Is it safe to use $_SERVER?

I’ve looked at other answers and I see that $_SERVER['REQUEST_URI'] is usually recommended and is the accepted answer for getting the current page URI along with $_SERVER['HTTP_HOST'].

I looked at the WP source code and it’s widely used there too.

But I found some controversy about it not working on IIS. Perhaps it was only an issue in the past? I even tried to install IIS in my PC to check it out but I can’t configure it and it seems like an overkill just to confirm this.

It seems like it’s the only SERVER variable that includes the information I want:


the highlighted example part is added via NextGEN Gallery 2 and is only accessible through the $_SERVER['REQUEST_URI'], nothing else. Previously it was accessible using get_query_var, not anymore.

If $_SERVER['REQUEST_URI'] is not set, faking it through setting it manually and creating it based on PHP_SELF and QUERY_STRING brings inequivalent results.

So is it safe to rely on $_SERVER['REQUEST_URI'] being always available for use on WP installs? I assume it is since the WP core code uses it, but I had to ask.

Solutions Collecting From Web of "Is it safe to use $_SERVER?"

$_SERVER['REQUEST_URI'] will not be empty in WordPress, because it is filled in wp_fix_server_vars() (file wp-includes/load.php).

This function is called in wp-settings.php before any plugin is loaded. So you can use it.

But always escape the value. It is global and can be changed by any other code, so you cannot trust its value.

A different case is accessing the value per

filter_input(INPUT_SERVER, 'REQUEST_URI'); 

The write access by WordPress will not affect the value, because filter_input() is always taking the original value. So while this is the more modern and clean approach, it might fail in some circumstances. See also this thread on Stack Overflow.