0 votes
549 views
in Technique[技术] by (71.8m points)

php - how safe is $_SERVER["HTTP_HOST"]?

I have a database full of website URLs; the primary key is the $_SERVER["HTTP_HOST"] of the website.

When a user navigates to, let's say, www.my-epic-example-url.com, it will connect to the database and use the $_SERVER["HTTP_HOST"] of that website, then fetch all the data referencing that website!

What I want to know is, how safe is $_SERVER["HTTP_HOST"]?

Can it be externally modified?

The only reason I ask is because I read an article a while back (can't remember where it was) saying be careful when using $_SERVER because it is unsafe...

Is this true?


1 Reply

0 votes
by (71.8m points)

$_SERVER["HTTP_HOST"] is the HTTP Host header, as sent from the client. That makes this header generally unsafe.

But, if you are in a typical virtual host setup in which the web server decides which script to execute based on VirtualHost configurations, which in turn are triggered by the HTTP Host header, your script should not get executed unless a known, whitelisted value was received in that header.

If the web server does not care about the Host header and executes a certain script for any and all requests, then this value could be absolutely anything.
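
For setups where the web server passes any Host value through to the script, the same allowlisting can be done in PHP before the value is used as a database key. This is an added example, not part of the original answer; `KNOWN_HOSTS`, `resolveSiteHost()` and the sample header values are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist. In the question's setup this would be the set of
// host names already stored as primary keys in the sites table.
const KNOWN_HOSTS = ['www.my-epic-example-url.com', 'example.org'];

/**
 * Map a client-supplied Host header to a known site.
 * Returns the canonical host name, or null if the value must be rejected.
 */
function resolveSiteHost(?string $rawHost, array $knownHosts): ?string
{
    // Missing, empty or oversized headers are rejected outright.
    if ($rawHost === null || $rawHost === '' || strlen($rawHost) > 255) {
        return null;
    }
    // Host names are case-insensitive, so compare in lower case.
    $host = strtolower($rawHost);
    // Drop an optional ":port" suffix such as "example.org:8080".
    $host = preg_replace('/:\d{1,5}\z/', '', $host) ?? '';
    // Drop the trailing dot of a fully qualified name ("example.org.").
    $host = rtrim($host, '.');
    // Accept only letters, digits, hyphens and dots.
    if (preg_match('/^[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?\z/', $host) !== 1) {
        return null;
    }
    // Strict comparison against the allowlist; anything else is rejected.
    return in_array($host, $knownHosts, true) ? $host : null;
}

// Constructed sample header values, standing in for $_SERVER['HTTP_HOST'].
$samples = [
    'www.my-epic-example-url.com',      // known site
    'WWW.My-Epic-Example-URL.com:443',  // same site, different case plus port
    'example.org.',                     // known site with trailing dot
    'unknown-site.test',                // well-formed but not on the allowlist
    'not a hostname!',                  // characters outside the host syntax
    '',                                 // empty header
];

foreach ($samples as $sample) {
    $host = resolveSiteHost($sample, KNOWN_HOSTS);
    printf("%-36s => %s\n", var_export($sample, true), $host ?? 'REJECTED');
}
```

In a request handler, pass `$_SERVER['HTTP_HOST'] ?? null` to the function, answer with a 400 response when it returns null, and hand the returned host name to the database query as a bound parameter.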

