How safe is $_SERVER["HTTP_HOST"]?

抹茶落季 2020-12-18 01:10

I have a database full of website URLs, the primary key is the $_SERVER["HTTP_HOST"] of the website.

When a user navigates to ... let's say www.m

1 answer
  • 2020-12-18 02:09

    $_SERVER["HTTP_HOST"] is the HTTP Host header, as sent from the client. That makes this header generally unsafe.

    But, if you are in a typical virtual host setup in which the web server decides which script to execute based on VirtualHost configurations, which in turn are triggered by the HTTP Host header, your script should not get executed unless a known, whitelisted value was received in that header.

    If the web server does not care about the Host header and executes a certain script for any and all requests, then this value could be absolutely anything.

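An added example, not part of the original answer: one way to treat the Host header as untrusted input before using it as a database key, for the case where the web server does not already filter it. The `sites` table, the `normalize_host()` and `find_site()` helpers, and the sample header values are hypothetical; the code assumes the `pdo_sqlite` extension is available.

```php
<?php
declare(strict_types=1);

// Normalize a client-supplied Host header; return null if it is not a
// syntactically valid hostname (optionally followed by :port).
function normalize_host(?string $raw): ?string
{
    if ($raw === null || $raw === '' || strlen($raw) > 255) {
        return null;
    }
    $host = strtolower($raw);
    // Split off an optional numeric port; any other character is rejected.
    if (!preg_match('/\A([a-z0-9.-]+)(?::\d{1,5})?\z/', $host, $m)) {
        return null;
    }
    $host = rtrim($m[1], '.');            // "example.com." == "example.com"
    // Each label: 1-63 chars, alphanumeric at both ends.
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    return preg_match("/\\A$label(?:\\.$label)*\\z/", $host) ? $host : null;
}

// Look the host up as a bound parameter; unknown or invalid hosts get null.
function find_site(PDO $db, ?string $rawHost): ?array
{
    $host = normalize_host($rawHost);
    if ($host === null) {
        return null;
    }
    $stmt = $db->prepare('SELECT host, title FROM sites WHERE host = :host');
    $stmt->execute([':host' => $host]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data (in-memory SQLite, hypothetical "sites" table).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sites (host TEXT PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO sites VALUES ('www.example.com', 'Example')");

// Constructed Host header values, standing in for what a client might send.
$samples = ['www.example.com', 'WWW.Example.COM:8080', 'www.example.com.',
            'unknown.example', 'not a hostname!', 'www.example.com/path', ''];
foreach ($samples as $raw) {
    $site = find_site($db, $raw);
    printf("%-26s => %s\n", var_export($raw, true),
           $site ? 'known site: ' . $site['title'] : 'no such site');
}
```

In a request handler the call would be `find_site($db, $_SERVER['HTTP_HOST'] ?? null)`, with a null result answered by an error response rather than by falling back to a default site.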