a question about $_SERVER['PHP_SELF']
Posted: Sun Sep 27, 2009 3:36 am
by mayanktalwar1988
hey if the current executing script url of mine is like this localhost/pro/topic.php?id=2
and if i used $_SERVER['PHP_SELF'] in the same script
in one of statements like this
echo " <a class=\"pagination\" href='{$_SERVER['PHP_SELF']}?pagenum=$next&id=$id'>Next -></a> ";
then the link followed by the above statement will be like this localhost/pro/topic.php?pagenum=1&id=2
or it will be like this localhost/pro/topic.php?id=2pagenum=1&id=2 which i don't want?
Re: a question about $_SERVER['PHP_SELF']
Posted: Sun Sep 27, 2009 3:46 am
by requinix
Have you tried it to see what happens?
Re: a question about $_SERVER['PHP_SELF']
Posted: Sun Sep 27, 2009 4:57 am
by jackpf
tasairis wrote:Have you tried it to see what happens?
+1
Re: a question about $_SERVER['PHP_SELF']
Posted: Sun Sep 27, 2009 2:07 pm
by mayanktalwar1988
i knew you gonna ask me this question..and answer is nooo......if i have tried that then i haven't asked this question

Re: a question about $_SERVER['PHP_SELF']
Posted: Sun Sep 27, 2009 2:56 pm
by Eran
if i have tried that then i haven't asked this question
I think this is the point they were trying to make
Re: a question about $_SERVER['PHP_SELF']
Posted: Sun Sep 27, 2009 3:15 pm
by jackpf
mayanktalwar1988 wrote:i knew you gonna ask me this question..and answer is nooo......if i have tried that then i haven't asked this question

Try it then numpty.
Re: a question about $_SERVER['PHP_SELF']
Posted: Sun Sep 27, 2009 3:19 pm
by mayanktalwar1988
numpty .great....... i am gonna try it tomorrow just trying to add pagination to my already existing script.
Re: a question about $_SERVER['PHP_SELF']
Posted: Sun Sep 27, 2009 4:03 pm
by jackpf
Lol. Sorry.
But honestly, why didn't you just try it yourself? It probably takes longer to post than it would to just make a test script...
Re: a question about $_SERVER['PHP_SELF']
Posted: Sun Sep 27, 2009 10:44 pm
by Eric!
FYI - That echo is open to XSS like REQUEST_URI, as I found out by playing with it a few weeks ago, so don't forget to filter it before echoing it out.
Re: a question about $_SERVER['PHP_SELF']
Posted: Mon Sep 28, 2009 12:59 am
by mayanktalwar1988
hey u the person who called me numpty..i am not numpty (i am a little numpty)
i m lazy
here's your answer
/pro/topic.php
by the way i love this forum...

Re: a question about $_SERVER['PHP_SELF']
Posted: Mon Sep 28, 2009 5:37 am
by jackpf
Eric! wrote:FYI - That echo is open to XSS like REQUEST_URI, as I found out by playing with it a few weeks ago, so don't forget to filter it before echoing it out.
So is PHP_SELF. Stuff after a slash after the extension is considered as part of PHP_SELF.
So say you had "blah.php" which contained
If you were to go to
http://....com/blah.php/<script>alert('XSS');</script>
you can inject JavaScript etc...as well.
hey u the person who called me numpty..i am not numpty (i am a little numpty)
i m lazy
Think about it - if everyone asked everything like that here instead of trying it themselves...how ridiculous would this forum become? And I did apologise
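The pagination link from the first post, shown next to a hardened version; this is an added example and not code posted by anyone in the thread. The `$server` and `$get` arrays are constructed stand-ins for `$_SERVER` and `$_GET`, using the request shape described above, and the function names are hypothetical.

```php
<?php
// Constructed request values: what PHP would set for a request to
// /pro/topic.php/<script>alert('XSS');</script>?id=2
$server = [
    'PHP_SELF'    => "/pro/topic.php/<script>alert('XSS');</script>",
    'SCRIPT_NAME' => '/pro/topic.php',
];
$get = ['id' => '2'];

// Pattern from the thread: PHP_SELF goes into the attribute unescaped, so
// everything the client appended after the script name reaches the page.
function unsafe_next_link(array $server, int $next, string $id): string
{
    return "<a class=\"pagination\" href='{$server['PHP_SELF']}?pagenum=$next&id=$id'>Next -></a>";
}

// Hardened: SCRIPT_NAME does not include the trailing path info, the id is
// cast to an integer, http_build_query() assembles the query string, and
// the finished URL is escaped for an HTML attribute.
function safe_next_link(array $server, array $get, int $next): string
{
    $params = ['pagenum' => $next, 'id' => (int) ($get['id'] ?? 0)];
    $url = $server['SCRIPT_NAME'] . '?' . http_build_query($params);
    return '<a class="pagination" href="'
        . htmlspecialchars($url, ENT_QUOTES, 'UTF-8')
        . '">Next -&gt;</a>';
}

echo unsafe_next_link($server, 1, $get['id']), "\n";
echo safe_next_link($server, $get, 1), "\n";
```

Neither PHP_SELF nor SCRIPT_NAME contains the query string, which is why `id` has to be added back to the link explicitly.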
