Filtering $_SERVER['PHP_SELF'] for security

Bill H
DevNet Resident
Posts: 1136
Joined: Sat Jun 01, 2002 10:16 am
Location: San Diego CA

Post by Bill H »

I have a form in a script that is going to be used by (included in) several different other scripts, thereby becoming part of the script that included it. Obviously, the <form> tag needs a differing "action" depending on the script that called it. It seems that $_SERVER['PHP_SELF'] is pretty much the obvious choice for that purpose. I am told, however, that I then need to "filter" the global variable for security reasons. Where do I filter it, what is meant by filtering it, and how do I go about doing it?
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

I said that if you really insist on using $_SERVER['PHP_SELF'] you should make sure that it doesn't allow others to insert malicious code into yours (I'm sure you already know this, but those who don't: some explanation)

Around the time of that post there was a lot of talk about how this could be prevented by filtering. It seemed that for every filter someone was able to find a way to circumvent the filter, so I thought it was time to rethink the whole problem. I found that simply using # as the value for the action attribute in a form is a better solution.
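An added example, not code from the thread or from either poster, that puts the unescaped attribute beside the escaped one and the action="#" alternative timvw describes. The form partial name and the sample request path are assumptions made for the demonstration.

```php
<?php
// Added example. Assumed context: a form partial included by several
// scripts, where the including script's own URL should be the form's
// action. PHP_SELF is built from the request URL and can carry PATH_INFO
// (e.g. a request for /form.php/<extra>), so it is request-controlled.

// Constructed sample value standing in for what PATH_INFO can append.
$_SERVER['PHP_SELF'] = '/form.php/x"><i>z';

// Unsafe: the raw value is written into an HTML attribute, so a quote or
// angle bracket in the request path ends the attribute and becomes markup.
function unsafeAction(): string
{
    return '<form method="post" action="' . $_SERVER['PHP_SELF'] . '">';
}

// Output escaping: encode for the attribute context before writing it out.
// ENT_QUOTES covers both quote styles; the charset must match the page.
// Treat other $_SERVER path values (SCRIPT_NAME, REQUEST_URI) the same way
// rather than assuming any of them is free of request-derived characters.
function escapedAction(): string
{
    $self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $self . '">';
}

// Simplest, as suggested in the thread: action="#" submits to the current
// URL and writes no request-derived data into the markup at all.
function fragmentAction(): string
{
    return '<form method="post" action="#">';
}

echo unsafeAction(), PHP_EOL;    // attribute broken open by the quote
echo escapedAction(), PHP_EOL;   // quote and brackets rendered as entities
echo fragmentAction(), PHP_EOL;  // no request data in the output
```

Run it from the command line with `php` to compare the three lines; the second one is the only form of the dynamic action that stays a plain attribute value.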
Buddha443556
Forum Regular
Posts: 873
Joined: Fri Mar 19, 2004 1:51 pm

Post by Buddha443556 »

How about $_SERVER['SCRIPT_NAME']? It's usually available on both Apache and IIS. Doesn't suffer the same problem as $_SERVER['PHP_SELF'].
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

Buddha443556 wrote:How about $_SERVER['SCRIPT_NAME']? It's usually available on both Apache and IIS. Doesn't suffer the same problem as $_SERVER['PHP_SELF'].
Have a look at the comments at http://shiflett.org/archive/98 :)

I still find that "#" the easiest solution. (Initially I used "" (empty string) but some browsers didn't seem to like it very much).
Buddha443556
Forum Regular
Posts: 873
Joined: Fri Mar 19, 2004 1:51 pm

Post by Buddha443556 »

timvw wrote:
Buddha443556 wrote:How about $_SERVER['SCRIPT_NAME']? It's usually available on both Apache and IIS. Doesn't suffer the same problem as $_SERVER['PHP_SELF'].
Have a look at the comments at http://shiflett.org/archive/98 :)

I still find that "#" the easiest solution. (Initially I used "" (empty string) but some browsers didn't seem to like it very much).
Point taken. I got some fixing to do. :oops: