Filtering $_SERVER['PHP_SELF'] for security
- Bill H
- DevNet Resident
- Joined: Sat Jun 01, 2002 10:16 am
- Location: San Diego CA
I have a form in a script that is going to be used by (included in) several different other scripts, thereby becoming part of the script that included it. Obviously, the <form> tag needs a differing "action" depending on the script that called it. It seems that $_SERVER['PHP_SELF'] is pretty much the obvious choice for that purpose. I am told, however, that I then need to "filter" the global variable for security reasons. Where do I filter it, what is meant by filtering it, and how do I go about doing it?
I said that if you really insist on using $_SERVER['PHP_SELF'], you should make sure that it doesn't allow others to insert malicious code into yours (I'm sure you already know this, but for those who don't: some explanation).
Around the time of that post there was a lot of talk about how this could be prevented by filtering. It seemed that for every filter someone was able to find a way to circumvent the filter, so I thought it was time to rethink the whole problem. I found that simply using # as the value for the action attribute in a form is a better solution.
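As an added illustration (not code from the thread or from either poster), the snippet below answers the "where and how do I filter it" question by building the form's action tag three ways from a constructed PHP_SELF value: echoed raw, escaped with htmlspecialchars() at the point of output, and replaced by the "#" approach from the reply above. The function names and the sample path are invented for the example.

```php
<?php
// Constructed sample of what $_SERVER['PHP_SELF'] can contain: the script
// path followed by caller-controlled PATH_INFO. The PATH_INFO part is
// whatever was appended to the URL, so it is untrusted input.
$constructedPhpSelf = '/app/form.php/"><em>injected</em>';

// Unsafe: the value is written straight into a double-quoted attribute.
// The " inside the path info closes the attribute and the rest of the
// path becomes markup in the page.
function actionUnsafe(string $phpSelf): string
{
    return '<form action="' . $phpSelf . '" method="post">';
}

// "Filtering" done correctly: encode the value for the context it lands
// in (an HTML attribute). ENT_QUOTES matters because the attribute is
// quoted; the value is still reflected, but it can no longer break out.
// This is done where the value is output, not where it is read.
function actionFiltered(string $phpSelf): string
{
    $safe = htmlspecialchars($phpSelf, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form action="' . $safe . '" method="post">';
}

// The approach from the reply above: do not reflect request data at all.
// action="#" resolves to the URL of the current document, so the form
// submits to whichever script included it, with nothing to filter.
function actionCurrentUrl(): string
{
    return '<form action="#" method="post">';
}

echo actionUnsafe($constructedPhpSelf), PHP_EOL;
// <form action="/app/form.php/"><em>injected</em>" method="post">

echo actionFiltered($constructedPhpSelf), PHP_EOL;
// <form action="/app/form.php/&quot;&gt;&lt;em&gt;injected&lt;/em&gt;" method="post">

echo actionCurrentUrl(), PHP_EOL;
// <form action="#" method="post">
```

The same htmlspecialchars() call applies to any other server variable you might substitute for PHP_SELF, since every path the server hands you is still data, not markup.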
- Buddha443556
- Forum Regular
- Joined: Fri Mar 19, 2004 1:51 pm
Buddha443556 wrote:
> How about $_SERVER['SCRIPT_NAME']? It's usually available on both Apache and IIS. Doesn't suffer the same problem as $_SERVER['PHP_SELF'].

Have a look at the comments at http://shiflett.org/archive/98
I still find "#" the easiest solution. (Initially I used "" (empty string) but some browsers didn't seem to like it very much.)
- Buddha443556
timvw wrote:
> Buddha443556 wrote:
> > How about $_SERVER['SCRIPT_NAME']? It's usually available on both Apache and IIS. Doesn't suffer the same problem as $_SERVER['PHP_SELF'].
>
> Have a look at the comments at http://shiflett.org/archive/98
> I still find "#" the easiest solution. (Initially I used "" (empty string) but some browsers didn't seem to like it very much.)

Point taken. I got some fixing to do.