Filtering $_SERVER['PHP_SELF'] for security

Posted: Thu Apr 06, 2006 2:47 pm
by Bill H
I have a form in a script that is going to be used by (included in) several different other scripts, thereby becoming part of the script that included it. Obviously, the <form> tag needs a differing "action" depending on the script that called it. It seems that $_SERVER['PHP_SELF'] is pretty much the obvious choice for that purpose. I am told, however, that I then need to "filter" the global variable for security reasons. Where do I filter it, what is meant by filtering it, and how do I go about doing it?

Posted: Thu Apr 06, 2006 3:26 pm
by timvw
I said that if you really insist on using $_SERVER['PHP_SELF'] you should make sure that it doesn't allow others to insert malicious code into yours (I'm sure you already know this, but those who don't: some explanation)

Around the time of that post there was a lot of talk about how this could be prevented by filtering. It seemed that for every filter someone was able to find a way to circumvent the filter, so I thought it was time to rethink the whole problem. I found that simply using # as value for the action attribute in a form is a better solution.
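An added example, not code from the thread, contrasting the three options discussed here: echoing $_SERVER['PHP_SELF'] raw (the problem), HTML-escaping it with htmlspecialchars() before it lands in the action attribute (the "filtering"), and the "#" action timvw recommends. The sample PHP_SELF value is constructed to stand in for the trailing path info Apache can append to the script path.

```php
<?php
// Added example (not from the thread). Demonstrates why a raw
// $_SERVER['PHP_SELF'] inside a form's action attribute is dangerous
// and shows two ways to avoid it.

// Constructed sample value: on Apache, a request such as
// /contact.php/<extra path> makes PHP_SELF carry that extra path verbatim,
// so user-controlled characters end up in the variable.
$php_self = '/contact.php/"><b>injected</b>';

// The "before": the value is dropped into HTML unescaped, so the quote and
// angle brackets terminate the attribute and the tag.
function actionRaw(string $self): string
{
    return '<form action="' . $self . '" method="post">';
}

// "Filtering" in the sense the thread means: HTML-escape the value so quotes
// and brackets are rendered as inert text. ENT_QUOTES covers both quote kinds.
function actionEscaped(string $self): string
{
    $safe = htmlspecialchars($self, ENT_QUOTES, 'UTF-8');
    return '<form action="' . $safe . '" method="post">';
}

// timvw's approach: "#" resolves to the current URL, so the form posts back
// to whatever script included it and no server variable is echoed at all.
// (An empty action is avoided because the thread reports browser problems.)
function actionHash(): string
{
    return '<form action="#" method="post">';
}

echo actionRaw($php_self), PHP_EOL;      // attribute and tag broken open
echo actionEscaped($php_self), PHP_EOL;  // &quot;&gt;&lt;b&gt;injected&lt;/b&gt;
echo actionHash(), PHP_EOL;              // <form action="#" method="post">
```

The escaped variant still reveals the request path to the browser, so it only neutralises markup; the "#" variant sidesteps the question entirely for an included form.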

Posted: Thu Apr 06, 2006 3:28 pm
by Buddha443556
How about $_SERVER['SCRIPT_NAME']? It's usually available on both Apache and IIS. Doesn't suffer the same problem as $_SERVER['PHP_SELF'].

Posted: Thu Apr 06, 2006 3:32 pm
by timvw
Buddha443556 wrote: How about $_SERVER['SCRIPT_NAME']? It's usually available on both Apache and IIS. Doesn't suffer the same problem as $_SERVER['PHP_SELF'].
Have a look at the comments at http://shiflett.org/archive/98 :)

I still find that "#" is the easiest solution. (Initially I used "" (empty string) but some browsers didn't seem to like it very much).

Posted: Thu Apr 06, 2006 3:48 pm
by Buddha443556
timvw wrote:
Buddha443556 wrote: How about $_SERVER['SCRIPT_NAME']? It's usually available on both Apache and IIS. Doesn't suffer the same problem as $_SERVER['PHP_SELF'].
Have a look at the comments at http://shiflett.org/archive/98 :)

I still find that "#" is the easiest solution. (Initially I used "" (empty string) but some browsers didn't seem to like it very much).
Point taken. I got some fixing to do. :oops: