PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!
Ollie Saunders
DevNet Master
Posts: 3179 Joined: Tue May 24, 2005 6:01 pm
Location: UK
by Ollie Saunders » Tue Jul 11, 2006 3:50 pm
I don't use PHP_SELF personally because of the security risks.
If you need to submit a form to the same location it was requested from, you can use a dot. Otherwise look to the other $_SERVER elements.
tecktalkcm0391
DevNet Resident
Posts: 1030 Joined: Fri May 26, 2006 9:25 am
Location: Florida
by tecktalkcm0391 » Tue Jul 11, 2006 3:53 pm
What are the security risks? But ok, . is good, didn't know that. Thanks!
Ollie Saunders
DevNet Master
Posts: 3179 Joined: Tue May 24, 2005 6:01 pm
Location: UK
by Ollie Saunders » Tue Jul 11, 2006 4:02 pm
This request:
Code:
http://www.siteThatUsesPHP_SELF.com/?"><script>alert('evil hack!')</script><a id="
and this PHP:
Code:
echo '<form action="'.$_SERVER['PHP_SELF'].'" method="post">';
will produce this:
<form action="http://www.siteThatUsesPHP_SELF.com/"> <script>alert('evil hack!')</script> <a id="" method="post>
or something like that.
tecktalkcm0391
DevNet Resident
Posts: 1030 Joined: Fri May 26, 2006 9:25 am
Location: Florida
by tecktalkcm0391 » Tue Jul 11, 2006 4:08 pm
The dot does not work; it brings me from site.com/folder/file.php to site.com/folder/
RobertGonzalez
Site Administrator
Posts: 14293 Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA
by RobertGonzalez » Tue Jul 11, 2006 4:17 pm
Have you tried the PHP constant __FILE__?
Benjamin
Site Administrator
Posts: 6935 Joined: Sun May 19, 2002 10:24 pm
by Benjamin » Tue Jul 11, 2006 4:23 pm
Try this...
Code:
// Rebuilds the requested URL: scheme taken from SERVER_PROTOCOL, then host, script path (PHP_SELF) and query string
$SELF_URL = strtolower(strtok($_SERVER['SERVER_PROTOCOL'], '/')).'://'.$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'].'?'.$_SERVER['QUERY_STRING'];
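An added example, not code from anyone in this thread, that puts the unescaped echo from Ollie's post and the $SELF_URL line above beside escaped versions. The $_SERVER values are constructed to mimic the request Ollie describes (PHP_SELF carries the decoded PATH_INFO, which is why it can contain quotes and angle brackets), and the function names are my own.

```php
<?php
// Constructed request data, standing in for what the web server would set
// for a URL like http://example.test:81/index.php/"><script>...</script><a id="
$_SERVER['SERVER_PROTOCOL'] = 'HTTP/1.1';
$_SERVER['HTTP_HOST']       = 'example.test:81';
$_SERVER['PHP_SELF']        = '/index.php/"><script>alert(\'evil hack!\')</script><a id="';
$_SERVER['QUERY_STRING']    = 'a=1&b=<b>';

// Vulnerable pattern from the thread: request-controlled data is written
// straight into an HTML attribute, so "> closes the attribute and the tag.
function form_action_vulnerable(): string
{
    return '<form action="' . $_SERVER['PHP_SELF'] . '" method="post">';
}

// Hardened: escape for the attribute context. ENT_QUOTES turns both " and '
// into entities, so the injected markup stays inert text inside the attribute.
function form_action_hardened(): string
{
    $self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $self . '" method="post">';
}

// Same idea applied to the $SELF_URL one-liner: HTTP_HOST, PHP_SELF and
// QUERY_STRING all come from the request, so the assembled URL is escaped
// before it is placed in HTML. The "?" is only appended when there is a query.
function self_url_hardened(): string
{
    $scheme = strtolower(strtok($_SERVER['SERVER_PROTOCOL'], '/'));
    $url    = $scheme . '://' . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'];
    if ($_SERVER['QUERY_STRING'] !== '') {
        $url .= '?' . $_SERVER['QUERY_STRING'];
    }
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

// Quick check usable in a test: raw "<script" must never survive in output.
function output_is_safe(string $html): bool
{
    return stripos($html, '<script') === false;
}

echo form_action_vulnerable(), "\n"; // the injected tag is emitted as live HTML
echo form_action_hardened(), "\n";   // the same input arrives as entities
echo self_url_hardened(), "\n";
var_dump(output_is_safe(form_action_vulnerable()));
var_dump(output_is_safe(form_action_hardened()));
```

Run it with `php` from the command line; the escaped outputs are still valid form actions because the browser decodes the entities when it reads the attribute.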
Benjamin
Site Administrator
Posts: 6935 Joined: Sun May 19, 2002 10:24 pm
by Benjamin » Tue Jul 11, 2006 4:31 pm
Ok, so besides the fact that there is an extra forward slash in the url, what is wrong with it? Are you using uppercase letters in your actual url? If so remove the strtolower() function from the code I gave you.
tecktalkcm0391
DevNet Resident
Posts: 1030 Joined: Fri May 26, 2006 9:25 am
Location: Florida
by tecktalkcm0391 » Tue Jul 11, 2006 4:41 pm
The :81 is what I think is happening to make it not work.
Benjamin
Site Administrator
Posts: 6935 Joined: Sun May 19, 2002 10:24 pm
by Benjamin » Tue Jul 11, 2006 4:58 pm
Works for me.