PHP_SELF
Moderator: General Moderators
- PastorHank
- Forum Contributor
- Posts: 117
- Joined: Sat Jun 03, 2006 7:58 am
- Location: Texas Hill Country
PHP_SELF
Would someone please point me towards a good tutorial on use of the PHP_SELF variable.
Thank you
- PastorHank
- Forum Contributor
- Posts: 117
- Joined: Sat Jun 03, 2006 7:58 am
- Location: Texas Hill Country
$PHP_SELF returns the current webpage you're on. It's (I believe) an alias/shortcut to $_SERVER['PHP_SELF']. Call:
Code: Select all
echo '<pre>';
print_r($_SERVER);
echo '</pre>';
To see how it stacks up against other server variables.
As to why not to use it - I'm not sure.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
- PastorHank
- Forum Contributor
- Posts: 117
- Joined: Sat Jun 03, 2006 7:58 am
- Location: Texas Hill Country
The thing that confuses me is that in the program I am working with it's used like this:
Code: Select all
<form action="<?=$PHP_SELF?>"
And I'm having trouble locating exactly what it's calling.
- PastorHank
- Forum Contributor
- Posts: 117
- Joined: Sat Jun 03, 2006 7:58 am
- Location: Texas Hill Country
Look at the resulting HTML source code to see what $PHP_SELF does there.
Edit: This post is # 1981 - my birth year. Completely irrelevant to this topic, but I wanted to make sure it's recorded for posterity anyway
Last edited by pickle on Mon Jul 31, 2006 3:42 pm, edited 1 time in total.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
I would consider this an explanation:
The Manual wrote: 'PHP_SELF'
The filename of the currently executing script, relative to the document root. For instance, $_SERVER['PHP_SELF'] in a script at the address http://example.com/test.php/foo.bar would be /test.php/foo.bar. The __FILE__ constant contains the full path and filename of the current (i.e. included) file.
If PHP is running as a command-line processor this variable contains the script name since PHP 4.3.0. Previously it was not available.
- PastorHank
- Forum Contributor
- Posts: 117
- Joined: Sat Jun 03, 2006 7:58 am
- Location: Texas Hill Country
That's nice, and I read it before I posted; the issue I have is real-world usage. I'm running into this variable in the code I'm working with, and in the script I have the original calling file, the current file, several includes and a required file. So what I'm looking for is a place that has multiple examples of how this is used... and frankly, in the script where I'm encountering it, there isn't any processing code.
And yes, I'm slow and not overly bright, I need things spelled out... so again, my question is, could someone just point me to a stinking example or tutorial on how to use this variable and not just what the manual says it does, with a one-line example...
Webpage at http://www.foobar.com/test/stinky.php :
Code: Select all
echo <<<FORM
<form action = "$PHP_SELF">
</form>
FORM;
Will output:
Code: Select all
<form action = "/test/stinky.php">
</form>
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
The problem with it is that it can contain user input, so... just like anything that can contain user input, it needs to be checked for mischief.
Here is a blog post about it:
http://blog.phpdoc.info/archives/13-guid.html
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
Feyd taught me a while back...
Code: Select all
$php_self = basename(__FILE__);
- Ollie Saunders
- DevNet Master
- Posts: 3179
- Joined: Tue May 24, 2005 6:01 pm
- Location: UK
$PHP_SELF isn't in PHP but quite possibly was assigned by a PHP user from $_SERVER['PHP_SELF'].
Seeing as...
PastorHank wrote: And yes, I'm slow and not overly bright, I need things spelled out
...I'll reiterate what may have already been said.
What $_SERVER['PHP_SELF'] does
PHP_SELF contains the part of the URL (query string) after the domain that was used to access the current script being executed. So the red bit below is PHP_SELF:
http://www.url.com/subdir/somePage.php?stuff=1
Why $_SERVER['PHP_SELF'] (and related) are used
Because an HTML form requires an action="" attribute that has to point to where the submitted form will be sent, people output the content of PHP_SELF in this attribute; this has the effect of sending the submitted form back to the same page that generated it. I think most people can understand that's quite a nice thing to do.
Why $_SERVER['PHP_SELF'] is dangerous
Because of the way $_SERVER['PHP_SELF'] works, if a requester puts a slash after the filename they can add any data they like to PHP_SELF. Again, the red is PHP_SELF:
http://www.url.com/subdir/somePage.php/"><script>alert('Mahah I am evil!')</script>
Yes, I know it would be URL encoded, but I'm keeping it simple here.
This means when you output PHP_SELF like this:
Code: Select all
?>
<form action="<?=$_SERVER['PHP_SELF']?>" method="post">
The output you get is:
Code: Select all
<form action="/subdir/somePage.php/"><script>alert('Mahah I am evil!')</script>" method="post">
A hacker can use this to enter any script (keeping the total length of the query string under 4096 chars) into the output of your site that can change the behaviour of it to exploit its users. This is called an XSS (Cross Site Scripting) attack.
Alternative to $_SERVER['PHP_SELF']
Try:
Code: Select all
$action = __FILE__;
You have to process this slightly to remove the portion that is equal to the document root and replace it with '/'; often this is crudely achieved with basename().
>_< this post took so long to write that everybody has now definitely already covered everything I've said here. Oh well
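The defensive side of the two posts above (the "check it for mischief" advice and Ollie's alternative), as an added example that is not code from this thread: the request-derived value is escaped before it goes into the attribute, and the file-based alternative is shown beside it. The function names and the sample values are constructed for illustration.

```php
<?php
// Added example, not code from the thread. It contrasts echoing PHP_SELF raw
// with two defensive alternatives discussed above. Function names and sample
// values are constructed for illustration.

// Raw interpolation: whatever follows the script name in the request URL ends
// up inside the attribute unchanged (the vulnerable pattern from the thread).
function raw_action(string $phpSelf): string
{
    return '<form action="' . $phpSelf . '" method="post">';
}

// Escaping: quotes and angle brackets become entities, so the injected text
// stays inside the attribute value and cannot close it or start a <script> tag.
function escaped_action(string $phpSelf): string
{
    $safe = htmlspecialchars($phpSelf, ENT_QUOTES, 'UTF-8');
    return '<form action="' . $safe . '" method="post">';
}

// File-based: the name comes from the script on disk, which the requester
// cannot influence. Note that __FILE__ names the file this code is in, so
// inside an include it would name the include rather than the requested page.
function file_action(): string
{
    $safe = htmlspecialchars(basename(__FILE__), ENT_QUOTES, 'UTF-8');
    return '<form action="' . $safe . '" method="post">';
}

// Constructed sample values: a normal request, then the injected one from the post.
$samples = [
    '/subdir/somePage.php',
    '/subdir/somePage.php/"><script>alert(\'Mahah I am evil!\')</script>',
];

foreach ($samples as $self) {
    echo "PHP_SELF: $self\n";
    echo "  raw:     " . raw_action($self) . "\n";
    echo "  escaped: " . escaped_action($self) . "\n";
}
echo "file-based: " . file_action() . "\n";
```

Run it from the command line to compare the three attribute values side by side; only the raw form lets the second sample break out of the attribute.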