PHP_SELF

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

PastorHank
Forum Contributor
Posts: 117
Joined: Sat Jun 03, 2006 7:58 am
Location: Texas Hill Country

PHP_SELF

Post by PastorHank »

Would someone please point me towards a good tutorial on use of the PHP_SELF variable?

Thank you
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

here's the quick and easy: don't use it. There are many other, more safe, ways to read the same value.
PastorHank
Forum Contributor
Posts: 117
Joined: Sat Jun 03, 2006 7:58 am
Location: Texas Hill Country

Post by PastorHank »

That's discouraging.....the program I am working with uses it a lot, what is it supposed to do?
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Post by pickle »

$PHP_SELF returns the current webpage you're on. It's (I believe) an alias/shortcut to $_SERVER['PHP_SELF']. Call:

Code:

echo '<pre>';
print_r($_SERVER);
echo '</pre>';
To see how it stacks up against other server variables.

As to why not to use it - I'm not sure.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
PastorHank
Forum Contributor
Posts: 117
Joined: Sat Jun 03, 2006 7:58 am
Location: Texas Hill Country

Post by PastorHank »

The thing that confuses me is that in the program I am working with it's used like this

Code:

<form action="<?=$PHP_SELF?>"
And I'm having trouble locating exactly what it's calling.
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

$PHP_SELF & other predefined variables are explained in the manual.
PastorHank
Forum Contributor
Posts: 117
Joined: Sat Jun 03, 2006 7:58 am
Location: Texas Hill Country

Post by PastorHank »

No, actually they are talked about in the manual, they are not explained, which is why I asked for someone to point me towards a good tutorial about the best way to use them.
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Post by pickle »

Look at the resulting HTML source code to see what $PHP_SELF does there.
Edit: This post is # 1981 - my birth year. Completely irrelevant to this topic, but I wanted to make sure it's recorded for posterity anyway
Last edited by pickle on Mon Jul 31, 2006 3:42 pm, edited 1 time in total.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

I would consider this an explanation:
The Manual wrote:'PHP_SELF'
The filename of the currently executing script, relative to the document root. For instance, $_SERVER['PHP_SELF'] in a script at the address http://example.com/test.php/foo.bar would be /test.php/foo.bar. The __FILE__ constant contains the full path and filename of the current (i.e. included) file.

If PHP is running as a command-line processor this variable contains the script name since PHP 4.3.0. Previously it was not available.
PastorHank
Forum Contributor
Posts: 117
Joined: Sat Jun 03, 2006 7:58 am
Location: Texas Hill Country

Post by PastorHank »

That's nice, and I read it before I posted; the issue I have is real-world usage. I'm running into this variable in the code I'm working with, and in the script I have the original calling file, the current file, several includes and a required file. So what I'm looking for is a place that has multiple examples of how this is used....and frankly, in the script where I'm encountering it, there isn't any processing code.

And yes, I'm slow and not overly bright, I need things spelled out....so again, my question is, could someone just point me to a stinking example or tutorial on how to use this variable and not just what the manual says it does, with a one line example...
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Post by pickle »

Webpage at http://www.foobar.com/test/stinky.php :

Code:

echo <<<FORM
<form action = "$PHP_SELF">
</form>
FORM;
Will output:

Code:

<form action = "/test/stinky.php">
</form>
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

the problem with it is that it can contain user input, so... just like anything that can contain user input, it needs to be checked for mischief.

Here is a blog post about it:

http://blog.phpdoc.info/archives/13-guid.html
PastorHank
Forum Contributor
Posts: 117
Joined: Sat Jun 03, 2006 7:58 am
Location: Texas Hill Country

Post by PastorHank »

Ninja,
Thank you. That's exactly what I was looking for

And Feyd
Now I know what you were talking about...

This explains all the weird stuff I was seeing


Thank you
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Feyd taught me a while back...

Code:

$php_self = basename(__FILE__);
Ollie Saunders
DevNet Master
Posts: 3179
Joined: Tue May 24, 2005 6:01 pm
Location: UK

Post by Ollie Saunders »

$PHP_SELF isn't in PHP but quite possibly was assigned by a PHP user from $_SERVER['PHP_SELF'].

Seeing as...
PastorHank wrote:And yes, I'm slow and not overly bright, I need things spelled out
...I'll reiterate what may have already been said.

What $_SERVER['PHP_SELF'] does
PHP_SELF contains the part of the URL (query string) after the domain that was used to access the current script being executed. So the red bit below is PHP_SELF:
http://www.url.com/subdir/somePage.php?stuff=1

Why $_SERVER['PHP_SELF'] (and related) are used
Because an HTML form requires an action="" attribute that has to point to where the submitted form will be sent, people output the content of PHP_SELF in this attribute; this has the effect of sending the submitted form back to the same page that generated it. I think most people can understand that's quite a nice thing to do.

Why $_SERVER['PHP_SELF'] is dangerous
Because of the way $_SERVER['PHP_SELF'] works, if a requester puts a slash after the filename they can add any data they like to PHP_SELF. Again the red is PHP_SELF:
http://www.url.com/subdir/somePage.php/"><script>alert('Mahah I am evil!')</script>
Yes, I know it would be URL encoded, but I'm keeping it simple here.

This means when you output PHP_SELF like this:

Code:

?>
<form action="<?=$_SERVER['PHP_SELF']?>" method="post">
The output you get is:

Code:

<form action="/subdir/somePage.php"><script>alert('Mahah I am evil!')</script>" method="post">
A hacker can use this to enter any script (keeping the total length of the query string under 4096 chars) into the output of your site that can change the behaviour of it to exploit its users. This is called a XSS (Cross Site Scripting) attack.

Alternative to $_SERVER['PHP_SELF']
Try:

Code:

$action = __FILE__;
You have to process this slightly to remove the portion that is equal to the document root and replace it with '/'. Often this is crudely achieved with basename().

>_< This post took so long to write that everybody has now definitely already covered everything I've said here. Oh well :(
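A worked example, added here and not code from any poster in this thread, that puts the two fixes discussed in the posts above side by side: Luke's point that PHP_SELF carries request data and so must be escaped before it is echoed into HTML, and the alternative from RobertGonzalez and Ollie of deriving the path from __FILE__ and the document root. The function names, the constructed $_SERVER array, the document root /var/www/html and the file path are assumptions made for the demonstration; htmlspecialchars() and $_SERVER['SCRIPT_NAME'] are standard PHP.

```php
<?php
// Added example (not code from the thread): two ways to put the current
// script's path into a form action without letting text from the request
// (the part after the script name in the URL) reach the HTML unescaped.

/**
 * Option 1: keep using $_SERVER['PHP_SELF'] but HTML-escape it on output.
 * Any injected text survives, but only as inert attribute content.
 */
function escaped_php_self(array $server): string
{
    $self = $server['PHP_SELF'] ?? '/';
    return htmlspecialchars($self, ENT_QUOTES, 'UTF-8');
}

/**
 * Option 2: derive the path from __FILE__ and DOCUMENT_ROOT, as Ollie
 * suggests. __FILE__ is set by the interpreter, not by the request, so no
 * request data can leak into it. $file and $docRoot are parameters so the
 * function can be exercised with constructed values.
 */
function self_path_from_file(string $file, string $docRoot): string
{
    $file    = str_replace('\\', '/', $file);
    $docRoot = rtrim(str_replace('\\', '/', $docRoot), '/');
    if ($docRoot !== '' && strncmp($file, $docRoot . '/', strlen($docRoot) + 1) === 0) {
        return substr($file, strlen($docRoot));   // e.g. /subdir/somePage.php
    }
    // Outside the document root (or root unknown): fall back to the bare file
    // name, which is what basename(__FILE__) gives and works when the form
    // posts to a script in the same directory.
    return basename($file);
}

/** Build the form tag around whichever action value was chosen. */
function form_tag(string $action): string
{
    return '<form action="' . $action . '" method="post">';
}

// --- Demonstration with a constructed request ------------------------------
// Constructed: what $_SERVER looks like for a request to
// /subdir/somePage.php/"><script>alert('x')</script>  (decoded form)
$fakeServer = [
    'PHP_SELF'      => '/subdir/somePage.php/"><script>alert(\'x\')</script>',
    'SCRIPT_NAME'   => '/subdir/somePage.php',   // never includes the extra path
    'DOCUMENT_ROOT' => '/var/www/html',
];
$fakeFile = '/var/www/html/subdir/somePage.php';   // stands in for __FILE__

echo "Unescaped PHP_SELF (the broken tag from the post above):\n";
echo form_tag($fakeServer['PHP_SELF']), "\n\n";

echo "Escaped PHP_SELF:\n";
echo form_tag(escaped_php_self($fakeServer)), "\n\n";

echo "Derived from __FILE__ and DOCUMENT_ROOT:\n";
echo form_tag(self_path_from_file($fakeFile, $fakeServer['DOCUMENT_ROOT'])), "\n\n";

echo "SCRIPT_NAME (one of the 'other ways to read the same value'):\n";
echo form_tag($fakeServer['SCRIPT_NAME']), "\n";
```

Run it with `php example.php`: the first line reproduces the broken tag Ollie shows, the second keeps the injected text but as `&quot;&gt;&lt;script&gt;...`, so the attribute closes where the author intended, and the last two never contain the extra path at all. Whichever of the three you pick, the rule from Luke's post still applies to anything else from $_SERVER or the request that ends up in your HTML: escape it at the point of output.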