PHP_SELF

Posted: Mon Jul 31, 2006 1:41 pm
by PastorHank
Would someone please point me towards a good tutorial on use of the PHP_SELF variable.

Thank you

Posted: Mon Jul 31, 2006 1:44 pm
by feyd
here's the quick and easy: don't use it. There are many other, more safe, ways to read the same value.

Posted: Mon Jul 31, 2006 2:02 pm
by PastorHank
That's discouraging.....the program I am working with uses it a lot, what is it supposed to do?

Posted: Mon Jul 31, 2006 2:10 pm
by pickle
$PHP_SELF returns the current webpage you're on. It's (I believe) an alias/shortcut to $_SERVER['PHP_SELF']. Call:

Code:

echo '<pre>';
print_r($_SERVER);
echo '</pre>';
to see how it stacks up against other server variables.

As to why not to use it - I'm not sure.

Posted: Mon Jul 31, 2006 2:19 pm
by PastorHank
The thing that confuses me is that in the program I am working with it's used like this

Code:

<form action="<?=$PHP_SELF?>"
And I'm having trouble locating exactly what it's calling.

Posted: Mon Jul 31, 2006 2:21 pm
by Luke
$PHP_SELF & other predefined variables are explained in the manual.

Posted: Mon Jul 31, 2006 2:22 pm
by PastorHank
No, actually they are talked about in the manual, they are not explained, which is why I asked for someone to point me towards a good tutorial about the best way to use them.

Posted: Mon Jul 31, 2006 2:24 pm
by pickle
Look at the resulting HTML source code to see what $PHP_SELF does there.
Edit: This post is # 1981 - my birth year. Completely irrelevant to this topic, but I wanted to make sure it's recorded for posterity anyway

Posted: Mon Jul 31, 2006 2:25 pm
by Luke
I would consider this an explanation:
The Manual wrote: 'PHP_SELF'
The filename of the currently executing script, relative to the document root. For instance, $_SERVER['PHP_SELF'] in a script at the address http://example.com/test.php/foo.bar would be /test.php/foo.bar. The __FILE__ constant contains the full path and filename of the current (i.e. included) file.

If PHP is running as a command-line processor this variable contains the script name since PHP 4.3.0. Previously it was not available.

Posted: Mon Jul 31, 2006 2:31 pm
by PastorHank
That's nice and I read it before I posted; the issue I have is real world usage. I'm running into this variable in the code I'm working with, and in the script I have the original calling file, the current file, several includes and a required file. So what I'm looking for is a place that has multiple examples of how this is used....and frankly in the script where I'm encountering it, there isn't any processing code.

And yes, I'm slow and not overly bright, I need things spelled out....so again, my question is, could someone just point me to a stinking example or tutorial on how to use this variable and not just what the manual says it does, with a one line example...

Posted: Mon Jul 31, 2006 2:34 pm
by pickle
Webpage at http://www.foobar.com/test/stinky.php :

Code:

echo <<<FORM
<form action = "$PHP_SELF">
</form>
FORM;
Will output:

Code:

<form action = "/test/stinky.php">
</form>

Posted: Mon Jul 31, 2006 2:37 pm
by Luke
the problem with it is that it can contain user input, so... just like anything that can contain user input, it needs to be checked for mischief.

Here is a blog post about it:

http://blog.phpdoc.info/archives/13-guid.html

Posted: Mon Jul 31, 2006 2:39 pm
by PastorHank
Ninja,
Thank you. That's exactly what I was looking for

And Feyd
Now I know what you were talking about...

This explains all the weird stuff I was seeing


Thank you

Posted: Mon Jul 31, 2006 3:21 pm
by RobertGonzalez
Feyd taught me a while back...

Code:

$php_self = basename(__FILE__);

Posted: Mon Jul 31, 2006 4:13 pm
by Ollie Saunders
$PHP_SELF isn't in PHP but quite possibly was assigned by a PHP user from $_SERVER['PHP_SELF'].

Seeing as...
PastorHank wrote: And yes, I'm slow and not overly bright, I need things spelled out
...I'll reiterate what may have already been said.

What $_SERVER['PHP_SELF'] does
PHP_SELF contains the part of the URL (query string) after the domain that was used to access the current script being executed. So the red bit below is PHP_SELF:
http://www.url.com/subdir/somePage.php?stuff=1

Why $_SERVER['PHP_SELF'] (and related) are used
Because an html form requires an action="" attribute that has to point to where the submitted form will be sent people output the content PHP_SELF in this attribute; this has the effect of sending the submitted form back to the same page that generated it. I think most people can understand that's quite a nice thing to do.

Why $_SERVER['PHP_SELF'] is dangerous
Because of the way $_SERVER['PHP_SELF'] works, if a requester puts a slash after the filename they can add any data they like to PHP_SELF. Again the red is PHP_SELF:
http://www.url.com/subdir/somePage.php/"><script>alert('Mahah I am evil!')</script>
Yes, I know it would be URL encoded, but I'm keeping it simple here.

This means when you output PHP_SELF like this:

Code:

?>
<form action="<?=$_SERVER['PHP_SELF']?>" method="post">
The output you get is:

Code:

<form action="/subdir/somePage.php"><script>alert('Mahah I am evil!')</script>" method="post">
A hacker can use this to enter any script (keeping the total length of the query string under 4096 chars) into the output of your site that can change the behaviour of it to exploit its users. This is called a XSS (Cross Site Scripting) attack.

Alternative to $_SERVER['PHP_SELF']
Try:

Code:

$action = __FILE__;
You have to process this slightly to remove the portion that is equal to the document root and replace it with '/'. Often this is crudely achieved with basename().

>_< this post took so long to write that everybody has now definitely already covered everything I've said here. Oh well :(
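The pattern Ollie and RobertGonzalez describe, as an added example that is not code from the thread: the unescaped form action beside two safe alternatives, escaping PHP_SELF for the attribute context and deriving the path from the script's on-disk location. The tampered path and the document root below are constructed values for illustration.

```php
<?php
// Vulnerable pattern from the thread: PHP_SELF includes any PATH_INFO the
// requester appends after the script name, and it is written into an
// attribute without escaping.
function unsafeAction(string $phpSelf): string
{
    return '<form action="' . $phpSelf . '" method="post">';
}

// Fix 1: keep PHP_SELF but encode it for an HTML attribute, so quotes and
// angle brackets can no longer close the attribute or open a tag.
function escapedAction(string $phpSelf): string
{
    $safe = htmlspecialchars($phpSelf, ENT_QUOTES, 'UTF-8');
    return '<form action="' . $safe . '" method="post">';
}

// Fix 2 (the __FILE__ alternative): build the path from where the script
// really lives, which the requester cannot influence, by stripping the
// document root. Note that inside an include, __FILE__ is the included
// file; use $_SERVER['SCRIPT_FILENAME'] for the script that was requested.
function actionFromFile(string $file, string $docRoot): string
{
    $docRoot = rtrim(str_replace('\\', '/', $docRoot), '/');
    $file    = str_replace('\\', '/', $file);
    if (strpos($file, $docRoot . '/') !== 0) {
        throw new RuntimeException('script is not under the document root');
    }
    return substr($file, strlen($docRoot));
}

// Constructed request: a slash after the filename lets the requester append
// arbitrary text, exactly as described above (a harmless marker is used here).
$tampered = '/subdir/somePage.php/"><injected>';

echo unsafeAction($tampered), PHP_EOL;    // marker lands inside the markup
echo escapedAction($tampered), PHP_EOL;   // marker is entity-encoded
echo actionFromFile('/var/www/html/subdir/somePage.php', '/var/www/html'), PHP_EOL;
```

basename(__FILE__) alone, as in RobertGonzalez's snippet, gives a relative path and therefore only works when the form posts back to the same directory; the document-root stripping above keeps the absolute path the form would otherwise get from PHP_SELF.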