PHP_SELF question?

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!


staar2
Forum Commoner
Posts: 83
Joined: Fri Apr 06, 2007 2:57 am


Post by staar2 »

Is it safe to use $_SERVER['PHP_SELF'] in action="" or in URLs like $PHP_SELF?page=home, or should I use some other, safer method?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

No. PHP_SELF contains user input which could easily be HTML, thereby injecting HTML into your page.

Actions can be "#" and links can simply be "?foo=bar"
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Post by Oren »

No, it's not. Not without any kind of filtering. That'd be asking for XSS!
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Form actions can be as simple as "#", which causes the page to post back to itself and anchor to the top of the page. You could also use basename(__FILE__) or basename($_SERVER['SCRIPT_FILENAME']), though the server variables are not always consistent across server platforms.

PHP_SELF should not be used unless you want to A) Clean the heck out of it before presenting it to view; or B) get your site hacked to bits.
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

RobertGonzalez wrote: Form actions can be as simple as "#"

Or empty as well.
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

AFAIK, the only reason that we (as in phpdn) started using '#' as the action was because someone reported that his (very exotic) browser crashed on ''... But that is at least 2 years ago...
jmut
Forum Regular
Posts: 945
Joined: Tue Jul 05, 2005 3:54 am
Location: Sofia, Bulgaria

Post by jmut »

Everah wrote: ...A) Clean the heck out of it before presenting it to view;...

I guess this cleans the heck out of it

// Drop the PATH_INFO suffix (the user-controlled part) from the end of PHP_SELF;
// the @ silences the notice when PATH_INFO is not set for the request.
echo substr($_SERVER['PHP_SELF'], 0, (strlen($_SERVER['PHP_SELF']) - @strlen($_SERVER['PATH_INFO'])));
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

jmut wrote:
Everah wrote:....A) Clean the heck out of it before presenting it to view;...

I guess this cleans the heck out of it


echo substr($_SERVER['PHP_SELF'], 0, (strlen($_SERVER['PHP_SELF']) - @strlen($_SERVER['PATH_INFO'])));
How well does that work for mod_rewrite urls?
jmut
Forum Regular
Posts: 945
Joined: Tue Jul 05, 2005 3:54 am
Location: Sofia, Bulgaria

Post by jmut »

Are there any problems with it? I have got none so far. Maybe some specific scenario?
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

I try to stay away from PHP_SELF, for the very reason that it needs to be cleaned. There are many ways to get at what you want without having to use it. In fact, if you are pumping everything through a front controller, you can literally build your own URLs using your content from the database.
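The three options discussed in this thread side by side, as an added example that is not from any of the posters: the raw PHP_SELF action that feyd and Oren warn about, jmut's PATH_INFO stripping combined with htmlspecialchars(), and the empty/"#" action. The $_SERVER array is constructed to imitate a request whose trailing path segment Apache hands back in PATH_INFO; the function names are my own.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Runs against a constructed
// $_SERVER array, not a live request.

// 1. Unsafe: whatever followed the script name in the request URL ends
//    up inside the attribute unencoded, which is the injection feyd describes.
function action_raw(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '" method="post">';
}

// 2. jmut's idea, checked by suffix match instead of length arithmetic:
//    remove PATH_INFO from the end of PHP_SELF when it is really there,
//    then encode. The encoding is what stops injection; the stripping
//    only tidies the URL, so it is still safe when PATH_INFO is absent.
function action_script_only(array $server): string
{
    $self = $server['PHP_SELF'];
    $info = $server['PATH_INFO'] ?? '';
    if ($info !== '' && substr($self, -strlen($info)) === $info) {
        $self = substr($self, 0, -strlen($info));
    }
    $safe = htmlspecialchars($self, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form action="' . $safe . '" method="post">';
}

// 3. What feyd and Weirdan recommend: no server variable in the markup at all.
function action_self_post(): string
{
    return '<form action="" method="post">'; // action="#" behaves the same here
}

// Constructed request: /index.php followed by an attribute-breaking path segment.
$server = [
    'SCRIPT_NAME' => '/index.php',
    'PATH_INFO'   => '/"><script>alert(1)</script>',
    'PHP_SELF'    => '/index.php/"><script>alert(1)</script>',
];

echo action_raw($server), PHP_EOL;         // attribute is broken open
echo action_script_only($server), PHP_EOL; // script name only, encoded
echo action_self_post(), PHP_EOL;          // nothing request-derived
```

On a mod_rewrite setup, PATH_INFO may be unset or not match the tail of PHP_SELF, in which case the stripping step does nothing and the htmlspecialchars() call is the only thing keeping the attribute intact; that is why option 2 encodes unconditionally rather than relying on the strip.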