PHP_SELF question ?

Posted: Wed May 02, 2007 1:28 pm
by staar2
Is it safe to use $_SERVER['PHP_SELF'] in action="" or in URLs like $PHP_SELF?page=home, or should I use some other, safer method?

Posted: Wed May 02, 2007 1:51 pm
by feyd
No. PHP_SELF contains user input which could easily be HTML, thereby injecting HTML into your page.

Actions can be "#" and links can simply be "?foo=bar"

Posted: Wed May 02, 2007 1:51 pm
by Oren
No, it's not. Not without any kind of filtering. That'd be asking for XSS!

Posted: Wed May 02, 2007 2:04 pm
by RobertGonzalez
Form actions can be as simple as "#", which causes the page to post back to itself and anchor to the top of the page. You could also use basename(__FILE__) or basename($_SERVER['SCRIPT_FILENAME']), though the server variables are not always consistent across server platforms.

PHP_SELF should not be used unless you want to A) Clean the heck out of it before presenting it to view; or B) get your site hacked to bits.

Posted: Wed May 02, 2007 5:41 pm
by Weirdan
RobertGonzalez wrote: Form actions can be as simple as "#"

Or empty as well.

Posted: Thu May 03, 2007 12:43 am
by timvw
Afaik, the only reason that we (as in phpdn) started using '#' as action was because someone reported that his (very exotic browser) crashed on ''... But that is at least 2 years ago...

Posted: Fri May 04, 2007 12:42 am
by jmut
Everah wrote: ....A) Clean the heck out of it before presenting it to view;...

I guess this cleans the heck out of it

Code:

// Cut PATH_INFO off the end of PHP_SELF; the @ silences the notice when PATH_INFO is unset
echo substr($_SERVER['PHP_SELF'], 0, (strlen($_SERVER['PHP_SELF']) - @strlen($_SERVER['PATH_INFO'])));

Posted: Fri May 04, 2007 12:55 am
by timvw
jmut wrote:
Everah wrote:....A) Clean the heck out of it before presenting it to view;...

I guess this cleans the heck out of it

Code:

echo substr($_SERVER['PHP_SELF'], 0, (strlen($_SERVER['PHP_SELF']) - @strlen($_SERVER['PATH_INFO'])));

How well does that work for mod_rewrite URLs?

Posted: Fri May 04, 2007 1:00 am
by jmut
Are there any problems with it? I have got none so far. Maybe some specific scenario?

Posted: Fri May 04, 2007 1:04 am
by RobertGonzalez
I try to stay away from PHP_SELF, for the very reason that it needs to be cleaned. There are many ways to get at what you want without having to use it. In fact, if you are pumping everything through a front controller, you can literally build your own URLs using your content from the database.
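The options argued over in this thread, side by side, as an added example that is not code from any of the posters. It assumes an Apache-style setup where PHP_SELF is SCRIPT_NAME plus PATH_INFO; the $_SERVER values are constructed to simulate a request whose extra path segment carries markup, and the function names selfWithoutPathInfo and formAction are my own.

```php
<?php
// Constructed request: the browser asked for /index.php/<b>injected</b>, so the
// server fills PHP_SELF with the script path plus the user-supplied PATH_INFO.
$_SERVER['SCRIPT_NAME']     = '/index.php';
$_SERVER['SCRIPT_FILENAME'] = '/var/www/html/index.php';
$_SERVER['PATH_INFO']       = '/<b>injected</b>';
$_SERVER['PHP_SELF']        = $_SERVER['SCRIPT_NAME'] . $_SERVER['PATH_INFO'];

// jmut's trick: cut PATH_INFO off the end of PHP_SELF. It removes the
// user-supplied suffix but still outputs the value unescaped, and it relies on
// the server populating PATH_INFO consistently; under mod_rewrite PHP_SELF
// already names the rewritten script rather than the URL the user requested.
function selfWithoutPathInfo(array $server): string
{
    $pathInfoLen = isset($server['PATH_INFO']) ? strlen($server['PATH_INFO']) : 0;
    return substr($server['PHP_SELF'], 0, strlen($server['PHP_SELF']) - $pathInfoLen);
}

// Defensive version: do not put PHP_SELF in the page at all. SCRIPT_NAME carries
// no path-info component, and the value is escaped anyway because anything
// placed inside an HTML attribute must be escaped for that context.
function formAction(array $server): string
{
    return htmlspecialchars(basename($server['SCRIPT_NAME']), ENT_QUOTES, 'UTF-8');
}

$raw     = $_SERVER['PHP_SELF'];                                          // vulnerable
$trimmed = selfWithoutPathInfo($_SERVER);                                 // suffix removed
$escaped = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');   // entities only
$safe    = formAction($_SERVER);                                          // no PHP_SELF

printf("raw:      <form action=\"%s\">\n", $raw);
printf("trimmed:  <form action=\"%s\">\n", $trimmed);
printf("escaped:  <form action=\"%s\">\n", $escaped);
printf("basename: <form action=\"%s\">\n", $safe);
```

Run it from the CLI to compare the four attribute values; only the raw line carries live markup into the form tag.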