
php_self not working

Posted: Mon Jul 16, 2007 11:37 pm
by wasir
Is it correct that there should be one php_self per page...? I am trying to achieve a few different tasks from one flow of script using if.
Any button with $_SERVER['PHP_SELF'] action logs me out of the page. What am I doing wrong here...

Code:

<?php
// $link (the mysqli connection), getHeader() and getFooter() are expected to
// be defined in functions.php5.
include ('functions.php5');
session_start();

// admin, delete, password and group were bare words (undefined constants)
// in the original; they are quoted as strings here.
if ((isset($_SESSION['valid_user'])) && ($_SESSION['group'] == 'admin')) {
    $username = isset($_GET['un']) ? $_GET['un'] : '';
    $edit     = isset($_POST['editable']) ? $_POST['editable'] : '';
    // Note: the yes/no links below are plain GET requests that carry neither
    // un nor the editable POST field, so on that request $username and $edit
    // are empty, no branch matches, and the script falls through to the
    // "not logged in" message at the bottom.
    $safeuser = mysqli_real_escape_string($link, $username); // escaped before use in SQL

    if ($edit == 'delete') {
        if (isset($_GET['delete']) && $_GET['delete'] == 'no') {
            header('Location: admusers.php5');
            exit; // stop output after the redirect
        }
        if (isset($_GET['delete']) && $_GET['delete'] == 'yes') {
            if (!$resultdel = @mysqli_query($link, 'DELETE FROM users WHERE username=\'' . $safeuser . '\'')) {
                echo getHeader();
                echo '<p>Error2: ' . mysqli_error($link) . '.</p>';
                echo getFooter();
                exit;
            }
            echo getHeader();
            echo '<p> Successfully deleted. </p>';
            echo '<p class=nav><a href=admusers.php5>back</a></p>';
            echo getFooter();
            exit;
        }
        echo getHeader();
        echo '<p>This will delete the user account. Are you sure?</p>';
        echo '<p> <a href=' . $_SERVER['PHP_SELF'] . '?delete=yes>yes</a> | <a href=' . $_SERVER['PHP_SELF'] . '?delete=no>no</a> </p>';
        echo '<p class=nav><a href=admusers.php5>back</a></p>';
        echo getFooter();
        exit;
    }

    if ($edit == 'password') {
        if (isset($_GET['password']) && $_GET['password'] == 'no') {
            header('Location: admusers.php5');
            exit;
        }
        if (isset($_GET['password']) && $_GET['password'] == 'yes') {
            // resets the password to sha1 of the literal string "password"
            if (!$resultpw = @mysqli_query($link, 'UPDATE `users` SET `password` = sha1(\'password\') WHERE `username` = \'' . $safeuser . '\'')) {
                echo getHeader();
                echo '<p>Error2: ' . mysqli_error($link) . '.</p>';
                echo getFooter();
                exit;
            }
            echo getHeader();
            echo '<p> Password has been reset successfully. </p>';
            echo '<p class=nav><a href=admusers.php5>back</a></p>';
            echo getFooter();
            exit;
        }
        echo getHeader();
        echo '<p>This will reset user\'s password. Are you sure?</p>';
        echo '<p> <a href=' . $_SERVER['PHP_SELF'] . '?password=yes>yes</a> | <a href=' . $_SERVER['PHP_SELF'] . '?password=no>no</a> </p>';
        echo '<p class=nav><a href=admusers.php5>back</a></p>';
        echo getFooter();
        exit;
    }

    if ($edit == 'group') {
        if (isset($_GET['grp'])) {
            // The links send the parameter as grp, so it is read as grp here
            // (the original read $_GET['group']); the value is a string and
            // must be quoted in the query.
            $safegrp = mysqli_real_escape_string($link, $_GET['grp']);
            if (!$resultgp = @mysqli_query($link, 'UPDATE `users` SET `link` = \'' . $safegrp . '\' WHERE `username` = \'' . $safeuser . '\'')) {
                echo getHeader();
                echo '<p>Error2: ' . mysqli_error($link) . '.</p>';
                echo getFooter();
                exit;
            }
            echo getHeader();
            echo '<p>Group updated.</p>';
            echo '<p class=nav><a href=admusers.php5>back</a></p>';
            echo getFooter();
            exit;
        }
        echo getHeader();
        echo '<p>Please select the group to assign:</p>';
        echo '<p> <a href=' . $_SERVER['PHP_SELF'] . '?grp=admin>admin</a> (Building Manager) | <a href=' . $_SERVER['PHP_SELF'] . '?grp=member>member</a> (Body Corporate Member)</p>';
        echo '<p class=nav><a href=admusers.php5>back</a></p>';
        echo getFooter();
        exit;
    }

    if (isset($_POST['submit'])) {
        // Note: $edit and $_POST['editable'] are the same POST field, so the
        // column name and the new value in this query are identical; the
        // value is quoted and escaped, the column name is used as given.
        $safeval = mysqli_real_escape_string($link, $_POST['editable']);
        if (!$result = @mysqli_query($link, 'UPDATE `users` SET `' . $edit . '` = \'' . $safeval . '\' WHERE `username` = \'' . $safeuser . '\'')) {
            echo getHeader();
            echo '<p>Error2: ' . mysqli_error($link) . '.</p>';
            echo getFooter();
            exit;
        }
        echo getHeader();
        echo '<p>Please give new ' . htmlspecialchars($edit) . '</p>';
        echo '<p><form action=' . $_SERVER['PHP_SELF'] . ' method=post>';
        echo '<input type=text name=editable maxlength=50 />';
        echo '<input type=submit name=submit value=update />';
        echo '</form></p>';
        echo '<p class=nav><a href=admusers.php5>back</a></p>';
        echo getFooter();
        exit;
    }
}
// Reached both when there is no admin session and when no branch above matched.
echo getHeader();
echo '<p> You are not logged in.</p>';
echo '<p class=nav><a href=login.php5>login</a></p>';
echo getFooter();
?>

Posted: Tue Jul 17, 2007 12:02 am
by RobertGonzalez
You can use $_SERVER['PHP_SELF'] anywhere and as often as you like, but it is not safe to use it. You can use basename(__FILE__) instead, or for form post actions, you can use a simple '#'.
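An added example, not code from the thread, showing why echoing $_SERVER['PHP_SELF'] straight into markup (as the first post does) is unsafe and how the two fixes above neutralise it. The $_SERVER values are constructed to mimic a request whose URL carried extra path info after the script name; the script filename and the PHP 7 syntax are assumptions.

```php
<?php
// Constructed request: PHP_SELF includes whatever path info the client
// appended after the script name, so it is client-controlled input.
$_SERVER['SCRIPT_NAME'] = '/admusers.php5';
$_SERVER['PHP_SELF']    = '/admusers.php5/"><b>path-info from the client</b>';

// The pattern from the original post: the raw value lands inside an attribute.
function form_action_unsafe(): string {
    return '<form action="' . $_SERVER['PHP_SELF'] . '" method="post">';
}

// Fix 1: escape anything written into an HTML attribute.
function form_action_escaped(): string {
    $self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $self . '" method="post">';
}

// Fix 2 (the basename(__FILE__) suggestion): the script's own filename,
// which the client cannot influence; a plain '#' works for self-posting forms.
function form_action_basename(): string {
    return '<form action="' . basename(__FILE__) . '" method="post">';
}

// Check used below: extract the action value and make sure no raw quote or
// angle bracket survived into it (a clean attribute ends exactly at method=).
function action_attribute_is_clean(string $html): bool {
    if (!preg_match('/action="(.*)" method="post">$/s', $html, $m)) {
        return false;
    }
    return strpbrk($m[1], '<>"') === false;
}

$cases = [
    'unsafe'   => form_action_unsafe(),
    'escaped'  => form_action_escaped(),
    'basename' => form_action_basename(),
];
foreach ($cases as $name => $html) {
    printf("%-8s clean=%-3s %s\n", $name, action_attribute_is_clean($html) ? 'yes' : 'no', $html);
}
```

Only the first case reports clean=no: the constructed path info closes the attribute and starts a tag of its own, which is exactly what the escaped and basename forms prevent.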

Posted: Tue Jul 17, 2007 12:21 am
by Luke
<shameless plug>

I recently wrote an article about how and why PHP_SELF is insecure
http://www.mc2design.com/blog/php_self- ... tle-rascal

</shameless plug>

Posted: Tue Jul 17, 2007 12:26 am
by RobertGonzalez
That is a great article Ninja. I think I will be plugging that on my blog real soon.