Page 1 of 1

php 5.2.1 PHP_SELF is safe now?

Posted: Wed Mar 07, 2007 3:04 am
by jmut
Hi folks,

Decided to spend some time to day just to read latest php changelog.

http://www.php.net/ChangeLog-5.php#5.2.1

There is line saying
"Make sure PHP_SELF is filtered in Apache 1 sapi."

Maybe I am wrong but does that mean that with apache 1 and php 5 'PHP_SELF' server variable is now save?

Posted: Wed Mar 07, 2007 4:26 am
by Mordred
Filtered how?
Safe for doing what?

PHP_SELF contains user-controlled data and should always be treated as user input.

The change in the log probably refers to some internal "filtering", meaning nothing was changed when looked from the outside.

Edit: Wait, it looks like it is about a change in the "Filter Extension", meaning this: http://pecl.php.net/package/filter
So this only affects you if you use this extension.

Strange, as I go over the API, I don't see a possibility of not filtering PHP_SELF, as you always specify the input array AND the index in it:

Code: Select all

$foo = filter_input(INPUT_SERVER, 'PHP_SELF', FILTER_SANITIZE_SPECIAL_CHARS);