What is the benefit of using the super global $_SERVER['PHP_SELF']?
88 views, 1 answer
+11
A: $_SERVER['PHP_SELF'] doesn't (or shouldn't) include the domain name. It includes the path component of the URL that the script was called from.
Its use is primarily to introduce cross site scripting vulnerabilities.
You can use it to fill in the action attribute of a form tag:
<form method="post" action="<?=$_SERVER['PHP_SELF']?>"></form>
If I then call your page with:
your-file-that-uses-php-self.php/("><script>eval-javascript-here</script>)
where everything in parens is URL-encoded, then I can inject the code into your page. If I send that link to somebody else, then I'm executing that code in their browser from your site.
aaronasterling
2010-08-10 06:28:55
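The request in the answer above, reproduced as a runnable script. This is an added example and not part of aaronasterling's answer; the value assigned to $_SERVER['PHP_SELF'] and $_SERVER['SCRIPT_NAME'] is constructed to mimic what a web server would hand the script for the attack URL, so the file can be run from the command line (php phpself.php) without a web server. The function names are mine.

```php
<?php
// Added example, not code from the original answer.
//
// A request for
//   /your-file-that-uses-php-self.php/%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E
// is served by your-file-that-uses-php-self.php, and the trailing path segment
// becomes PATH_INFO. The server URL-decodes it, and PHP_SELF is the script
// path plus that decoded PATH_INFO, so the script sees the string below.
// Both values are constructed here to simulate the server.
$_SERVER['PHP_SELF']    = '/your-file-that-uses-php-self.php/"><script>alert(1)</script>';
$_SERVER['SCRIPT_NAME'] = '/your-file-that-uses-php-self.php';

// Vulnerable: this is exactly what <?=$_SERVER['PHP_SELF']?> in the answer does.
// The double quote in PATH_INFO closes the action attribute, the > closes the
// <form> tag, and the attacker's <script> becomes part of the page.
function vulnerableForm(string $self): string
{
    return '<form method="post" action="' . $self . '"></form>';
}

// Hardened: encode for the HTML attribute context before echoing.
// ENT_QUOTES encodes both " and ', so neither quote style can break out of
// the attribute; ENT_SUBSTITUTE avoids returning an empty string on bad UTF-8.
function hardenedForm(string $self): string
{
    $safe = htmlspecialchars($self, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post" action="' . $safe . '"></form>';
}

// Alternative: do not echo PATH_INFO at all. SCRIPT_NAME is the script path
// without the extra segment, and it is still escaped because nothing taken
// from the request should reach HTML unencoded.
function scriptNameForm(): string
{
    $self = htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post" action="' . $self . '"></form>';
}

// A crude check a reviewer can run over rendered output: a raw <script> tag
// in what should be an attribute value means the attacker's markup survived.
function containsLiveScriptTag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

echo "Vulnerable (script tag survives: ",
     containsLiveScriptTag(vulnerableForm($_SERVER['PHP_SELF'])) ? 'yes' : 'no', "):\n",
     vulnerableForm($_SERVER['PHP_SELF']), "\n\n";

echo "Hardened (script tag survives: ",
     containsLiveScriptTag(hardenedForm($_SERVER['PHP_SELF'])) ? 'yes' : 'no', "):\n",
     hardenedForm($_SERVER['PHP_SELF']), "\n\n";

echo "SCRIPT_NAME instead of PHP_SELF:\n", scriptNameForm(), "\n";
```

The hardened output contains `action="/your-file-that-uses-php-self.php/&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;"`, which the browser treats as an odd but harmless URL; the vulnerable output contains a real `<script>` element outside the form tag. Note that the path segment is still part of the action in the hardened form, so the post goes to the attacker-chosen path under your script; using SCRIPT_NAME, or an empty action, avoids that as well.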
I love that part *Its use is largely to introduce cross site scripting vulnerabilities*... Have my last upvote for today!
alex
2010-08-10 06:32:01
This is part of why I switched to .NET for web development. :)
Jake Petroules
2010-08-10 06:44:12
Clearly .Net is foolproof.
Justin Johnson
2010-08-10 06:48:52
That’s why you should use proper encoding for your output.
Gumbo
2010-08-10 06:49:22
@alex thanks. @Jake I totally understand. PHP makes it super easy to shoot yourself in the foot. It is possible to secure a PHP application as long as you stick to the basics though (e.g. don't trust anything from the user). The problem is that you need to know the system well enough to know what comes from the user.
aaronasterling
2010-08-10 06:50:35