views: 52 | answers: 2
Hi guys.

I'm thinking of using PHP_SELF to grab the name of the page the user is currently visiting. I'm well aware of the dangers of using PHP_SELF in places like form actions, though I'm not sure where it would hurt to use in hrefs? But that's beside the main question . . . anyway.

Are there any dangers in using PHP_SELF to grab the page the user is on and using str_replace() to get the info I need from it? I can't think of any, but this is, of course, a great place to ask. ;)

Thanks!

+1  A: 

Yes, it can be, because it is an attacker-controlled variable. It can lead to vulnerabilities such as XSS.

`<?php print $_SERVER['PHP_SELF']?>`

`http://localhost/self.php/<script>alert(1)</script>`

If possible you should use a variable that the attacker can't control, like `$_SERVER["SCRIPT_FILENAME"]`. There are a couple of others; just check the phpinfo().

Rook
Even if I stripped everything but the current pagename out? I'd be checking for the .php extension (all extensions being checked would end in .php) and stripping everything after it.
conLo
@conLo sounds error prone. You should use a variable that the attacker can't control like `$_SERVER["SCRIPT_FILENAME"]`
Rook
I wasn't sure which would be safest. I've read articles where the entirety of `$_SERVER` was prone to some kind of attack or another. To me, of course, it doesn't make a difference which one I use. They all lead to the same conclusion. So you can safely substitute any of the `$_SERVER` variables that would do the trick with PHP_SELF.
conLo
@conLo I have no idea what you are referring to. It only matters how the data is being used. The majority of $_SERVER variables can be controlled by the attacker, but $_GET, $_POST, $_COOKIE and $_REQUEST are always controlled by the attacker.
Rook
That's basically what I was saying. I've come across several articles that led me to believe what you just said, that the majority of $_SERVER can be controlled by the user in some way or another. What I was asking was whether you knew if `$_SERVER['SCRIPT_FILENAME']`, `$_SERVER['SCRIPT_NAME']` or any of the others I could use to get my results are any more or less prone than `$_SERVER['PHP_SELF']`. In this instance, of course. Though really, I can't see how the user could utilise any XSS when I'm dropping everything after the extension, including the extension itself.
conLo
@conLo first and foremost, users don't use XSS; attackers use XSS to hijack a user's session. Read more about XSS before you get burned. Second of all, I linked you to a phpinfo() where you can test it. Just do a find for /junk and it will show you all of the path variables that the attacker controls. Testing is everything; don't trust some answer on SO, the vast majority of security answers are incorrect. You have to learn how to test your own system for vulnerabilities.
Rook
I agree, as long as you are stripping everything out besides the .php file you should be fine. But if you want to be really safe I'd go with `$_SERVER["SCRIPT_FILENAME"]`, as an attacker can't change that and you only get the info you need, which is best practice.
Fox
Actually users do use XSS, seeing as how any user can potentially be a hacker and so all users should be viewed as hackers, and vice versa. Second of all, I already know all about XSS or I wouldn't have had the knowledge to even come up with this question to ask in the first place. Third of all, I know testing is everything; again, I wouldn't bother asking the question in the first place if I thought otherwise. I would have read Fox's answer and the link, gathered that was all the information I needed to know, written some weak script and been done with it. Now why the hostility?
conLo
@Fox: Thanks for the simple answer. I was of the same opinion that any attempted attack would be stripped out. On top of that, I'm not even using it anywhere the attack could possibly be viewed/used so I doubt which variable I use even matters at all in the end.
conLo
If anyone's curious, I ended up using `$_SERVER['SCRIPT_NAME']` since it doesn't care about path_info, exploded it into an array, reversed the array, and used `substr()` and `strpos()` to do their thing.
conLo
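The point Rook makes above is that `PHP_SELF` carries the request's PATH_INFO, so whatever follows the script name in the URL ends up in the variable verbatim, and the point made in the comments is that reducing the value to the script's base name removes that part. The script below is an added example, not code from the answer or the question; it simulates the `$_SERVER` entries for the `http://localhost/self.php/<script>alert(1)</script>` request from the answer (the array is constructed here so the file runs from the CLI without a web server) and places the raw `PHP_SELF` link beside a version that starts from `SCRIPT_NAME`, keeps only a base name matching a strict `*.php` pattern, and escapes the result on output. The function names `vulnerableLink`, `currentPageName` and `safeLink` are my own.

```php
<?php
// Added example: raw PHP_SELF in an href versus a base name derived from
// SCRIPT_NAME and escaped on output.

// Constructed $_SERVER values for a request to
//   http://localhost/self.php/<script>alert(1)</script>
// Under Apache, PHP_SELF is SCRIPT_NAME followed by PATH_INFO, which is
// why the attacker-supplied tail shows up in it.
$server = [
    'SCRIPT_NAME'     => '/self.php',
    'PATH_INFO'       => '/<script>alert(1)</script>',
    'PHP_SELF'        => '/self.php/<script>alert(1)</script>',
    'SCRIPT_FILENAME' => '/var/www/html/self.php',
];

// Vulnerable: the value is written into markup unchanged, so the PATH_INFO
// part is rendered as HTML.
function vulnerableLink(array $server): string
{
    return '<a href="' . $server['PHP_SELF'] . '">this page</a>';
}

// Hardened, step 1: derive the page name from SCRIPT_NAME (no PATH_INFO),
// reduce it to its base name, and reject anything that is not a plain
// "<name>.php". Throwing on mismatch is a deliberate fail-closed choice.
function currentPageName(array $server): string
{
    $name = basename($server['SCRIPT_NAME']);   // "self.php"
    if (!preg_match('/^[A-Za-z0-9_.-]+\.php$/', $name)) {
        throw new RuntimeException('Unexpected script name: ' . $name);
    }
    return $name;
}

// Hardened, step 2: escape on output regardless of how trustworthy the
// value looks, so the href stays safe even if the derivation changes later.
function safeLink(array $server): string
{
    $page = htmlspecialchars(currentPageName($server), ENT_QUOTES, 'UTF-8');
    return '<a href="' . $page . '">this page</a>';
}

echo "Vulnerable: " . vulnerableLink($server) . "\n";
// -> <a href="/self.php/<script>alert(1)</script>">this page</a>
echo "Hardened:   " . safeLink($server) . "\n";
// -> <a href="self.php">this page</a>
```

Run it with `php example.php`. The two lines it prints show the difference the comments argue about: stripping back to the base name removes the injected tail, and the `htmlspecialchars()` call is what keeps the link safe if the stripping is ever bypassed or the page name is later reused in an attribute or in text.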
+1  A: 

Well if you need the whole URL check out this tutorial. Otherwise, use $_SERVER['REQUEST_URI'] to get the URI of the current page (if the url is example.com/foo/bar.php it will give you foo/bar.php).

Fox
I checked this page (and several others) already, but haven't been given a straight answer about it still being dangerous doing what I'm attempting with it.
conLo