views: 202

answers: 3

Hello all,

I just realised that, under some weird circumstances, I was doing what I believe to be self submissions, without any reference to PHP_SELF in the form's action attribute.

I'm puzzled, can we either use

<?php echo filter_var($_SERVER['PHP_SELF'], FILTER_SANITIZE_STRING); ?>

Or

action="" 

?

If not, under what circumstances should we consider one or the other?

Thanks in advance, MEM

A: 

If I'm not mistaken Safari had/has problems with the latter, therefore I dropped using it.

nikic
@nikic - Thanks a lot. @All - Can anyone else confirm if the above still applies? Or if it's a common case... I need more evidence to decide whether to use it or not. :D
MEM
A: 

You can use either (PHP_SELF or an empty string). But why would you use FILTER_SANITIZE_STRING for this? You'd better use htmlentities() instead of filter_var in this case: if your path contains filtered characters (e.g. <), the form won't submit.

I prefer giving a string, <base href=> can cause trouble when using empty values. Example:

<form action="<?php echo htmlentities($_SERVER['PHP_SELF']);?>" method="post">
</form>
Lekensteyn
Why one instead of another, can you please elaborate? Thanks a lot.
MEM
Characters like '<' in pathnames will be filtered, the resource won't be accessible.
Lekensteyn
A: 

Please do not use PHP_SELF, because this can also be /index.php/"><script>alert(1)</script>/.

It's often used for XSS Attacks.

Use the index SCRIPT_NAME instead! SCRIPT_NAME will always point to the actual PHP file and not to the user-input.

Regards

Edit:

Two people point out that SCRIPT_NAME would not work when using mod_rewrite. This is false, and I think these people should read before they vote answers down.

Here's a test scenario for you *:

$ cat .htaccess 
RewriteEngine On
RewriteRule testme/ /testmenot.php

$ cat testmenot.php 
<?php echo $_SERVER['SCRIPT_NAME']; ?>

$ GET hostname/testme/
/testmenot.php

$_SERVER['REQUEST_URI'] is holding "/testme/", which I guess these people would have expected in SCRIPT_NAME. But that can also not be found in PHP_SELF.

/me crosses fingers
:E

Jan.
-1, SCRIPT_NAME won't work for rewritten URLs. PHP_SELF can be used if you're checking it well.
Lekensteyn
@Jan: doesn't the filter_var or htmlentities deal with that?
MEM
`$_SERVER['SCRIPT_NAME']` does not work with rewritten URLs. The XSS is not an issue if the receiving page redirects after parsing the request.
chelmertz
@Lekensteyn... thanks for the -1, but you're wrong: SCRIPT_NAME does actually work with rewritten URLs... it'll always point to the .php file and *not* to the given rewrite. When you want the QUERY_STRING you'll use neither SCRIPT_NAME nor PHP_SELF.
Jan.
Jan, I have cases where resources are only accessible with the rewritten URL; requesting the file directly gives a 404 page, without processing the request further. For various reasons, it's not preferable to display the real file path directly.
Lekensteyn
@lekensteyn, that has nothing to do with you making false statements on a correct answer. It's merely an opinion regarding a project of yours. But thanks for letting us know.
Jan.
Wrikken
You're correct in that most projects use a rewrite name, and it's then totally unwanted to use either PHP_SELF or SCRIPT_NAME. But that's still not the point here. On the other hand, just using htmlentities may be enough from the security aspect, but it makes no sense to use anything random that a client sends as the target href of a form. This breaks unique content strategies and is not what one wants.
Jan.
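The difference between Jan's answer (PHP_SELF carries client-supplied path info, SCRIPT_NAME does not) and Lekensteyn's point (escaping the value makes it safe) can be seen in one CLI script. This is an added example, not code from the thread; the $_SERVER values are constructed to mimic the request in Jan's answer, so no web server is needed, and htmlspecialchars() is used because it escapes the same characters that matter here (&, <, >, ", ') as htmlentities().

```php
<?php
// Constructed $_SERVER values: what a request for
// /index.php/"><script>alert(1)</script>/ would yield under Apache+mod_php.
$_SERVER['SCRIPT_NAME'] = '/index.php';
$_SERVER['PATH_INFO']   = '/"><script>alert(1)</script>/';
$_SERVER['PHP_SELF']    = $_SERVER['SCRIPT_NAME'] . $_SERVER['PATH_INFO'];

// Build the opening form tag with the path escaped for an attribute context.
// ENT_QUOTES covers both " and ', so the value cannot close the attribute
// whichever quote style the template uses.
function formAction(string $path): string
{
    $escaped = htmlspecialchars($path, ENT_QUOTES, 'UTF-8');
    return '<form action="' . $escaped . '" method="post">';
}

// True if the rendered tag still contains a raw <script> element, i.e. the
// path info managed to break out of the action attribute.
function hasBreakout(string $tag): bool
{
    return stripos($tag, '<script') !== false;
}

$variants = [
    'raw PHP_SELF (what the answer warns about)'   => '<form action="' . $_SERVER['PHP_SELF'] . '" method="post">',
    'PHP_SELF escaped (Lekensteyn\'s suggestion)'   => formAction($_SERVER['PHP_SELF']),
    'SCRIPT_NAME (Jan\'s suggestion, no path info)' => formAction($_SERVER['SCRIPT_NAME']),
    'empty action (nothing echoed from the client)' => '<form action="" method="post">',
];

foreach ($variants as $label => $tag) {
    printf("%-48s %s\n  %s\n\n", $label, hasBreakout($tag) ? 'VULNERABLE' : 'safe', $tag);
}
```

Only the first variant renders a live script element; the escaped PHP_SELF keeps the payload as inert text inside the attribute, while SCRIPT_NAME and action="" never include it at all.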