tags:

views:

216

answers:

5

With forms I've always used

<form method="post" action="<?php echo strip_tags($_SERVER['REQUEST_URI']); ?>">

To get my forms to submit to themselves.

I use strip_tags() in case someone links to:

http://www.mysite.com/page-with-form.php?bla="><script src="http://www.nasty.com/super-nasty.js"></script><a href="#

Have I covered all bases, to secure from XSS attacks, or should I use a more whitelist approach, say a regex that only allows alphanumerical characters, the forward slash, question mark, equals sign, parenthesis etc?

Thank you!

+2  A: 

Have a form submit to itself by sending it to this:

$_SERVER["PHP_SELF"]

That global variable will output the current page. Unless there's a reason you need the entire query string along with it?

EDIT

Since as pointed out by VolkerK in the comments, even PHP_SELF is vulnerable, you can write your own little variable based off the PHP_SELF and explode out the rest of the URI that you know is not part of your page. Something like this:

$file_ext = '.php'; //knowing what file extension your URI is
$page_on = $_SERVER["PHP_SELF"]; //grab this page, with all that junk
$page_huh = explode($file_ext, $page_on); //blow it apart based on file ext
$page_on = $page_huh[0].$file_ext; //attach the leg back onto the URI

echo $page_on;
random
Possibly could, I wonder if it'll still work with my rewritten URIs.
alex
$_SERVER['PHP_SELF'] itself is no protection against XSS as it may contain things other than the script's path and may be manipulated by users, see http://seancoates.com/xss-woes
VolkerK
@VolkerK - Ah, good call on that.
random
...even though my word/typo ratio is bad - it's 7am here and I just crawled out of bed ;)
VolkerK
@VolkerK: Wow... good tip. I had no idea that exploit existed.
Andrew
A: 

If your strip_tags() strips only tags (characters between "<" and ">" including the angle brackets), someone can still inject javascript:

http://www.mysite.com/page-with-form.php?bla=" onsubmit="return function(){ /*nasty code here*/ }()" style="

Better to whitelist every possible meta-character in HTML, Javascript and CSS (i.e. angle brackets, parentheses, braces, semi-colons, double quote, single quote, etc).

maxyfc
+5  A: 

Use htmlspecialchars instead of strip_tags.

Gumbo
Will that encode any ?, /, = ? I'll need to look into it, thanks.
alex
Sounds like this might be my easiest solution, thanks Gumbo!
alex
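An added example, not code from the question or from any of the answers, contrasting the strip_tags() approach from the question with htmlspecialchars() in an attribute context. The two sample URIs are constructed from the ones quoted in the question and in maxyfc's answer; the function names are hypothetical.

```php
<?php
// Constructed sample inputs, shaped like the two URIs quoted on this page.
// In a real page the value would come from $_SERVER['REQUEST_URI'].
$samples = [
    '/page-with-form.php?bla="><script src="http://www.nasty.com/super-nasty.js"></script><a href="#',
    '/page-with-form.php?bla=" onsubmit="return function(){ /* nasty code here */ }()" style="',
];

// The question's approach: strip_tags() removes <...> sequences but leaves
// double quotes untouched, so the second sample (which has no angle brackets
// at all) still closes the action="..." attribute and adds an event handler.
function action_strip_tags(string $uri): string
{
    return strip_tags($uri);
}

// Gumbo's suggestion: htmlspecialchars() with ENT_QUOTES turns <, >, &, "
// and ' into entities, so the browser cannot leave the attribute value.
// ?, / and = are left as they are, so the URI still resolves correctly.
function action_escaped(string $uri): string
{
    return htmlspecialchars($uri, ENT_QUOTES, 'UTF-8');
}

// Defence in depth: keep only the path component (drop query and fragment),
// then escape it anyway. parse_url() may return false for malformed input,
// in which case fall back to a safe default.
function action_path_only(string $uri): string
{
    $path = parse_url($uri, PHP_URL_PATH);
    if ($path === false || $path === null || $path === '') {
        $path = '/';
    }
    return htmlspecialchars($path, ENT_QUOTES, 'UTF-8');
}

foreach ($samples as $uri) {
    printf("strip_tags : <form action=\"%s\">\n", action_strip_tags($uri));
    printf("escaped    : <form action=\"%s\">\n", action_escaped($uri));
    printf("path only  : <form action=\"%s\">\n\n", action_path_only($uri));
}
```

Run it from the command line and compare the three lines per sample: only the escaped and path-only variants keep the attribute closed where the author intended.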
+2  A: 

If you want to reference the same schema/host/path a simple action="?" should suffice. According to http://tools.ietf.org/html/rfc3986#section-4.2

relative-ref  = relative-part [ "?" query ] [ "#" fragment ]

relative-part = "//" authority path-abempty
              / path-absolute
              / path-noscheme
              / path-empty

it's a valid relative uri.

VolkerK
+1 - Nice 1 character solution. Code golf much?
random
Is this reliable in all browsers? Pretty cool if it is :) Thanks for your answer.
alex
"Is this reliable in all browsers?" Haven't tested extensively. IE, Firefox, Opera and links accept it. And I don't see why another browser shouldn't. Even action="" should be valid (is it really?). I would just put the ? in there to avoid "hey, you missed filling in the url" ;-)
VolkerK
@VolkerK I've seen another question in here regarding a blank action, it seemed like a question mark is the best way to go.
alex
A: 

If you want a form to submit to itself, just leave the action empty e.g.

<form action="" method="POST">
...
</form>
I don't think that validates, though. And it has problems in WebKit browsers IIRC.
alex
It definitely has some problems on some versions of IIS, if combined with a <input type="file", IIRC...
Jrgns