$_SERVER['PHP_SELF']

Discussion in 'PHP' started by encom, Oct 14, 2009.

  1. #1
    $_SERVER['PHP_SELF']

    Where should this be used?

    I have heard that this can cause security issues....

    I have tried searching, but it is a bit hit and miss on where it should be used.

    It would be great if someone could clear this up for me.... thanks.
     
    encom, Oct 14, 2009 IP
  2. JAY6390

    #2
    Some people use it in a form's action parameter, but you should NOT use it as it isn't required or safe
     
    JAY6390, Oct 14, 2009 IP
  3. organicCyborg

    #3
    As Jay said, it's mostly used in form actions.

    Instead of saying <form action="staticFileName.php"> you can just say <form action="<?php echo $_SERVER['PHP_SELF']; ?>">

    The problem with doing this is that PHP_SELF will print out all elements sent to the current URL.

    If the user went to the URL "phpFormProcessor.php/badXSScodeHere" instead of just "phpFormProcessor.php", they could pass HTML or JS code to your page.

    You can still use PHP_SELF though, just use basename() to sanitize the data.
     
    organicCyborg, Oct 14, 2009 IP
  4. encom

    #4
    hmmm, ok thanks...

    if my page was: mypage.php?id=6&c=2

    could I make a safe php_self by using basename() or something similar...
     
    encom, Oct 14, 2009 IP
  5. superdav42

    #5
    basename will work in this context I believe and it would be safe.
     
    superdav42, Oct 14, 2009 IP
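The following is an added example, not code posted by anyone in this thread. It models the form-action pattern from post #3 and the basename() advice from posts #3 and #5 against constructed stand-ins for `$_SERVER['PHP_SELF']` (the function names, the `contact.php` path and the injected markup are all made up for the demonstration), so it runs from the command line without a web server. Two facts worth keeping in mind while reading it: PHP_SELF is the script path plus any PATH_INFO the client appended after the script name, and it never contains the query string, so `mypage.php?id=6&c=2` from post #4 is not the case that bites; the extra path segment is.

```php
<?php
// Added example (not from the thread): PHP_SELF echoed into a form action,
// with and without basename() and HTML-attribute escaping.
// Run with: php php_self_demo.php

// Constructed values standing in for $_SERVER['PHP_SELF']. The second and
// third append PATH_INFO after the script name, which is the case post #3
// describes ("phpFormProcessor.php/badXSScodeHere").
const SAMPLES = [
    'plain request'           => '/forms/contact.php',
    'path info, no slash'     => '/forms/contact.php/"><b>injected</b>',
    'path info, trailing dir' => '/forms/contact.php/"><b>injected</b>/x',
];

// Post #3's pattern: PHP_SELF written raw into the action attribute.
function rawAction(string $phpSelf): string
{
    return '<form action="' . $phpSelf . '" method="post">';
}

// basename() on its own, as suggested in posts #3 and #5.
function basenameAction(string $phpSelf): string
{
    return '<form action="' . basename($phpSelf) . '" method="post">';
}

// Hardened: escape for the HTML attribute context. basename() only drops
// the directory part; htmlspecialchars() is what stops a quote or angle
// bracket in the value from closing the attribute or the tag.
function escapedAction(string $phpSelf): string
{
    $action = htmlspecialchars(basename($phpSelf), ENT_QUOTES, 'UTF-8');
    return '<form action="' . $action . '" method="post">';
}

// Check 1: the tag still has exactly one well-formed action attribute and
// nothing has broken out of it (no quote or angle bracket inside the value).
function attributeIntact(string $tag): bool
{
    return preg_match('/^<form action="[^"<>]*" method="post">$/', $tag) === 1;
}

// Check 2: the action still points at the real script. A tag can be
// intact (check 1) yet submit to the wrong file, which is the basename()
// failure mode when PATH_INFO contains a slash.
function targetsScript(string $tag, string $script): bool
{
    if (preg_match('/action="([^"]*)"/', $tag, $m) !== 1) {
        return false;
    }
    return basename($m[1]) === $script;
}

foreach (SAMPLES as $label => $phpSelf) {
    echo "== $label ==\n";
    foreach (['rawAction', 'basenameAction', 'escapedAction'] as $fn) {
        $tag = $fn($phpSelf);
        printf(
            "%-15s intact=%-5s targets-script=%-5s %s\n",
            $fn,
            attributeIntact($tag) ? 'yes' : 'NO',
            targetsScript($tag, 'contact.php') ? 'yes' : 'NO',
            $tag
        );
    }
}
```

Running it shows the three outcomes side by side: the raw echo lets the appended path close the attribute and start a new tag; basename() alone keeps the attribute intact only when the appended data happens to end in a slash, and in every PATH_INFO case the action no longer points at `contact.php`; htmlspecialchars() keeps the markup intact in every case, though the action still points at whatever the client appended. The escaping is the part that prevents the injection; if the action must always name the current script, `$_SERVER['SCRIPT_NAME']` (which excludes PATH_INFO) is the variable that carries that, and it should still be escaped on output.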