Hi Robert,

Rather than hardcoding the variable $_SERVER['SERVER_NAME'] everywhere, we 
can take advantage of the variable $PHP_SELF being globally declared in 
AdoDB - just one place! If you are very sure of the consequences of 
$_SERVER['PHP_SELF'], then all we need to do is to re-assign the variable 
$PHP_SELF in one place!

The values of some Unicode characters have got mangled during your change in 
line 10 of file:
modules/news/includes/inc_newstitle_clean.php

Regards,
Ap.Muthu
apmu...@usa.net


> Hi Robert,
>
> Please check the need to replace $PHP_SELF and revert it if needed.
> The said variable is a clean value of $_SERVER['PHP_SELF'] and in some 
> instances made as $thisfle.
> It is globally declared in AdoDB:
> classes/adodb/adodb-pager.inc.php (lines 60/63)
> classes/adodb/adodb-perf.inc.php (line 919)
> and in
> classes/calendar_jl/class.calendar.php (line 62)
>
> There were a total of 44 files referring to $PHP_SELF prior to your 
> updates.
>
> Regards,
> Ap.Muthu
> apmu...@usa.net
>
>
>> Hi,
>>
>> Belongs to committed revisions 6704, 6705 and 6706:
>>
>> Just checked some debug information and found that:
>>
>> /*------begin------ This protection code was suggested by Luki R.
>> l...@karet.org ---- */
>> if (stristr('inc_date_format_functions.php',$PHP_SELF))
>> die('<meta http-equiv="refresh" content="0; url=../">');
>> /*------end------*/
>>
>> Why do I think it is so evil? Well, first I got a warning here:
>> Notice: Undefined variable: PHP_SELF [...]
>>
>> Besides the syntax error used here, $_SERVER['PHP_SELF'] is not that
>> much better. $PHP_SELF seems to me like a strange mix-up, not sure. Maybe
>> there was a reason for it, but I do not see it. I am not that perfect,
>> maybe someone smarter than me can explain it to me ;-)
>>
>> But then I tested around and it is ..interesting:
>>
>> file: test.php
>> contains:
>> <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method ="post">
>>
>> Now.. what do you think will happen when I call that script with:
>> http://localhost/test.php/";></form>itchy script:
>> <script>alert('gotcha');</script><form action="./test.php
>>
>> Huhhh... not good. So I made a workaround with
>> $_SERVER['SCRIPT_NAME']
>>
>> Robert
>>
>> p.s. who is Luki R. l...@karet.org ??
> 
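
Added example, not part of the thread or of the project's code: a PHP CLI script that renders the form from test.php three ways against constructed $_SERVER values matching the request quoted above, and reports which renderings let the path info escape the action attribute. The function names and the breaksOut() check are hypothetical.

```php
<?php
// Added example, not code from the thread. The values are constructed to
// mirror the request quoted above: /test.php followed by extra path info.
$pathInfo = '/"></form>itchy script:<script>alert(\'gotcha\');</script>'
          . '<form action="./test.php';
$server = [
    'SCRIPT_NAME' => '/test.php',             // path of the executing script only
    'PHP_SELF'    => '/test.php' . $pathInfo, // script path plus client-supplied path info
];

// The form as written in test.php in the thread: PHP_SELF echoed unescaped.
function formUnsafe(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '" method="post">';
}

// The workaround from the thread (SCRIPT_NAME), escaped for the attribute as well.
function formScriptName(array $server): string
{
    $action = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $action . '" method="post">';
}

// Keeping PHP_SELF but escaping it, e.g. where $PHP_SELF is assigned in one place.
function formEscapedSelf(array $server): string
{
    $PHP_SELF = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $PHP_SELF . '" method="post">';
}

// Hypothetical check: a safe rendering is exactly one tag, so it contains
// one '<' and one '>'; anything more means markup escaped the attribute.
function breaksOut(string $html): bool
{
    return substr_count($html, '<') !== 1 || substr_count($html, '>') !== 1;
}

foreach (['formUnsafe', 'formScriptName', 'formEscapedSelf'] as $render) {
    $html = $render($server);
    printf("%-16s breaks out: %s\n  %s\n", $render, breaksOut($html) ? 'yes' : 'no', $html);
}
```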



_______________________________________________
Care2002-developers mailing list
Care2002-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/care2002-developers
