On Friday 27 April 2007 15:16, Cristian Rodriguez R. wrote: > Randall R Schulz escribió: > > On Friday 27 April 2007 14:26, Cristian Rodriguez R. wrote: > >>> <form method="post" action="<?php echo $SEVER['PHP_SELF']; ?>"> > >> > >> Sure,and then you get a free security hole. > >> > >> it should say. > >> > >> <form method="post" action="<?php echo $_SERVER['SCRIPT_NAME']; > >> ?>"> > >> > >> or in case you **really** want to use PHP_SELF > >> > >> <form method="post" action="<?php echo > >> htmlspecialchars($_SERVER['PHP_SELF']); ?>"> > > > > If that's true, then anyone could just grab the HTML, change the > > SCRIPT_NAME back to PHP_SELF, > > huh ? PHP is interpreted on the server .. they will not be able to > change what code is executed in the server.
I know PHP runs on the server. But you're talking about <form> elements in the HTML that resides in clients browsers. You can serve anything you like, but you cannot keep people from altering it and then loading the altered HTML into their browser and submitting the form-generated requests from the altered HTML to your server. In essence you're accepting fragments of PHP code from the client, which is often a security risk. It's similar to taking user-supplied text, interleaving it with fragments of SQL statement text and submitting the result as commands to your database. > ... Randall Schulz -- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
