On Tue, Jan 13, 2009 at 1:32 PM, Jason Pruim <japr...@raoset.com> wrote:
>
> On Jan 13, 2009, at 1:29 PM, Eric Butera wrote:
>
> On Tue, Jan 13, 2009 at 1:14 PM, Jason Pruim <japr...@raoset.com> wrote:
>
> On Jan 13, 2009, at 9:46 AM, Ashley Sheridan wrote:
>
> On Tue, 2009-01-13 at 09:33 -0500, tedd wrote:
>
> At 2:33 PM +0000 1/13/09, Ashley Sheridan wrote:
>
> On Tue, 2009-01-13 at 09:20 -0500, tedd wrote:
>
>  Jason:
>  In addition to what everyone else has said, try this:
>  $self = basename($_SERVER['SCRIPT_NAME'])
>  I use it for forms -- you might find it useful.
>  Cheers,
>  tedd
>  --
>  -------
>  http://sperling.com  http://ancientstones.com  http://earthstones.com
>
> No need to use it on forms, as leaving the action attribute empty means
> the form sends to itself anyway.
> Ash
>
> Ash:
> That's what I've said for years, but (I think it was on this list,
> but too lazy to look) there was a concern that some browsers may not
> follow that default behavior.
> However, using what I provided will work regardless.
> Cheers,
> tedd
> --
> -------
> http://sperling.com  http://ancientstones.com  http://earthstones.com
>
> I've not yet seen a browser that doesn't do this, and it's pretty old
> HTML really, so I don't see a reason why any new browsers wouldn't
> incorporate it.
>
> I prefer to be specific in my programming :)
> What I typically do with self submitting forms is:
> <?PHP
> $self = $_SERVER['PHP_SELF'];
>
> echo <<<HTML
>        <form method="post" action="{$self}">
> ...
> </form>
> HTML;
> ?>
> But to each his (Or her) own right?
>
> --
> Jason Pruim
> japr...@raoset.com
> 616.399.2355
>
>
>
>
> You know that's asking for xss, right?
>
> Not until just now.... But I'll be looking into that and changing it to
> something more secure very shortly.
> --
> Jason Pruim
> japr...@raoset.com
> 616.399.2355
>
>
>

This might help:
http://www.thespanner.co.uk/2008/01/14/exploiting-php-self/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
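Added example (not code from the thread or from any poster): how to render a self-submitting form without reflecting the raw request path. `$_SERVER['PHP_SELF']` includes PATH_INFO, i.e. whatever the client appended after the script name, so echoing it unescaped into the `action` attribute lets the client put markup into the page. The two defensive options shown are escaping the value with `htmlspecialchars()` and, as tedd suggested, deriving the action from `basename($_SERVER['SCRIPT_NAME'])`; both functions take the server value as a parameter only so they can be run against a constructed sample string. Function names and the sample path are assumptions made for this example.

```php
<?php
// Added example, not from the thread. Demonstrates escaping PHP_SELF before
// it is used as a form action, and the SCRIPT_NAME-based alternative.

/**
 * Attribute-safe form action built from PHP_SELF.
 * Pass $_SERVER['PHP_SELF'] in production; a constructed string is used below.
 */
function safe_form_action(string $phpSelf): string
{
    // ENT_QUOTES encodes both " and ' so the value cannot close the attribute.
    return htmlspecialchars($phpSelf, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Alternative: SCRIPT_NAME is the URL path of the script the server resolved,
 * not the raw request URI, and basename() drops any directory part.
 * It is still escaped: attribute values are never emitted raw.
 */
function script_basename_action(string $scriptName): string
{
    return htmlspecialchars(basename($scriptName), ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Render a minimal self-submitting form with the given (already escaped) action. */
function render_form(string $action): string
{
    return <<<HTML
<form method="post" action="{$action}">
    <input type="text" name="q">
    <input type="submit" value="Send">
</form>
HTML;
}

// Constructed sample (hypothetical): a request for /form.php with extra path
// info containing a double quote, the character that would end the attribute.
$constructedPhpSelf = '/form.php/extra"path';

echo render_form(safe_form_action($constructedPhpSelf)), "\n";

// Constructed sample SCRIPT_NAME as the server would set it for /app/form.php.
echo render_form(script_basename_action('/app/form.php')), "\n";

// In a real page:
// echo render_form(safe_form_action($_SERVER['PHP_SELF']));
```

With the first call the double quote in the sample path is emitted as `&quot;`, so the attribute value stays a single string and the surrounding markup is unchanged; the second call yields `action="form.php"`. Leaving `action` empty, as Ash noted, also posts the form back to the current URL, but whichever value you choose, anything that came from the request must pass through `htmlspecialchars()` before it lands inside an attribute.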
