On Sat, May 21, 2011 at 3:11 PM, tedd <t...@sperling.com> wrote:

> Hi gang:
> Okay, so,what's the "best" (i.e., most secure) way for your script to
> identify itself *IF* you plan on using that information later, such as the
> value in an action attribute in a form?
> For example, I was using:
> $self = basename($_SERVER['SCRIPT_NAME']);
> <form name="my_form" action="<?php echo($self); ?>" method="post" >
> However, that was susceptible to XSS.
> http://www.mc2design.com/blog/php_self-safe-alternatives
> says a simple action="#" would work.
> But is there a better way?
> What would do you do solve this?

If you want the form to submit to the same URL that generated the form, I'd
recommend using $_SERVER['REQUEST_URI']. You can also omit the action
attribute entirely which, in my experience, will cause the browser to submit
to the current URL. I have no idea whether that's part of the HTML spec, but
that's the behaviour I've always observed.

Alternatively, by my reckoning, you could make your use of PHP_SELF safe by
applying rawurlencode to $self when you put it in the action, but that's
only after 30 seconds of thinking about it.


Stuart Dallas
3ft9 Ltd

Reply via email to