On 21 May 2011 16:18, Stuart Dallas <stu...@3ft9.com> wrote:
> On Sat, May 21, 2011 at 3:11 PM, tedd <t...@sperling.com> wrote:
>> Hi gang:
>> Okay, so,what's the "best" (i.e., most secure) way for your script to
>> identify itself *IF* you plan on using that information later, such as the
>> value in an action attribute in a form?
>> For example, I was using:
>> $self = basename($_SERVER['SCRIPT_NAME']);
>> <form name="my_form" action="<?php echo($self); ?>" method="post" >
>> However, that was susceptible to XSS.
>> http://www.mc2design.com/blog/php_self-safe-alternatives
>> says a simple action="#" would work.
>> But is there a better way?
>> What would do you do solve this?
> If you want the form to submit to the same URL that generated the form, I'd
> recommend using $_SERVER['REQUEST_URI']. You can also omit the action
> attribute entirely which, in my experience, will cause the browser to submit
> to the current URL. I have no idea whether that's part of the HTML spec, but
> that's the behaviour I've always observed.

REQUEST_URI is as susceptible to XSS as the others. Omitting url
entirely (in case of posting a form, say) works in most browsers but
is known to fail in others (atm I can't recall which but Google should
know). Both '?' and '#' will generally work, but are prone to problems
with the base element.

> Alternatively, by my reckoning, you could make your use of PHP_SELF safe by
> applying rawurlencode to $self when you put it in the action, but that's
> only after 30 seconds of thinking about it.

rawurlencode encodes forward slashes (and many other things). Not what
you're looking for.

Apart from that, there is no single solution to the issue: if you're
doing url rewrites, then you could use your route-to-url function
instead of relying on any server variables. If your script is called
directly instead, then use the part of the request uri up till and
including the match for __FILE__.


WWW: plphp.dk / plind.dk
LinkedIn: plind
BeWelcome/Couchsurfing: Fake51
Twitter: kafe15

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to