On 21 May 2011 16:18, Stuart Dallas <stu...@3ft9.com> wrote:
> On Sat, May 21, 2011 at 3:11 PM, tedd <t...@sperling.com> wrote:
>
>> Hi gang:
>>
>> Okay, so, what's the "best" (i.e., most secure) way for your script to
>> identify itself *IF* you plan on using that information later, such as the
>> value in an action attribute in a form?
>>
>> For example, I was using:
>>
>> $self = basename($_SERVER['SCRIPT_NAME']);
>>
>> <form name="my_form" action="<?php echo($self); ?>" method="post" >
>>
>> However, that was susceptible to XSS.
>>
>> http://www.mc2design.com/blog/php_self-safe-alternatives
>>
>> says a simple action="#" would work.
>>
>> But is there a better way?
>>
>> What would you do to solve this?
>>
>
> If you want the form to submit to the same URL that generated the form, I'd
> recommend using $_SERVER['REQUEST_URI']. You can also omit the action
> attribute entirely which, in my experience, will cause the browser to submit
> to the current URL. I have no idea whether that's part of the HTML spec, but
> that's the behaviour I've always observed.

REQUEST_URI is as susceptible to XSS as the others. Omitting the url entirely (in case of posting a form, say) works in most browsers but is known to fail in others (atm I can't recall which but Google should know). Both '?' and '#' will generally work, but are prone to problems with the base element.

> Alternatively, by my reckoning, you could make your use of PHP_SELF safe by
> applying rawurlencode to $self when you put it in the action, but that's
> only after 30 seconds of thinking about it.

rawurlencode encodes forward slashes (and many other things). Not what you're looking for.

Apart from that, there is no single solution to the issue: if you're doing url rewrites, then you could use your route-to-url function instead of relying on any server variables. If your script is called directly instead, then use the part of the request uri up till and including the match for __FILE__.

Regards
Peter

--
<hype>
WWW: plphp.dk / plind.dk
LinkedIn: plind
BeWelcome/Couchsurfing: Fake51
Twitter: kafe15
</hype>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
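Peter's suggestion of keeping the request URI only up to and including the match for __FILE__, written out as an added PHP example (not code from the thread). It assumes the script's file name appears in the URL path, and it still escapes the result for the attribute context, which is the step tedd's original snippet was missing.

```php
<?php
// Added example, not from the thread. Builds a form action from REQUEST_URI
// by keeping only the path up to and including this script's own file name,
// then escapes it for an HTML attribute context.
// Assumption: the script's file name (basename of __FILE__) is what appears
// in the URL path; with URL rewriting that is not guaranteed, hence the fallback.

function safe_form_action(string $request_uri, string $script_file): string
{
    $script = basename($script_file);            // e.g. "form.php"
    $path   = explode('?', $request_uri, 2)[0];  // drop the query string

    // Match "…/form.php" followed by a slash (extra path info) or end of path.
    $pattern = '~^(.*?/' . preg_quote($script, '~') . ')(?:/|$)~';
    if (!preg_match($pattern, $path, $m)) {
        // Script name not in the path (rewrites in use): fall back to a
        // relative self-submit that echoes no request data at all.
        return '#';
    }

    // Attribute-context escaping is what actually prevents the XSS; keep it
    // even after trimming, since the directory part of the path is not
    // validated here.
    return htmlspecialchars($m[1], ENT_QUOTES, 'UTF-8');
}

// Constructed inputs: a clean request, one with a query string, one where
// extra path info after the script name carries attribute-breaking characters,
// and one rewritten URL that does not contain the script name at all.
$constructed = [
    '/app/form.php',
    '/app/form.php?page=2',
    '/app/form.php/"><injected>',
    '/pretty/url',
];
foreach ($constructed as $uri) {
    printf("%-30s -> %s\n", $uri, safe_form_action($uri, '/var/www/app/form.php'));
}
```

In a template the call becomes the value of the action attribute, e.g. `action="<?= safe_form_action($_SERVER['REQUEST_URI'], __FILE__) ?>"`; the first three constructed inputs all yield `/app/form.php` and the rewritten one yields `#`.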