On Sat, May 21, 2011 at 10:11 AM, tedd <t...@sperling.com> wrote:

> Hi gang:
>
> Okay, so,what's the "best" (i.e., most secure) way for your script to
> identify itself *IF* you plan on using that information later, such as the
> value in an action attribute in a form?
>
> For example, I was using:
>
> $self = basename($_SERVER['SCRIPT_NAME']);
>
> <form name="my_form" action="<?php echo($self); ?>" method="post" >
>
> However, that was susceptible to XSS.
>
> http://www.mc2design.com/blog/php_self-safe-alternatives
>
> says a simple action="#" would work.
>
> But is there a better way?
>
> What would do you do solve this?
>
> Cheers,
>
> tedd
>

Tedd, I'm sorry for the confusion.

When I referenced that article, I was speaking to Alex as to why it wouldn't
be prudent for you to use PHP_SELF (as he had suggested to avoid an
additional function call) as opposed to what you were currently using,
basename($_SERVER['SCRIPT_FILENAME']).

My point, and the point of the article, was that PHP_SELF requires special
precautions. However, script_filename is not susceptible to this type of
attack, as it does not include data from the user:
http://php.about.com/od/learnphp/qt/_SERVER_PHP.htm

In fact, basename($_SERVER['SCRIPT_FILENAME']), and basename(__FILE__) were
two of the mitigation methods mentioned in the closing of the article.

<http://php.about.com/od/learnphp/qt/_SERVER_PHP.htm>Try it out on your
server:

<h1>PHP_SELF (dangerous)</h1>
<p><?php echo $_SERVER['PHP_SELF']; ?></p>
<h1>$_SERVER['SCRIPT_FILENAME']</h1>
<p><?php echo $_SERVER['SCRIPT_FILENAME']; ?></p>
<h1>$_SERVER['REQUEST_URI'] (dangerous)</h1>
<p><?php echo $_SERVER['REQUEST_URI']; ?></p>
<h1>__FILE__</h1>
<p><?php echo __FILE__; ?></p>
<h1>basename(__FILE__)</h1>
<p><?php echo basename(__FILE__); ?></p>
<h1>basename($_SERVER['SCRIPT_NAME'])</h1>
<p><?php echo basename($_SERVER['SCRIPT_NAME']); ?></p>

Try to enter the attack vector and you'll see PHP_SELF could be terrible,
but the basename option for script_filename and __FILE__ are immune.

Again, sorry for the confusion.

Adam

-- 
Nephtali:  A simple, flexible, fast, and security-focused PHP framework
http://nephtaliproject.com

Reply via email to