On Sat, May 21, 2011 at 10:11 AM, tedd <t...@sperling.com> wrote: > Hi gang: > > Okay, so,what's the "best" (i.e., most secure) way for your script to > identify itself *IF* you plan on using that information later, such as the > value in an action attribute in a form? > > For example, I was using: > > $self = basename($_SERVER['SCRIPT_NAME']); > > <form name="my_form" action="<?php echo($self); ?>" method="post" > > > However, that was susceptible to XSS. > > http://www.mc2design.com/blog/php_self-safe-alternatives > > says a simple action="#" would work. > > But is there a better way? > > What would do you do solve this? > > Cheers, > > tedd >
Tedd, I'm sorry for the confusion. When I referenced that article, I was speaking to Alex as to why it wouldn't be prudent for you to use PHP_SELF (as he had suggested to avoid an additional function call) as opposed to what you were currently using, basename($_SERVER['SCRIPT_FILENAME']). My point, and the point of the article, was that PHP_SELF requires special precautions. However, script_filename is not susceptible to this type of attack, as it does not include data from the user: http://php.about.com/od/learnphp/qt/_SERVER_PHP.htm In fact, basename($_SERVER['SCRIPT_FILENAME']), and basename(__FILE__) were two of the mitigation methods mentioned in the closing of the article. <http://php.about.com/od/learnphp/qt/_SERVER_PHP.htm>Try it out on your server: <h1>PHP_SELF (dangerous)</h1> <p><?php echo $_SERVER['PHP_SELF']; ?></p> <h1>$_SERVER['SCRIPT_FILENAME']</h1> <p><?php echo $_SERVER['SCRIPT_FILENAME']; ?></p> <h1>$_SERVER['REQUEST_URI'] (dangerous)</h1> <p><?php echo $_SERVER['REQUEST_URI']; ?></p> <h1>__FILE__</h1> <p><?php echo __FILE__; ?></p> <h1>basename(__FILE__)</h1> <p><?php echo basename(__FILE__); ?></p> <h1>basename($_SERVER['SCRIPT_NAME'])</h1> <p><?php echo basename($_SERVER['SCRIPT_NAME']); ?></p> Try to enter the attack vector and you'll see PHP_SELF could be terrible, but the basename option for script_filename and __FILE__ are immune. Again, sorry for the confusion. Adam -- Nephtali: A simple, flexible, fast, and security-focused PHP framework http://nephtaliproject.com
