On Sat, May 21, 2011 at 10:11 AM, tedd <t...@sperling.com> wrote:

> Hi gang:
> Okay, so,what's the "best" (i.e., most secure) way for your script to
> identify itself *IF* you plan on using that information later, such as the
> value in an action attribute in a form?
> For example, I was using:
> $self = basename($_SERVER['SCRIPT_NAME']);
> <form name="my_form" action="<?php echo($self); ?>" method="post" >
> However, that was susceptible to XSS.
> http://www.mc2design.com/blog/php_self-safe-alternatives
> says a simple action="#" would work.
> But is there a better way?
> What would do you do solve this?
> Cheers,
> tedd

Tedd, I'm sorry for the confusion.

When I referenced that article, I was speaking to Alex as to why it wouldn't
be prudent for you to use PHP_SELF (as he had suggested to avoid an
additional function call) as opposed to what you were currently using,

My point, and the point of the article, was that PHP_SELF requires special
precautions. However, script_filename is not susceptible to this type of
attack, as it does not include data from the user:

In fact, basename($_SERVER['SCRIPT_FILENAME']), and basename(__FILE__) were
two of the mitigation methods mentioned in the closing of the article.

<http://php.about.com/od/learnphp/qt/_SERVER_PHP.htm>Try it out on your

<h1>PHP_SELF (dangerous)</h1>
<p><?php echo $_SERVER['PHP_SELF']; ?></p>
<p><?php echo $_SERVER['SCRIPT_FILENAME']; ?></p>
<h1>$_SERVER['REQUEST_URI'] (dangerous)</h1>
<p><?php echo $_SERVER['REQUEST_URI']; ?></p>
<p><?php echo __FILE__; ?></p>
<p><?php echo basename(__FILE__); ?></p>
<p><?php echo basename($_SERVER['SCRIPT_NAME']); ?></p>

Try to enter the attack vector and you'll see PHP_SELF could be terrible,
but the basename option for script_filename and __FILE__ are immune.

Again, sorry for the confusion.


Nephtali:  A simple, flexible, fast, and security-focused PHP framework

Reply via email to