At 1:47 PM -0400 5/21/11, Adam Richardson wrote:
On Sat, May 21, 2011 at 10:11 AM, tedd <t...@sperling.com> wrote:

Hi gang:

Okay, so, what's the "best" (i.e., most secure) way for your script to identify itself *IF* you plan on using that information later, such as the value in an action attribute in a form?

For example, I was using:

$self = basename($_SERVER['SCRIPT_NAME']);

<form name="my_form" action="<?php echo($self); ?>" method="post" >

However, that was susceptible to XSS.

http://www.mc2design.com/blog/php_self-safe-alternatives

says a simple action="#" would work.

But is there a better way?

What would you do to solve this?

Cheers,

tedd


Tedd, I'm sorry for the confusion.

When I referenced that article, I was speaking to Alex as to why it wouldn't be prudent for you to use PHP_SELF (as he had suggested to avoid an additional function call) as opposed to what you were currently using, basename($_SERVER['SCRIPT_FILENAME']).

My point, and the point of the article, was that PHP_SELF requires special precautions. However, script_filename is not susceptible to this type of attack, as it does not include data from the user:
http://php.about.com/od/learnphp/qt/_SERVER_PHP.htm

In fact, basename($_SERVER['SCRIPT_FILENAME']), and basename(__FILE__) were two of the mitigation methods mentioned in the closing of the article.

Try it out on your server:

<h1>PHP_SELF (dangerous)</h1>
<p><?php echo $_SERVER['PHP_SELF']; ?></p>
<h1>$_SERVER['SCRIPT_FILENAME']</h1>
<p><?php echo $_SERVER['SCRIPT_FILENAME']; ?></p>
<h1>$_SERVER['REQUEST_URI'] (dangerous)</h1>
<p><?php echo $_SERVER['REQUEST_URI']; ?></p>
<h1>__FILE__</h1>
<p><?php echo __FILE__; ?></p>
<h1>basename(__FILE__)</h1>
<p><?php echo basename(__FILE__); ?></p>
<h1>basename($_SERVER['SCRIPT_NAME'])</h1>
<p><?php echo basename($_SERVER['SCRIPT_NAME']); ?></p>

Try to enter the attack vector and you'll see PHP_SELF could be terrible, but the basename option for script_filename and __FILE__ are immune.

Again, sorry for the confusion.

Adam
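An added example, not code from Adam's or tedd's messages, showing why PHP_SELF carries request data while SCRIPT_NAME / SCRIPT_FILENAME do not, and three ways to fill the form's action attribute safely. The $_SERVER values are constructed to mimic a request whose trailing path segment the web server hands to PHP as PATH_INFO; the function names are my own.

```php
<?php
// Constructed request, assumed: GET /form.php/extra"><b>x</b> on a server
// that accepts trailing path info. PHP_SELF is SCRIPT_NAME + PATH_INFO, so
// it echoes back whatever the client appended; SCRIPT_NAME and
// SCRIPT_FILENAME come from the server's mapping of the script itself.
$server = [
    'SCRIPT_NAME'     => '/form.php',
    'SCRIPT_FILENAME' => '/var/www/html/form.php',
    'PATH_INFO'       => '/extra"><b>x</b>',
];
$server['PHP_SELF']    = $server['SCRIPT_NAME'] . $server['PATH_INFO'];
$server['REQUEST_URI'] = $server['PHP_SELF'];

// Option 1 (what tedd was already doing): a value derived by the server,
// not from the request line. basename() also drops the directory part.
function action_from_script_name(array $server): string {
    return basename($server['SCRIPT_NAME']);
}

// Option 2: if PHP_SELF is really needed (to keep the path info), escape it
// for the HTML attribute context before output. ENT_QUOTES covers the
// double quote that would otherwise close the attribute.
function action_from_php_self(array $server): string {
    return htmlspecialchars($server['PHP_SELF'], ENT_QUOTES, 'UTF-8');
}

// Option 3 (the article's suggestion): action="#" posts back to the
// current URL without printing any server variable at all.
function action_self_reference(): string {
    return '#';
}

function render_form(string $action): string {
    return '<form name="my_form" action="' . $action . '" method="post">';
}

// Raw PHP_SELF: the quote from PATH_INFO terminates the attribute early.
echo "unsafe:   " . render_form($server['PHP_SELF']) . "\n";
// Each mitigation leaves the client-supplied characters inert:
//   option 1 -> action="form.php"
//   option 2 -> action="/form.php/extra&quot;&gt;&lt;b&gt;x&lt;/b&gt;"
//   option 3 -> action="#"
echo "option 1: " . render_form(action_from_script_name($server)) . "\n";
echo "option 2: " . render_form(action_from_php_self($server)) . "\n";
echo "option 3: " . render_form(action_self_reference()) . "\n";
```

Run it with the PHP CLI; the first line shows the attribute being closed by request data, the other three show it intact.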

Adam:

Very interesting.

As I understand things, to remove an XSS threat from the method, you have to get the script name from something other than a SuperGlobal because SuperGlobals are subject to XSS attacks, right?

As such, using a predefined constant should be safe. I don't know how, nor where, PHP gets the value, but I'm assuming it's not from something that can be altered by someone outside the server.

So, is that the reason why you say that using __FILE__ is better at getting the running script's name than using $_SERVER['PHP_SELF']?

Cheers,

tedd


--
-------
http://sperling.com/
