At 1:47 PM -0400 5/21/11, Adam Richardson wrote:
On Sat, May 21, 2011 at 10:11 AM, tedd <<mailto:t...@sperling.com>t...@sperling.com> wrote:


Hi gang:

Okay, so,what's the "best" (i.e., most secure) way for your script to identify itself *IF* you plan on using that information later, such as the value in an action attribute in a form?

For example, I was using:

$self = basename($_SERVER['SCRIPT_NAME']);

<form name="my_form" action="<?php echo($self); ?>" method="post" >

However, that was susceptible to XSS.

<http://www.mc2design.com/blog/php_self-safe-alternatives>http://www.mc2design.com/blog/php_self-safe-alternatives

says a simple action="#" would work.

But is there a better way?

What would do you do solve this?

Cheers,

tedd


Tedd, I'm sorry for the confusion.

When I referenced that article, I was speaking to Alex as to why it wouldn't be prudent for you to use PHP_SELF (as he had suggested to avoid an additional function call) as opposed to what you were currently using, basename($_SERVER['SCRIPT_FILENAME']).

My point, and the point of the article, was that PHP_SELF requires special precautions. However, script_filename is not susceptible to this type of attack, as it does not include data from the user:
<http://php.about.com/od/learnphp/qt/_SERVER_PHP.htm>http://php.about.com/od/learnphp/qt/_SERVER_PHP.htm

In fact, basename($_SERVER['SCRIPT_FILENAME']), and basename(__FILE__) were two of the mitigation methods mentioned in the closing of the article.

<http://php.about.com/od/learnphp/qt/_SERVER_PHP.htm>Try it out on your server:

<h1>PHP_SELF (dangerous)</h1>
<p><?php echo $_SERVER['PHP_SELF']; ?></p>
<h1>$_SERVER['SCRIPT_FILENAME']</h1>
<p><?php echo $_SERVER['SCRIPT_FILENAME']; ?></p>
<h1>$_SERVER['REQUEST_URI'] (dangerous)</h1>
<p><?php echo $_SERVER['REQUEST_URI']; ?></p>
<h1>__FILE__</h1>
<p><?php echo __FILE__; ?></p>
<h1>basename(__FILE__)</h1>
<p><?php echo basename(__FILE__); ?></p>
<h1>basename($_SERVER['SCRIPT_NAME'])</h1>
<p><?php echo basename($_SERVER['SCRIPT_NAME']); ?></p>

Try to enter the attack vector and you'll see PHP_SELF could be terrible, but the basename option for script_filename and __FILE__ are immune.

Again, sorry for the confusion.

Adam

Adam:

Very interesting.

As I understand things, to remove a XSS threat from the method, you have to get the script name from something other than a SuperGlobal because SuperGlobals are subject to XXS attacks, right?

As such, using a predefined constant should be safe. I don't know how, nor where, PHP gets the value, but I'm assuming it's not from something that can be altered by someone outside the server.

So, is that the reason why you say that using __FILE__ is better at getting the running script's name than using $_SERVER['PHP_SELF']?

Cheers,

tedd


--
-------
http://sperling.com/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to