Re: [PHP] differences in between these env. variables
On Jan 29, 2012, at 7:01 PM, Adam Richardson wrote: On Sun, Jan 29, 2012 at 11:38 AM, Tedd Sperling tedd.sperl...@gmail.com wrote: On Jan 27, 2012, at 12:45 PM, Adam Richardson wrote: On Fri, Jan 27, 2012 at 12:09 PM, Tedd Sperling tedd.sperl...@gmail.com wrote: On Jan 11, 2012, at 9:24 PM, tamouse mailing lists wrote: Is there ever a case where SCRIPT_NAME does not equal PHP_SELF? Was this every answered? I would like to know. Cheers, tedd Yep, can be different: http://stackoverflow.com/questions/279966/php-self-vs-path-info-vs-script-name-vs-request-uri Adam I should have been more clear -- I understand: [PHP_SELF] = /test.php/foo/bar [SCRIPT_NAME] = /test.php/ by practice is different. I should have used basename() in my question. The main point I was trying to get was which one is more secure and not subject to cross-site scripting or other such security issues? IOW, if you had to bet your life on it, which would be most secure in reporting an accurate basename()? That's an interesting question. Because $_SERVER['SCRIPT_NAME'] doesn't include path info appended to the get request, it greatly limits the attack surface, so I try to use it when I can. However, there are times when you want the ability to pass in additional path info (e.g., pretty urls), and that makes $_SERVER['PHP_SELF'] quite useful. In terms of securely using $_SERVER['PHP_SELF'], the one thing I don't ever recommend is trying to sanitize input (this view is in stark contrast to some of the resources online that detail how to safely use $_SERVER['PHP_SELF'] through a combination of techniques including sanitization.) I suggest that any time script receives that doesn't meet its expectations, the script should throw away the data and kindly communicate to the user that they'll have to try the request again with valid data. To use $_SERVER['PHP_SELF'] safely, the most important thing is context. In order for an XSS attack to succeed, it has to sneak in data that is structurally meaningful in the context of its use. If the web page outputs $_SERVER['PHP_SELF'] in an href such as the one below, then a double quote (or any of its possible encodings which buggily sneak through older browsers, but modern browsers seem to have corrected many of these issues) must be escaped: // if a double quote comes through PHP_SELF here and is not escaped, we're in trouble // https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.232_-_Attribute_Escape_Before_Inserting_Untrusted_Data_into_HTML_Common_Attributes a href=?php echo $_SERVER['PHP_SELF']; ?Link back to this page/a So, in the above case, I would first filter the PHP_SELF value through a regex that establishes a whitelist of valid values and/or characters (if you know all the possible paths of your app ahead of time, make sure there's a match; if you know that the path info only includes letters a-z, make sure there are they are the only characters you allow; etc.), and then for valid input, escape the output using htmlspeciachars(). NOTE: Developers who fail don't use quotes on attributes would have to be much more careful and escape several other characters in the above example. That all said, if PHP_SELF was being echoed out into a script tag, the above technique would be insufficient to protect against XSS, as the content of the script tag has many more structurally meaningful characters that have to be watched for and escaped. So, it really varies by the context of use. I'd use SCRIPT_NAME where I don't need the path info (but I'd still likely whitelist it's possible values and escape it's output.) And, if I needed the path info, I'd whitelist the possible PHP_SELF values and then escape the output according to the context. That all said, if my life depended on security of the app, I'd probably be very slow to put up any web pages, as the amount of testing and auditing I'd want to perform would be on the scale of years ;) Adam Adam: Thank you for your most thoughtful answer -- it was very informative. I won't be using echo $_SERVER['PHP_SELF']; for any forms or links. Cheers, tedd. _ t...@sperling.com http://sperling.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] differences in between these env. variables
On Jan 27, 2012, at 12:45 PM, Adam Richardson wrote: On Fri, Jan 27, 2012 at 12:09 PM, Tedd Sperling tedd.sperl...@gmail.com wrote: On Jan 11, 2012, at 9:24 PM, tamouse mailing lists wrote: Is there ever a case where SCRIPT_NAME does not equal PHP_SELF? Was this every answered? I would like to know. Cheers, tedd Yep, can be different: http://stackoverflow.com/questions/279966/php-self-vs-path-info-vs-script-name-vs-request-uri Adam I should have been more clear -- I understand: [PHP_SELF] = /test.php/foo/bar [SCRIPT_NAME] = /test.php/ by practice is different. I should have used basename() in my question. The main point I was trying to get was which one is more secure and not subject to cross-site scripting or other such security issues? IOW, if you had to bet your life on it, which would be most secure in reporting an accurate basename()? Cheers, tedd _ t...@sperling.com http://sperling.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] differences in between these env. variables
On Sun, Jan 29, 2012 at 5:38 PM, Tedd Sperling tedd.sperl...@gmail.com wrote: On Jan 27, 2012, at 12:45 PM, Adam Richardson wrote: On Fri, Jan 27, 2012 at 12:09 PM, Tedd Sperling tedd.sperl...@gmail.com wrote: On Jan 11, 2012, at 9:24 PM, tamouse mailing lists wrote: Is there ever a case where SCRIPT_NAME does not equal PHP_SELF? Was this every answered? I would like to know. Cheers, tedd Yep, can be different: http://stackoverflow.com/questions/279966/php-self-vs-path-info-vs-script-name-vs-request-uri Adam I should have been more clear -- I understand: [PHP_SELF] = /test.php/foo/bar [SCRIPT_NAME] = /test.php/ by practice is different. I should have used basename() in my question. The main point I was trying to get was which one is more secure and not subject to cross-site scripting or other such security issues? IOW, if you had to bet your life on it, which would be most secure in reporting an accurate basename()? Cheers, tedd I don't think basename() makes much sense here, does it? basename($_SERVER['PHP_SELF']) would give bar on your first example. To answer your question about XSS or other security issues, it all depends on how you use the info afterwards. - Matijn -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] differences in between these env. variables
On Sun, Jan 29, 2012 at 11:38 AM, Tedd Sperling tedd.sperl...@gmail.comwrote: On Jan 27, 2012, at 12:45 PM, Adam Richardson wrote: On Fri, Jan 27, 2012 at 12:09 PM, Tedd Sperling tedd.sperl...@gmail.com wrote: On Jan 11, 2012, at 9:24 PM, tamouse mailing lists wrote: Is there ever a case where SCRIPT_NAME does not equal PHP_SELF? Was this every answered? I would like to know. Cheers, tedd Yep, can be different: http://stackoverflow.com/questions/279966/php-self-vs-path-info-vs-script-name-vs-request-uri Adam I should have been more clear -- I understand: [PHP_SELF] = /test.php/foo/bar [SCRIPT_NAME] = /test.php/ by practice is different. I should have used basename() in my question. The main point I was trying to get was which one is more secure and not subject to cross-site scripting or other such security issues? IOW, if you had to bet your life on it, which would be most secure in reporting an accurate basename()? That's an interesting question. Because $_SERVER['SCRIPT_NAME'] doesn't include path info appended to the get request, it greatly limits the attack surface, so I try to use it when I can. However, there are times when you want the ability to pass in additional path info (e.g., pretty urls), and that makes $_SERVER['PHP_SELF'] quite useful. In terms of securely using $_SERVER['PHP_SELF'], the one thing I don't ever recommend is trying to sanitize input (this view is in stark contrast to some of the resources online that detail how to safely use $_SERVER['PHP_SELF'] through a combination of techniques including sanitization.) I suggest that any time script receives that doesn't meet its expectations, the script should throw away the data and kindly communicate to the user that they'll have to try the request again with valid data. To use $_SERVER['PHP_SELF'] safely, the most important thing is context. In order for an XSS attack to succeed, it has to sneak in data that is structurally meaningful in the context of its use. If the web page outputs $_SERVER['PHP_SELF'] in an href such as the one below, then a double quote (or any of its possible encodings which buggily sneak through older browsers, but modern browsers seem to have corrected many of these issues) must be escaped: // if a double quote comes through PHP_SELF here and is not escaped, we're in trouble // https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.232_-_Attribute_Escape_Before_Inserting_Untrusted_Data_into_HTML_Common_Attributes a href=?php echo $_SERVER['PHP_SELF']; ?Link back to this page/a So, in the above case, I would first filter the PHP_SELF value through a regex that establishes a whitelist of valid values and/or characters (if you know all the possible paths of your app ahead of time, make sure there's a match; if you know that the path info only includes letters a-z, make sure there are they are the only characters you allow; etc.), and then for valid input, escape the output using htmlspeciachars(). NOTE: Developers who fail don't use quotes on attributes would have to be much more careful and escape several other characters in the above example. That all said, if PHP_SELF was being echoed out into a script tag, the above technique would be insufficient to protect against XSS, as the content of the script tag has many more structurally meaningful characters that have to be watched for and escaped. So, it really varies by the context of use. I'd use SCRIPT_NAME where I don't need the path info (but I'd still likely whitelist it's possible values and escape it's output.) And, if I needed the path info, I'd whitelist the possible PHP_SELF values and then escape the output according to the context. That all said, if my life depended on security of the app, I'd probably be very slow to put up any web pages, as the amount of testing and auditing I'd want to perform would be on the scale of years ;) Adam -- Nephtali: A simple, flexible, fast, and security-focused PHP framework http://nephtaliproject.com
Re: [PHP] differences in between these env. variables
On Jan 11, 2012, at 9:24 PM, tamouse mailing lists wrote: Is there ever a case where SCRIPT_NAME does not equal PHP_SELF? Was this every answered? I would like to know. Cheers, tedd _ t...@sperling.com http://sperling.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] differences in between these env. variables
On Fri, Jan 27, 2012 at 6:09 PM, Tedd Sperling tedd.sperl...@gmail.com wrote: On Jan 11, 2012, at 9:24 PM, tamouse mailing lists wrote: Is there ever a case where SCRIPT_NAME does not equal PHP_SELF? Was this every answered? I would like to know. Cheers, tedd I don't think it was answered, but I'll answer now. Yes, there is a difference. At [1] you'll find a script that prints both SCRIPT_NAME and PHP_SELF. For most of the time, the output will be the same. But now, try the url at [2], and you'll see that it returns /dev/test/envvars.php for SCRIPT_NAME, and /dev/test/envvars.php/a/b/c for PHP_SELF. I hope this clears things up a bit. - Matijn [1] http://tijnema.myftp.org/dev/test/envvars.php [2] http://tijnema.myftp.org/dev/test/envvars.php/a/b/c -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] differences in between these env. variables
-Original Message- From: Tedd Sperling [mailto:tedd.sperl...@gmail.com] Sent: Friday, January 27, 2012 12:09 PM To: php-general. List Subject: Re: [PHP] differences in between these env. variables On Jan 11, 2012, at 9:24 PM, tamouse mailing lists wrote: Is there ever a case where SCRIPT_NAME does not equal PHP_SELF? Was this every answered? I would like to know. Cheers, tedd _ t...@sperling.com http://sperling.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php Ted I show on the 11 Jan there was 2 answers. I'll extend your example. We now have a RewriteRule in apache like this: RewriteRule ^files/?$ /directory/file.php [L,QSA] Which will rewrite /files/... -- /directory/file.php REQUEST_URI now contains how it was called by the browser, '/files/something.php' SCRIPT_NAME returns path to script (/directory/file.php), set by the SAPI (apache, ..). PHP_SELF returns also the path to script (/directory/file.php), but set by PHP self. I don't have any ORIG_PATH_INFO on my Ubuntu box, so be careful about this one. Recommended: Depends on which you need. I prefer PHP_SELF over SCRIPT_NAME, but that's more personal choice. Matijn -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] differences in between these env. variables
On Fri, Jan 27, 2012 at 12:09 PM, Tedd Sperling tedd.sperl...@gmail.comwrote: On Jan 11, 2012, at 9:24 PM, tamouse mailing lists wrote: Is there ever a case where SCRIPT_NAME does not equal PHP_SELF? Was this every answered? I would like to know. Cheers, tedd Yep, can be different: http://stackoverflow.com/questions/279966/php-self-vs-path-info-vs-script-name-vs-request-uri Adam -- Nephtali: A simple, flexible, fast, and security-focused PHP framework http://nephtaliproject.com
[PHP] differences in between these env. variables
I've grouped these env variables, each group returns the same values is there a difference? which ones do you use? which ones should I not use for the purposes listed below group1 SCRIPT_FILENAME vs PATH_TRANSLATED where both return D:\Hosting\5291100\html\directory\file.php purpose: get the full file path to the php script group2 REMOTE_ADDR vs REMOTE_HOST where both return same IP purpose: get the visitor's ip group3 REQUEST_URI vs SCRIPT_NAME vs URL vs ORIG_PATH_INFO vs PHP_SELF which all return /directory/file.php purpose: get the virtual url to the php script -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] differences in between these env. variables
On Thu, Jan 12, 2012 at 12:26 AM, Haluk Karamete halukkaram...@gmail.com wrote: I've grouped these env variables, each group returns the same values is there a difference? which ones do you use? which ones should I not use for the purposes listed below You can find the answers here: http://nl3.php.net/manual/en/reserved.variables.server.php I'll try to answer them in short group1 SCRIPT_FILENAME vs PATH_TRANSLATED where both return D:\Hosting\5291100\html\directory\file.php purpose: get the full file path to the php script SCRIPT_FILENAME can be a relative path, PATH_TRANSLATED is the full path. This is only true if run from CLI. On my Ubuntu box I don't even have PATH_TRANSLATED, so SCRIPT_FILENAME is recommended. group2 REMOTE_ADDR vs REMOTE_HOST where both return same IP purpose: get the visitor's ip REMOTE_HOST is not necessary always IP, if PHP succeeds to do a reverse lookup (ie. get name for this ip), than REMOTE_HOST contains a name instead of ip. You need to set a config option for this, though. Recommended: REMOTE_ADDR, it matches what you need, doesn't need config, and REMOTE_HOST doesn't even work for all hosts. group3 REQUEST_URI vs SCRIPT_NAME vs URL vs ORIG_PATH_INFO vs PHP_SELF which all return /directory/file.php purpose: get the virtual url to the php script I'll extend your example. We now have a RewriteRule in apache like this: RewriteRule ^files/?$ /directory/file.php [L,QSA] Which will rewrite /files/... -- /directory/file.php REQUEST_URI now contains how it was called by the browser, '/files/something.php' SCRIPT_NAME returns path to script (/directory/file.php), set by the SAPI (apache, ..). PHP_SELF returns also the path to script (/directory/file.php), but set by PHP self. I don't have any ORIG_PATH_INFO on my Ubuntu box, so be careful about this one. Recommended: Depends on which you need. I prefer PHP_SELF over SCRIPT_NAME, but that's more personal choice. Matijn -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] differences in between these env. variables
On Wed, Jan 11, 2012 at 5:49 PM, Matijn Woudt tijn...@gmail.com wrote: On Thu, Jan 12, 2012 at 12:26 AM, Haluk Karamete halukkaram...@gmail.com wrote: I've grouped these env variables, each group returns the same values is there a difference? which ones do you use? which ones should I not use for the purposes listed below You can find the answers here: http://nl3.php.net/manual/en/reserved.variables.server.php I'll try to answer them in short group1 SCRIPT_FILENAME vs PATH_TRANSLATED where both return D:\Hosting\5291100\html\directory\file.php purpose: get the full file path to the php script SCRIPT_FILENAME can be a relative path, PATH_TRANSLATED is the full path. This is only true if run from CLI. On my Ubuntu box I don't even have PATH_TRANSLATED, so SCRIPT_FILENAME is recommended. group2 REMOTE_ADDR vs REMOTE_HOST where both return same IP purpose: get the visitor's ip REMOTE_HOST is not necessary always IP, if PHP succeeds to do a reverse lookup (ie. get name for this ip), than REMOTE_HOST contains a name instead of ip. You need to set a config option for this, though. Recommended: REMOTE_ADDR, it matches what you need, doesn't need config, and REMOTE_HOST doesn't even work for all hosts. group3 REQUEST_URI vs SCRIPT_NAME vs URL vs ORIG_PATH_INFO vs PHP_SELF which all return /directory/file.php purpose: get the virtual url to the php script I'll extend your example. We now have a RewriteRule in apache like this: RewriteRule ^files/?$ /directory/file.php [L,QSA] Which will rewrite /files/... -- /directory/file.php REQUEST_URI now contains how it was called by the browser, '/files/something.php' SCRIPT_NAME returns path to script (/directory/file.php), set by the SAPI (apache, ..). PHP_SELF returns also the path to script (/directory/file.php), but set by PHP self. I don't have any ORIG_PATH_INFO on my Ubuntu box, so be careful about this one. Recommended: Depends on which you need. I prefer PHP_SELF over SCRIPT_NAME, but that's more personal choice. Matijn -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php Is there ever a case where SCRIPT_NAME does not equal PHP_SELF? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
