Daniel Convissor wrote:

On Fri, Dec 29, 2006 at 11:13:00AM -0500, Dan Cech wrote:
I'm not 100% sure what the solution to this problem is.  Right now the
only thing I can think of is to try and figure out the common part of
PHP_SELF and SCRIPT_NAME, so as to drop both the extra filesystem info
and any url garbage, but that seems pretty fragile to me.

I always use the __FILE__ constant. Can't be touched by user input. The basename() and dirname() functions are handy to use along with it.

--Dan

Hey Dan,

thanks for the tip. I have an app I work on that has about a hundred of these:

<form action="<? echo $_SERVER['PHP_SELF']; ?>" method=post>

so using your technique it would change to:

<form action="<? echo basename(__FILE__); ?>" method=post>

is this what you mean?

I wholeheartedly agree that in this and most other form applications, you don't need to expose this variable to user input and would (and will) happily replace all of them in my application for better security.

Thanks in advance, mikesz
_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
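As an added illustration of the two approaches discussed in this thread (example code, not from either poster's application), the script below builds the form action both ways for the same script under two constructed request environments; the file path and PHP_SELF values are assumptions for the demonstration.

```php
<?php
// Added example, not code from the thread: side-by-side comparison of the two
// ways of building the form action that the messages above discuss.

// Original pattern: the action is whatever the web server put in PHP_SELF,
// which includes any extra path segment the client appended to the URL.
function actionFromPhpSelf(array $server): string
{
    return $server['PHP_SELF'];
}

// Suggested pattern: derive the action from the script's own filesystem path.
// __FILE__ is fixed when the script is compiled and does not depend on the
// request. The value is still HTML-escaped before going into an attribute,
// which is a general habit for anything echoed into markup.
function actionFromFile(string $file): string
{
    return htmlspecialchars(basename($file), ENT_QUOTES, 'UTF-8');
}

function renderForm(string $action): string
{
    return '<form action="' . $action . '" method="post">';
}

// Constructed server environments for one script, /var/www/app/form.php,
// requested once normally and once with an extra path segment appended.
$requests = [
    'plain request'  => ['PHP_SELF' => '/app/form.php'],
    'with path info' => ['PHP_SELF' => '/app/form.php/anything-the-client-added'],
];
$scriptFile = '/var/www/app/form.php'; // stands in for __FILE__ inside that script

foreach ($requests as $label => $server) {
    echo "$label\n";
    echo '  PHP_SELF: ' . renderForm(actionFromPhpSelf($server)) . "\n";
    echo '  __FILE__: ' . renderForm(actionFromFile($scriptFile)) . "\n";
}
// The PHP_SELF-based action follows the request URL; the __FILE__-based action
// is the same for every request, so nothing a client sends reaches the markup.
```

Note that basename(__FILE__) yields a relative URL, which the browser resolves against the directory of the URL that was actually served.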