I just saw a tutorial on a PHP site, and saw the super global $_SERVER['SERVER_SELF'] getting sanitized with htmlspecialchars. Us there any use for this? If you submit a post that has form action="$_SERVER['SERVER_SELF']" what difference does it make what the url is set when submitting a form, because the browser will only submit to the url
Clanstrom 0 Light Poster
Clanstrom 0 Light Poster
Sorry I meant $_SERVER["PHP_SELF"]
diafol
It's to avoid XSS.
When it's used in a form action:
<form action="<?php echo $_SERVER['PHP_SELF'];?>" ...>
It's vulnerable to XSS as an user could go to your form page and add some js in the url, e.g.
http://www.example.com/myform.php/%22%3E%3Cscript%3Ealert('youFOOL')%3C/script%3E ...
This would be translated to something like:
<form action="myform.php" ... />
<script>alert('youFOOL')</script> ...
Now that may be pretty harmless, but it can be made to run files from another server.
So you use htmlentities() to sanitize it.
LastMitch
@Vribium
What is the point of sanitizing $_SERVER['SERVER_SELF'] ?
What diafol mention is correct.
You can read more about this here:
I assume you have read this before:
http://net.tutsplus.com/tutorials/php/sanitize-and-validate-data-with-php-filters/
and this:
Clanstrom 0 Light Poster
But it is imposssible to manupilate the url on the fly. because, when you press post, the browser can only submit into the un-modified version of the url rather than the modified.
LastMitch
Be a part of the DaniWeb community
We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.