February 27, 2012

A question about PHP_SELF


Hello All,

In doing some research, I came across a post on a forum where a person was having trouble with their form on a page. In their code they were using $_SERVER['PHP_SELF'] in the code and the person responding had this to say:

"Please don't use PHP_SELF, it is vulnerable to exploitation. If you want the action to be the same page, just leave it empty."

Is it true that this is vulnerable to exploitation? If so, what is a suitable and secure method/command/function/etc to replace PHP_SELF?

Just curious, many thanks in advance for your input.

Cheers,

wordman

Correct answer

Shocker,

Many thanks. I think there was some confusion about forms, as I didn't mention this was for a form, so my apologies for that error (it was due from my searching for a different answer on another forum and the one I found was for someone having trouble with a form). Again, sorry for the confusion.

Anyhow, let me see if I understand what you're telling me...

My code I posted was this:

<?php echo '<a href="'.$_SERVER['PHP_SELF'].'?curPage='.($curPage-1).'&ct='.($sp ec).'&s='.($s).'&pv='.($pv).' "> &lt;&lt; Newer galleries</a>'; ?>

Your recommendation:

<?php echo '<a href="?curPage='.($curPage-1).'&ct='.($sp ec).'&s='.($s).'&pv='.($pv).' "> &lt;&lt; Newer galleries</a>'; ?>

Stripping out the $_SERVER['PHP_SELF'] makes sense, and I appreciate it very much. The remaining question would be, what exactly is the vulnerability behind $_SERVER['PHP_SELF'], and is there a resource that provides a list of things such as this that have similar vulnerabilities?

Many thanks for taking the time!

Cheers,

wordman


http://stackoverflow.com/questions/4247704/how-tamper-proof-is-the-server-variable-in-php

best,

Shocker

Rob Hecker2
February 28, 2012

Yes, this is a well known vulnerability.

The following will also work:

<form action="<?php echo basename(dirname(__FILE__))."/".basename(__FILE__); ?>" method="post" >

March 4, 2012

Rob,

Thank you for the information. Tell me this, when using $_SERVER['PHP_SELF'] in a link, (I use this in a photo gallery I built as part of the dynamic URL with a query string to reload the same page with a different photo) how would I implement what you describe above? My sample code as follows:

<?php echo '<a href="'.$_SERVER['PHP_SELF'].'?curPage='.($curPage-1).'&ct='.($spec).'&s='.($s).'&pv='.($pv).' "> &lt;&lt; Newer galleries</a>'; ?>

Many thanks!

Sincerely,

wordman

March 5, 2012

I came across a post on a forum where a person was having trouble with their form on a page.

Your code is not a form action, it's an anchor tag. Google Chrome will not POST a blank or relative form action. It must be an absolute URL. For your anchor tag link you can use a relative path, however.

<?php echo '<a href="?curPage='.($curPage-1).'&ct='.($sp ec).'&s='.($s).'&pv='.($pv).' "> &lt;&lt; Newer galleries</a>'; ?>

best,

Shocker
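Putting the thread's two answers together, as an added example that is not code from the thread: the gallery link built with PHP_SELF beside a version built without it (relative URL as Shocker suggests, http_build_query for the query string, htmlspecialchars for the attribute), plus a script-relative action in the spirit of Rob's reply. The function names and the constructed $_SERVER values are assumptions so the file runs from the command line.

```php
<?php
// Added example, not code posted in the thread. Names and the $_SERVER
// values below are assumptions for a command-line run.

// PHP_SELF reflects the request path as the client sent it, including any
// PATH_INFO appended after the script name. Whatever the client puts there
// lands inside the href attribute verbatim, which is the reflected-XSS risk
// the thread refers to.
function vulnerableLink($curPage, $spec, $s, $pv) {
    return '<a href="' . $_SERVER['PHP_SELF'] . '?curPage=' . ($curPage - 1)
        . '&ct=' . $spec . '&s=' . $s . '&pv=' . $pv
        . '">&lt;&lt; Newer galleries</a>';
}

// Hardened version: no reflected path at all (a relative URL reloads the
// same page), query values URL-encoded by http_build_query, and the
// finished query HTML-escaped before it is placed in the attribute.
function hardenedLink($curPage, $spec, $s, $pv) {
    $query = http_build_query(array(
        'curPage' => $curPage - 1,
        'ct'      => $spec,
        's'       => $s,
        'pv'      => $pv,
    ));
    return '<a href="?' . htmlspecialchars($query, ENT_QUOTES, 'UTF-8')
        . '">&lt;&lt; Newer galleries</a>';
}

// Where the script name really is needed (e.g. a form action), take it from
// the file on disk, as Rob's reply does, and escape it as defence in depth.
// Nothing here comes from the request.
function scriptAction() {
    return htmlspecialchars(basename(__FILE__), ENT_QUOTES, 'UTF-8');
}

// Constructed request: the client appended a segment containing a double
// quote after the script name. A web server passes this through to PHP_SELF.
$_SERVER['PHP_SELF'] = '/gallery.php/"extra';

// The first line shows the quote closing the href attribute early; the
// second keeps every value inside the attribute, with & rendered as &amp;.
echo vulnerableLink(3, 'landscape', 1, 7), "\n";
echo hardenedLink(3, 'landscape', 1, 7), "\n";
echo '<form action="' . scriptAction() . '" method="post">', "\n";
```

For the gallery page the relative form of hardenedLink is the drop-in replacement; the $_SERVER assignment exists only so the example runs outside a web server.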