Most of my forms POST to the same page. I use:
action="<?php echo $editFormAction; ?>"
then:
$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
$editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}
However, I have some forms that POST to a new URL/page, with the form action being just the relative URL:
action = "delete-item.php"
Should I be using html entities in the form action to prevent script attack and redirecting the form to somewhere else?
action = <?php echo htmlentities; ?>"delete-item.php"
Would this be correct or is there a better way to do this?
On the same subject then should all my links, including general content pages and user administration pages, also echo html entities to prevent attack or am I misunderstanding something?
Comments, help and advice much appreciated as always.
Thank you in advance.
tessimon wrote:
I have some forms that POST to a new URL/page, with the form action being just the relative URL:
action = "delete-item.php"
Should I be using html entities in the form action to prevent script attack and redirecting the form to somewhere else?
action = <?php echo htmlentities; ?>"delete-item.php"
Would this be correct or is there a better way to do this?
No, it would be completely meaningless, and would probably generate an error message because htmlentities() is a function that requires at least one argument.
It's good that you're concerned about security issues, but don't become paranoid. I suggest that you take a good read of the PHP Security Guide. It's written by some of the best experts on the subject.
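As an added example that is not part of this thread, the following PHP shows where escaping the form action actually matters: only the parts built from request data (PHP_SELF and QUERY_STRING) need it, while a literal such as "delete-item.php" does not. The helper name attr() and the sample request values are constructed for the illustration.

```php
<?php
// Added example (not from the thread): escape only values that originate
// from the request when echoing them into an HTML attribute. A literal
// such as "delete-item.php" contains no user input and needs no escaping.

// Escape a string for use inside a double-quoted HTML attribute.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build the self-posting action from request data. Both PHP_SELF and
// QUERY_STRING come from the request, so both are escaped; the thread's
// snippet escapes only the query string.
function selfAction(array $server): string
{
    $action = $server['PHP_SELF'] ?? '';
    if (!empty($server['QUERY_STRING'])) {
        $action .= '?' . $server['QUERY_STRING'];
    }
    return attr($action);
}

// Constructed sample request values (not real data) containing characters
// that would otherwise break out of the attribute.
$sample = [
    'PHP_SELF'     => '/edit.php/extra"path',
    'QUERY_STRING' => 'id=7&name="O\'Brien"<b>',
];

// Dynamic action: escaped.
echo '<form method="post" action="' . selfAction($sample) . '">' . "\n";

// Static relative URL: no request data involved, so echo it as-is.
echo '<form method="post" action="delete-item.php">' . "\n";

// A link whose query parameter comes from the request gets both layers:
// urlencode() for the URL, then attr() for the HTML attribute.
$id = '7 "quoted" & more';   // constructed request value
echo '<a href="item.php?id=' . attr(urlencode($id)) . '">Item</a>' . "\n";
```

The same rule answers the question about links: a hard-coded href needs nothing, but any part of a URL or attribute that comes from the request, the database or another untrusted source is escaped at the point where it is echoed.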
Thank you, yes, I will read that, as I have so many questions in my head about the security side. Much appreciated.