[nycphp-talk] $_SERVER['PHP_SELF'} not working?

csnyder chsnyder at gmail.com
Thu Jul 21 09:22:43 EDT 2005


On 7/21/05, George Schlossnagle <george at omniti.com> wrote:
> 
> On Jul 21, 2005, at 8:54 AM, csnyder wrote:
> 
> > On 7/20/05, Daniel Convissor <danielc at analysisandsolutions.com> wrote:
> >
> >
> >> More importantly, PHP_SELF can be tainted by users.  Don't assume it's
> >> safe.
> >>
> >
> > Hmm. How does $_SERVER['PHP_SELF'] get tainted by users?
> 
> By appending parameters to the uri you're requesting, i.e. requesting
> 
> http://example.com/?$BAD_STUFF_HERE

Not in PHP 5.0.4 -- PHP_SELF is only the relative filename of the
script called by the webserver, no query information is attached.


