[nycphp-talk] $_SERVER['PHP_SELF'] not working?
Dan Cech
dcech at phpwerx.net
Thu Jul 21 10:12:11 EDT 2005
George Schlossnagle wrote:
> On Jul 21, 2005, at 8:54 AM, csnyder wrote:
>>On 7/20/05, Daniel Convissor <danielc at analysisandsolutions.com> wrote:
>>>More importantly, PHP_SELF can be tainted by users. Don't assume
>>>it's safe.
>>
>>Hmm. How does $_SERVER['PHP_SELF'] get tainted by users?
>
> By appending parameters to the uri you're requesting, i.e. requesting
>
> http://example.com/?$BAD_STUFF_HERE
As far as I am aware, $_SERVER['PHP_SELF'] does not contain any query
string information. From the manual:
> 'PHP_SELF'
> The filename of the currently executing script, relative to the document root. For instance, $_SERVER['PHP_SELF'] in a script at the address http://example.com/test.php/foo.bar would be /test.php/foo.bar. The __FILE__ constant contains the full path and filename of the current (i.e. included) file.
>
> If PHP is running as a command-line processor this variable contains the script name since PHP 4.3.0. Previously it was not available.
Testing on my local machine running 4.4.0 shows this behaviour:
> $_SERVER["QUERY_STRING"] hello=tiger
> $_SERVER["REQUEST_URI"] /info.php?hello=tiger
> $_SERVER["SCRIPT_NAME"] /info.php
> $_SERVER["PHP_SELF"] /info.php
So, it seems $_SERVER['PHP_SELF'] should be relatively safe to use this way.
Dan
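The manual text quoted above is the part that matters for safety: PHP_SELF carries no query string, but it does carry the PATH_INFO segment (`/test.php/foo.bar`), and that trailing segment is supplied by the client. The following is an added example, not code from the thread, showing how to handle that when echoing the value into HTML: prefer `SCRIPT_NAME` (which excludes path info) for a self-posting form action, and HTML-escape `PHP_SELF` whenever the path-info portion is really needed. The function names and the `$server` arrays are constructed for illustration, and the code assumes PHP 7 or later for the `??` operator.

```php
<?php
// Added example (not from the original thread). The PHP manual quoted in the
// post states that a request for /test.php/foo.bar gives
// PHP_SELF = "/test.php/foo.bar", so the part after the script name is
// client-controlled input and must be treated as such when written into HTML.

/**
 * Build the action attribute for a self-posting form.
 * SCRIPT_NAME is the script path without PATH_INFO, so anything a client
 * appends after the script name is dropped; the result is still escaped
 * because it is emitted inside an HTML attribute.
 * (Hypothetical helper name; falls back to PHP_SELF only if SCRIPT_NAME is unset.)
 */
function safe_form_action(array $server): string
{
    $path = $server['SCRIPT_NAME'] ?? $server['PHP_SELF'] ?? '/';
    return htmlspecialchars($path, ENT_QUOTES, 'UTF-8');
}

/**
 * Escape PHP_SELF for the cases where the path-info segment is genuinely
 * wanted in the output. htmlspecialchars() turns quotes and angle brackets
 * into entities, so a tampered path segment cannot break out of the markup.
 * (Hypothetical helper name.)
 */
function escaped_php_self(array $server): string
{
    return htmlspecialchars($server['PHP_SELF'] ?? '/', ENT_QUOTES, 'UTF-8');
}

// Constructed $_SERVER-style arrays mirroring the cases discussed in the thread.
$plain = [
    'SCRIPT_NAME'  => '/info.php',
    'PHP_SELF'     => '/info.php',
    'QUERY_STRING' => 'hello=tiger',   // query string never reaches PHP_SELF
];
$pathinfo = [
    'SCRIPT_NAME' => '/test.php',
    'PHP_SELF'    => '/test.php/foo.bar',
    'PATH_INFO'   => '/foo.bar',
];
// Constructed: a path-info segment containing attribute-breaking characters.
$tampered = [
    'SCRIPT_NAME' => '/test.php',
    'PHP_SELF'    => '/test.php/"<x>',
    'PATH_INFO'   => '/"<x>',
];

printf("plain:    action=\"%s\"\n", safe_form_action($plain));     // /info.php
printf("pathinfo: action=\"%s\"\n", safe_form_action($pathinfo));  // /test.php
printf("tampered: action=\"%s\"\n", safe_form_action($tampered));  // /test.php
printf("escaped PHP_SELF: %s\n", escaped_php_self($tampered));     // /test.php/&quot;&lt;x&gt;
```

Run it from the command line with `php example.php`; the `$tampered` case is the one to look at, since it shows that the query string is not the issue, the path-info segment is, and that either dropping it via `SCRIPT_NAME` or escaping it keeps the emitted HTML intact.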