[nycphp-talk] $_SERVER['PHP_SELF'] not working?
George Schlossnagle
george at omniti.com
Thu Jul 21 12:00:25 EDT 2005
On Jul 21, 2005, at 11:55 AM, csnyder wrote:
> On 7/21/05, Daniel Convissor <danielc at analysisandsolutions.com> wrote:
>
>> Anyway, using PHP_SELF for the action is superfluous, since all it
>> does is name itself; the default action of a form is submitting to
>> itself in the first place.
>>
>
> Except that if you call the script with a URI that includes embedded
> quotes, you can break the form and add arbitrary HTML to the page.
>
> <form action="<?=$_SERVER['PHP_SELF']?>" method="post"> when called
> with a url like:
>
> index.php/%22%3E%3C%2Fform%3EMy%20HTML%20Here
>
> Becomes:
>
> <form action=""></form>My HTML Here" method="post">
His point was that using PHP_SELF as the form action was not only
insecure but pointless as well, since best case it restates the
default behavior.
George
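The injection csnyder describes, shown next to the two fixes the thread implies, as an added example that is not code from the original thread. The script is meant to be run from the command line, so it assigns $_SERVER['PHP_SELF'] itself to the value a web server would produce for the request index.php/%22%3E%3C%2Fform%3EMy%20HTML%20Here (the server URL-decodes PATH_INFO and PHP appends it to the script name, so the real output starts with /index.php/ rather than the empty action in the quoted post). The function names and the use of htmlspecialchars() with ENT_QUOTES are my choices, not something the thread prescribes.

```php
<?php
// Added example, not from the nycphp-talk thread.
// Constructed request: GET /index.php/%22%3E%3C%2Fform%3EMy%20HTML%20Here
// The web server decodes PATH_INFO before PHP sees it, and PHP_SELF is
// SCRIPT_NAME followed by PATH_INFO, so the quotes arrive literally.
$_SERVER['SCRIPT_NAME'] = '/index.php';
$_SERVER['PATH_INFO']   = rawurldecode('/%22%3E%3C%2Fform%3EMy%20HTML%20Here');
$_SERVER['PHP_SELF']    = $_SERVER['SCRIPT_NAME'] . $_SERVER['PATH_INFO'];

// Vulnerable: attacker-controlled path written straight into an attribute.
// Renders as: <form action="/index.php/"></form>My HTML Here" method="post">
function vulnerableForm(): string
{
    return '<form action="' . $_SERVER['PHP_SELF'] . '" method="post">';
}

// Fix 1: escape on output. ENT_QUOTES encodes both " and ' so the value
// cannot terminate the attribute regardless of which delimiter is used.
// Renders as: <form action="/index.php/&quot;&gt;&lt;/form&gt;My HTML Here" method="post">
function escapedForm(): string
{
    $self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $self . '" method="post">';
}

// Fix 2: what Daniel and George recommend. A form with no action attribute
// submits to the URL that served the page, which is all PHP_SELF restated.
function noActionForm(): string
{
    return '<form method="post">';
}

// Simple self-check: the raw value breaks out of the attribute, the escaped
// one does not, and neither safe form contains a closing </form> tag.
function isBrokenOut(string $html): bool
{
    return strpos($html, '</form>') !== false;
}

echo vulnerableForm(), "\n";
echo escapedForm(), "\n";
echo noActionForm(), "\n";
echo 'vulnerable breaks out: ', var_export(isBrokenOut(vulnerableForm()), true), "\n";
echo 'escaped breaks out:    ', var_export(isBrokenOut(escapedForm()), true), "\n";
```

Run it with `php example.php`. The first line of output shows the closed form tag followed by the attacker's text as page content; the second keeps the same path but as an inert attribute value; the third avoids the problem by never echoing the request path at all, which is the simplest option when the form posts back to itself.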