PHP_SELF problems (was Re: [nycphp-talk] Holiday Greetings to Everyone...)

Michael Sims jellicle at gmail.com
Tue Dec 26 17:51:32 EST 2006


On Tuesday 26 December 2006 5:11 pm, Joseph Crawford wrote:
> Chris,
>
> do you suggest hardcoding the filenames even when referencing the same
> file that is executing?

There was a long thread about this in July 2005.

Executive summary: PHP_SELF intentionally includes extra URL garbage (or 
valuable URL variables, take your pick) tacked on by the user.  Don't use 
it without knowing what it does.

Here's what you get when you hit the URL:

http://example.com/info.php/testing1?testing2 :

_SERVER["REQUEST_URI"]	 /info.php/testing1?testing2
_SERVER["PHP_SELF"]	 /info.php/testing1
_SERVER["SCRIPT_NAME"]	 /info.php

Get it?  If you don't want that extra stuff tacked on by the user, use the 
correct _SERVER variable.  If you use REQUEST_URI or PHP_SELF, be aware the 
user can affect the contents of that variable.  99% of the time, you want 
SCRIPT_NAME, not PHP_SELF.

By the way, here's another test:

http://example.com/info.php/testing<script>?testing :

_SERVER["REQUEST_URI"]	 /info.php/testing%3Cscript%3E?testing
_SERVER["PHP_SELF"]	 /info.php/testing<script>
_SERVER["SCRIPT_NAME"]	 /info.php

Note that the REQUEST_URI variable, which comes from Apache, is encoded, 
while the PHP_SELF variable, which comes from PHP, is not.  So PHP 5.2.0 
still makes it possible to shoot yourself in the foot, and as I've pointed 
out below, well-known PHP authorities actually recommend that you do so.

Here's the email that I sent in July 2005:


Subject: Re: [nycphp-talk] $_SERVER['PHP_SELF'} not working?
Date: Friday 22 July 2005 12:05 pm
From: Michael Sims <jellicle at gmail.com>
To: NYPHP Talk <talk at lists.nyphp.org>

On Thursday 21 July 2005 17:16, Dan Cech wrote:
> You could put:
>
> $_SERVER['PHP_SELF'] = $_SERVER['SCRIPT_NAME'];
>
> into one of your common include files.

Yes.  I'm afraid I don't understand this entire thread.  Apparently
because of the numerous PHP developer articles recommending it, and
because of the php.net page which for whatever reason lists it first on
the list of predefined variables, people are using PHP_SELF when they
really want SCRIPT_NAME.  SCRIPT_NAME solves all the problems mentioned
in this thread - it's just the script name, without any extra garbage
that might be tacked on by the user.  PHP_SELF explicitly includes that
extra garbage, so solutions in this thread that involve stripping the
garbage off of PHP_SELF to make it safe are really, really missing the
point - just use SCRIPT_NAME instead.  Please don't use FORM ACTION="";
according to the spec, what the browser does with that is undefined, so
even if it works in current browsers, it might not work in future ones.

People can be forgiven for making this mistake -- I'm here holding my
copy of _Learning PHP 5_, and it recommends on page 8 and again on page
86 the use of PHP_SELF for self-referencing forms, ahem -- but it's time
to put it to bed: PHP_SELF is unsafe for any usage where it is echoed
back to the page.

Michael Sims
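As an added example (not code from the post or the thread), here is the self-referencing form pattern the thread argues about, with the three variable values the post shows for the /info.php/testing<script>?testing request constructed inline so it runs from the command line instead of under a web server:

```php
<?php
// Added example, not from the original post. The values below are
// constructed to match what the post shows for the request
// http://example.com/info.php/testing<script>?testing
$server = [
    'REQUEST_URI' => '/info.php/testing%3Cscript%3E?testing', // Apache, still encoded
    'PHP_SELF'    => '/info.php/testing<script>',             // PHP, decoded PATH_INFO appended
    'SCRIPT_NAME' => '/info.php',                             // script path only
];

// The pattern the books recommend: PHP_SELF carries whatever the client
// appended after the script name, already URL-decoded, straight into the
// action attribute. The <script> text from the URL ends up in the page.
function unsafeFormAction(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '" method="post">';
}

// The fix the post recommends: SCRIPT_NAME is the script's own path and
// does not change with anything the client tacks onto the URL.
function safeFormAction(array $server): string
{
    return '<form action="' . $server['SCRIPT_NAME'] . '" method="post">';
}

// Small check used below: does the rendered action attribute still carry
// a raw angle bracket, i.e. did client-controlled markup reach the HTML?
function actionContainsRawTag(string $html): bool
{
    if (!preg_match('/action="([^"]*)"/', $html, $m)) {
        return false;
    }
    return strpos($m[1], '<') !== false;
}

echo unsafeFormAction($server), PHP_EOL;
echo 'raw tag in PHP_SELF form:    ', var_export(actionContainsRawTag(unsafeFormAction($server)), true), PHP_EOL;
echo safeFormAction($server), PHP_EOL;
echo 'raw tag in SCRIPT_NAME form: ', var_export(actionContainsRawTag(safeFormAction($server)), true), PHP_EOL;
```

Swapping the constructed `$server` array for the real `$_SERVER` superglobal reproduces the behaviour under Apache, where PATH_INFO is what makes PHP_SELF differ from SCRIPT_NAME.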
