[nycphp-talk] Re: PHP_SELF problems
mikesz at qualityadvantages.com
Sun Dec 31 20:49:03 EST 2006
Daniel Convissor wrote:
>On Fri, Dec 29, 2006 at 11:13:00AM -0500, Dan Cech wrote:
>
>>I'm not 100% sure what the solution to this problem is. Right now the
>>only thing I can think of is to try and figure out the common part of
>>PHP_SELF and SCRIPT_NAME, so as to drop both the extra filesystem info
>>and any url garbage, but that seems pretty fragile to me.
>
>I always use the __FILE__ constant. Can't be touched by user input. The
>basename() and dirname() are handy to use along with it.
>
>--Dan
Hey Dan,
thanks for the tip. I have an app I work on that has about a hundred of
these:
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
so using your technique it would change to:
<form action="<?php echo basename(__FILE__); ?>" method="post">
is this what you mean?
I wholeheartedly agree that in this and most other form applications,
you don't need to expose this variable to user input and would (and
will) happily replace all of them in my application for better security.
Thanks in advance, mikesz
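The following is an added example and not code from anyone in this thread. It shows why echoing $_SERVER['PHP_SELF'] into a form action is unsafe, then the two fixes discussed: escaping the value, and Dan's suggestion of deriving the target from __FILE__ instead. The request value assigned to $constructed_php_self is constructed for the demonstration (under Apache, PHP_SELF is the script path plus any PATH_INFO the client appended, which is how attacker-controlled characters reach it); the function names are this example's own.

```php
<?php
// Added example, not code from the original thread.
// Run from the command line: php self_demo.php

// Constructed request: the script was reached as /contact.php with extra
// PATH_INFO appended by an attacker-supplied link. PHP_SELF then contains
// the script path followed by that unescaped path segment.
$constructed_php_self = '/contact.php/"><script>alert(document.cookie)</script><p class="';

// 1. Vulnerable: the raw value is interpolated into an HTML attribute,
//    so the quote and closing bracket break out of action="" and the
//    injected <script> becomes part of the page.
function vulnerable_action(string $php_self): string
{
    return '<form action="' . $php_self . '" method="post">';
}

// 2. Mitigated in place: escape before echoing. The attacker's PATH_INFO
//    is still present in the attribute, but it can no longer terminate it.
function escaped_action(string $php_self): string
{
    $safe = htmlspecialchars($php_self, ENT_QUOTES, 'UTF-8');
    return '<form action="' . $safe . '" method="post">';
}

// 3. The __FILE__ approach from the thread: __FILE__ is the filesystem path
//    of the running script and is set by PHP, not by the request, so no
//    client input is involved. basename() reduces it to the script's own
//    file name, giving a relative action that posts back to the same script.
//    Escaping is kept as a habit even though the name is server-controlled.
function file_based_action(string $file): string
{
    $safe = htmlspecialchars(basename($file), ENT_QUOTES, 'UTF-8');
    return '<form action="' . $safe . '" method="post">';
}

echo "Vulnerable:\n", vulnerable_action($constructed_php_self), "\n\n";
echo "Escaped:\n", escaped_action($constructed_php_self), "\n\n";
echo "From __FILE__:\n", file_based_action(__FILE__), "\n";
```

Two caveats on option 3 when applying it across an application. A relative action such as contact.php is resolved by the browser against the current URL, so if a request arrived with trailing PATH_INFO (/contact.php/extra/) the form will post to /contact.php/extra/contact.php; that is harmless from an injection standpoint but may not be the URL you expect. And basename(__FILE__) only matches the URL when the script is served under its own file name; behind a front controller or mod_rewrite rules the public path and the file name differ, and an empty action="" (post back to the current URL) or an explicit, hard-coded path is the more predictable choice.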