[nycphp-talk] Re: PHP_SELF problems
Jürgen Wind
jwind at gmx.de
Mon Jan 1 06:26:07 EST 2007
mikesz at qualityadvantages.com wrote:
>
> Daniel Convissor wrote:
>
>>On Fri, Dec 29, 2006 at 11:13:00AM -0500, Dan Cech wrote:
>>
>>
>>>I'm not 100% sure what the solution to this problem is. Right now the
>>>only thing I can think of is to try and figure out the common part of
>>>PHP_SELF and SCRIPT_NAME, so as to drop both the extra filesystem info
>>>and any url garbage, but that seems pretty fragile to me.
>>>
>>>
>>
>>I always use the __FILE__ constant. Can't be touched by user input. The
>>basename() and dirname() are handy to use along with it.
>>
>>--Dan
>>
>>
>>
> Hey Dan,
>
> thanks for the tip. I have an app I work on that has about a hundred of
> these:
>
> <form action="<? echo $_SERVER['PHP_SELF']; ?>" method=post>
>
> so using your technique it would change to :
>
> <form action="<? echo basename(__FILE__); ?>" method=post>
>
> is this what you mean?
>
> I wholeheartedly agree that in this and most other form applications,
> you don't need to expose this variable to user input and would (and
> will) happily replace all of them in my application for better security.
>
> Thanks in advance, mikesz
But beware: if basename(__FILE__) is used in an include file you'll get the
name of that include file.
What you may want is probably the name of the running script:
basename($_SERVER['SCRIPT_NAME'])
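An added example, not code from the thread, illustrating the caveat above (basename(__FILE__) inside an include names the include, while basename($_SERVER['SCRIPT_NAME']) names the entry script) together with a form-action helper that never echoes a server variable raw. It assumes a throwaway include file written to the system temp directory so that it runs from the PHP CLI without a web server:

```php
<?php
// Added example; not from the mailing-list thread.
declare(strict_types=1);

// Safe replacement for the `<? echo $_SERVER['PHP_SELF']; ?>` pattern:
// SCRIPT_NAME is the server-side script path (it does not carry the
// request's PATH_INFO the way PHP_SELF does), and it is HTML-escaped anyway.
// If an application must keep PHP_SELF, escape it the same way.
function form_action(): string
{
    return htmlspecialchars(basename($_SERVER['SCRIPT_NAME']), ENT_QUOTES, 'UTF-8');
}

// Constructed include file (assumed name: form_include.php) so the demo
// runs stand-alone from the CLI.
$dir = sys_get_temp_dir() . '/phpself_demo';
if (!is_dir($dir)) {
    mkdir($dir, 0700);
}
file_put_contents($dir . '/form_include.php', <<<'PHP'
<?php
// Inside the include, __FILE__ is THIS file, not the entry script.
return [
    'from_file'        => basename(__FILE__),
    'from_script_name' => basename($_SERVER['SCRIPT_NAME']),
];
PHP
);

$names = include $dir . '/form_include.php';
printf("basename(__FILE__) in include: %s\n", $names['from_file']);        // form_include.php
printf("basename(SCRIPT_NAME):         %s\n", $names['from_script_name']); // the entry script's name

// The form tag as the thread's app would now emit it.
echo '<form action="' . form_action() . '" method="post">' . "\n";
```

Run it as `php main.php` from a web-served copy as well to see that the second line still prints the entry script, not the include.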