[nycphp-talk] Re: PHP_SELF problems

Jürgen Wind jwind at gmx.de
Mon Jan 1 06:26:07 EST 2007




mikesz at qualityadvantages.com wrote:
> 
> Daniel Convissor wrote:
> 
>>On Fri, Dec 29, 2006 at 11:13:00AM -0500, Dan Cech wrote:
>>
>>>I'm not 100% sure what the solution to this problem is.  Right now the
>>>only thing I can think of is to try and figure out the common part of
>>>PHP_SELF and SCRIPT_NAME, so as to drop both the extra filesystem info
>>>and any URL garbage, but that seems pretty fragile to me.
>>
>>I always use the __FILE__ constant.  Can't be touched by user input.  The
>>basename() and dirname() are handy to use along with it.
>>
>>--Dan
>>
> Hey Dan,
> 
> thanks for the tip. I have an app I work on that has about a hundred of 
> these:
> 
> <form action="<? echo $_SERVER['PHP_SELF']; ?>" method=post>
> 
> so using your technique it would change to :
> 
> <form action="<? echo basename(__FILE__); ?>" method=post>
> 
> is this what you mean?
> 
> I wholeheartedly agree that in this and most other form applications, 
> you don't need to expose this variable to user input and would (and 
> will) happily replace all of them in my application for better security.
> 
> Thanks in advance, mikesz
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
> 
> 
But beware: if basename(__FILE__) is used in an include file, you'll get the
name of that include file.
What you may want is probably the name of the running script:
basename($_SERVER['SCRIPT_NAME'])

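The three choices discussed in this thread, side by side, as an added example that is not code from any of the posters. It assumes a request for /app/form.php/extra (a path-info suffix supplied by the client) and sets the $_SERVER entries itself, so it runs from the command line as a file with no web server; the include file is written to a temp directory to reproduce the __FILE__ pitfall.

```php
<?php
// Constructed $_SERVER values for a request to /app/form.php/extra.
// SCRIPT_NAME is the script the server resolved; PHP_SELF also carries
// the client-supplied trailing path, which is why it must not be echoed raw.
$_SERVER['SCRIPT_NAME'] = '/app/form.php';
$_SERVER['PHP_SELF']    = '/app/form.php/extra';

// What the original forms did: request-derived data goes straight into markup.
function form_action_from_php_self(): string
{
    return $_SERVER['PHP_SELF'];
}

// Jürgen's suggestion: basename(SCRIPT_NAME) names the requested script
// (not an include) and drops directory and path-info parts. It is escaped
// as well, because any value placed in an HTML attribute should be.
function form_action_from_script_name(): string
{
    return htmlspecialchars(basename($_SERVER['SCRIPT_NAME']), ENT_QUOTES, 'UTF-8');
}

// Reproduce the include pitfall: __FILE__ evaluated inside an included file
// names that file, not the script the browser requested.
function basename_of_file_inside_include(): string
{
    $dir = sys_get_temp_dir() . '/phpself_demo_' . getmypid();
    mkdir($dir);
    $inc = "$dir/header.inc.php";
    file_put_contents($inc, '<?php return basename(__FILE__);');
    $name = include $inc;          // include returns the file's return value
    unlink($inc);
    rmdir($dir);
    return $name;
}

printf("action from PHP_SELF:     %s\n", form_action_from_php_self());
printf("action from SCRIPT_NAME:  %s\n", form_action_from_script_name());
printf("__FILE__ inside include:  %s\n", basename_of_file_inside_include());
printf("__FILE__ in this script:  %s\n", basename(__FILE__));
```

Run it as a saved file rather than with `php -r`, since __FILE__ has no real filename in `-r` mode.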