NYPHP.org

[nycphp-talk] $_SERVER['PHP_SELF'} not working?

csnyder chsnyder at gmail.com
Thu Jul 21 09:22:43 EDT 2005


On 7/21/05, George Schlossnagle <george at omniti.com> wrote:
> 
> On Jul 21, 2005, at 8:54 AM, csnyder wrote:
> 
> > On 7/20/05, Daniel Convissor <danielc at analysisandsolutions.com> wrote:
> >
> >
> >> More importantly, PHP_SELF can be tainted by users.  Don't assume
> >> it's
> >> safe.
> >>
> >
> > Hmm. How does $_SERVER['PHP_SELF'] get tainted by users?
> 
> By appending parameters to the uri you're requesting, i.e. requesting
> 
> http://example.com/?$BAD_STUFF_HERE

Not in PHP 5.0.4 -- PHP_SELF is only the relative filename of the
script called by the webserver, no query information is attached.


