spookztar

Everything posted by spookztar

  1. Thanx. I just found another easy way to do it. Just put: $safeself = strip_tags($_SERVER['PHP_SELF']); - at the top of the script, and then do - $loginform = "<form method='post' action='{$safeself}'>" - in all places where the use of PHP_SELF is necessary. Sometimes even the simplest solutions elude you. Oh, the plight of the newbie
  2. I got interrupted by a time limit that disallowed me editing my last post to a more understandable size, so here goes again. Ok. Apparently, as I suspected, it wasn't that easy. I now have a sequence that leads from form to form, through three tiers, and when one is trying to progress to the last form in the chain, one is tossed back to the first tier unless PHP_SELF is used in the form tag of the form in tier two. So I need an answer to the original question anyway. It would also, as mentioned earlier, be a great thing if there was a way to sanitize all instances of PHP_SELF just once at the top of the script, whenever an iteration occurs as a result of using it.
  3. Ok apparently, as I suspected, it wasn't that easy. I now have a sequence that leads from form to form, through three tiers, and when one is trying to progress to the last form in the chain, one is tossed back to the first tier unless PHP_SELF is used in the form tag. So I need an answer to the original question anyway. How do I get strip_tags() into - $loginform = "<form method='post' action='{$_SERVER['PHP_SELF']}'>" - without violating rules of syntax?
  4. - which is basically the same as saying that the use of PHP_SELF is completely superfluous, as PHP_SELF is all about the iteration of posting to the same page. Conclusion: Unless another pagename is specified in the form, PHP automatically performs a PHP_SELF iteration. I wish the guy who helped me with the original example had known this.. Man... Thanx for the responses by the way..
  5. Ok...? A bit... of a surprise at my end.. Does this mean that the use of PHP_SELF is outdated? I mean, in what situations do you use it then?
  6. That's all good and well. But when PHP_SELF is only a part of a longer string, such as this: $section = "<form action='{$_SERVER['PHP_SELF']}?sectionidentity=1' method='post'> - then what?
  7. ??? Like this: $loginform = "<form method='post'>"
  8. Hi, I have just been advised to secure the use of the mentioned server variable with strip_tags(). I have a log-in form that starts like this: $loginform = "<form method='post' action='{$_SERVER['PHP_SELF']}'>" In order to be able to use PHP_SELF dynamically in the string, I had to wrap it in clamps {}. When I try to pop "strip_tags()" in there as well, I can't get away with it without getting a syntax error. How do I do it without having to jump in and out of PHP-mode? Another thing, instead of adding this change to all the forms on the site, couldn't one just put: strip_tags($_SERVER['PHP_SELF']); - or something similarly general, at the very top of the self-loading script containing all the forms? Wouldn't this just clean out any tags every time a pageload occurs? Bye,
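The PHP_SELF question runs through posts 1 to 8 above. What follows is an added example, written for this page and not code from the thread or from any of its posters. It shows why $_SERVER['PHP_SELF'] has to be treated as request input (it carries whatever PATH_INFO a client appends to the script name), why strip_tags() is not enough to make it safe inside an attribute, and how to get the encoding call into the string without the syntax problem from post 8: compute the encoded value into a variable first, then interpolate the variable. The path value used at the bottom is constructed for the demonstration; the script name is not a real one.

```php
<?php
// Added example (not from the thread): a self-posting form action built safely.
// $_SERVER['PHP_SELF'] is the script path plus any PATH_INFO the client
// appended (e.g. /index.php/anything), so it is request-controlled input
// and must be encoded before it is placed inside HTML.

// Encode a value for use inside an HTML attribute. ENT_QUOTES encodes both
// ' and ", so the value cannot close a single- or double-quoted attribute.
function attr($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// The thread's $loginform, with the action encoded. Computing the value into
// a variable first keeps the function call out of the string, so the braces
// only interpolate a plain variable, which is what tripped up post 8.
function login_form($self)
{
    $safeself = attr($self);
    return "<form method='post' action='{$safeself}'>";
}

// Post 6's variant: PHP_SELF followed by a query string. The section id is
// cast to int and the whole action is encoded once, after concatenation.
function section_form($self, $sectionid)
{
    $action = attr($self . '?sectionidentity=' . (int) $sectionid);
    return "<form action='{$action}' method='post'>";
}

// For comparison, the strip_tags() approach from post 1: tags are removed,
// but a quote and a ">" survive, which is enough to end the attribute early.
function login_form_striptags($self)
{
    $safeself = strip_tags($self);
    return "<form method='post' action='{$safeself}'>";
}

// Constructed path: a script name with hostile PATH_INFO appended.
$path = "/admin/index.php/'><b>x";

echo login_form_striptags($path), "\n";
// <form method='post' action='/admin/index.php/'>x'>   <- attribute ends at the stray quote
echo login_form($path), "\n";
// <form method='post' action='/admin/index.php/&#039;&gt;&lt;b&gt;x'>   <- inert text
echo section_form('/admin/index.php', '1'), "\n";
// <form action='/admin/index.php?sectionidentity=1' method='post'>
```

As the thread itself concludes in posts 4 and 7, a form with no action attribute posts back to the current URL, which is the simplest answer whenever no query string has to be appended. Where the action is needed, the rule is the same as for any other output: encode at the point of output, once, with htmlspecialchars(), rather than trying to "clean" the variable at the top of the script.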
  9. I think doing a check with an IF such as this; if (!preg_match('/[A-Za-z0-9-_]{1,80}(\.[A-Za-z]{1,5})/', $filename)) Die('your filename contains forbidden characters'); - Just might have to do then... I'm also considering banning certain extensions by using substr(). Apart from .js and .jse, what other extensions would be wise to ban on a Linux server?
  10. So to make a symbol ban-list, I would do something like... this?: [^[:blank:]\.|!|#|&|(|)|'|"|;|\||<|>|@|\$|\^|\{|\}|\*|\?|\] An OR (|) between each undesired symbol, backslashing all regex special characters?
  11. Ok. So "/" and spaces are bad in UNIX filenames. Anything else?
  12. I have a meta in the document itself saying: <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" /> I just assume that's what you're fishing for?
  13. I suppose that will vary as different users will be running this application on different servers.
  14. Hi guys, I'm trying to create a piece of regex to validate filenames of users' multimedia files. What symbols do I need to ban to be on the safe side? So far, I have: preg_match('/^.{1,80}(\.[[:alpha:]]{1,5})$/', $filename) I need to somehow implement banning of spaces and slashes, but how, and what else? I assume it's at least something like this... [^[:blank:]|/] Bye,
  15. Thanx for responding, Rithiur. Two things: 1) Using "^" and "$" isn't really required when using preg_match(), is it? 2) To better accommodate any future formats, wouldn't it be more advisable to just specifically exclude certain dangerous extensions?
  16. Hi guys, I have a related issue but with all types of music/video media files. Here's what I've done so far: preg_match('/[.]{1,80}(\.[[:alpha:]]{1,5})/', $filename) Here's what I'm looking for: "1-80 of any type of character on the left side of the dot, and 1-5 alpha characters on the right side of the dot". What is the generally right/responsible thing to do/best practices when regex'ing filenames? I'm thinking disallowing certain extensions for the sake of security etc. Rock on,
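Posts 9 through 16 above circle the same question: which characters and extensions to ban in an uploaded media filename. The following is an added example, not code from the thread or from any poster, and the extension list in it is hypothetical. It takes the opposite approach to a ban-list: it accepts only a known-safe shape (anchored with ^ and $, so nothing can sit before or after the matched part) and only a fixed set of extensions, rejects path separators and NUL bytes before the regex even runs, and checks a handful of constructed filenames against the decision each should get.

```php
<?php
// Added example (not from the thread): allow-list validation for uploaded
// media filenames. Instead of banning individual "bad" characters, accept
// only a known-safe shape and a known set of extensions.

// Extensions this (hypothetical) site is willing to store. Anything else,
// including server-side script extensions, is rejected by omission.
$allowed_extensions = array('mp3', 'ogg', 'flac', 'wav', 'mp4', 'webm', 'mkv');

// Returns true only if $filename is a plain base name: a letter, digit,
// underscore or hyphen, then up to 79 more of those plus dots, then a dot
// and an allowed extension. ^ and $ anchor the pattern; the D modifier stops
// $ from silently accepting a trailing newline.
function valid_media_filename($filename, $allowed_extensions)
{
    // Reject path separators, NUL bytes and ".." outright, before the regex,
    // so "../x" and "x.mp3\0.php" never reach the filesystem layer.
    if (strpos($filename, '/') !== false || strpos($filename, '\\') !== false
        || strpos($filename, "\0") !== false || strpos($filename, '..') !== false) {
        return false;
    }
    // No leading dot (hidden files); 1-80 characters before the extension.
    if (!preg_match('/^[A-Za-z0-9_-][A-Za-z0-9._-]{0,79}\.([A-Za-z0-9]{1,5})$/D', $filename, $m)) {
        return false;
    }
    // The extension is compared case-insensitively against the allow-list.
    return in_array(strtolower($m[1]), $allowed_extensions, true);
}

// Constructed test inputs and the decision each should get.
$cases = array(
    'summer_mix-2008.mp3'        => true,
    'Live at Roskilde.ogg'       => false, // space
    '../etc/passwd'              => false, // path separator and ".."
    'track.mp3.php'              => false, // final extension not in the allow-list
    '.htaccess'                  => false, // leading dot
    "cover.jpg\0.mp3"            => false, // NUL byte
    'a.MP4'                      => true,  // extension case does not matter
    str_repeat('a', 81) . '.mp3' => false, // more than 80 characters before the dot
);
foreach ($cases as $name => $expected) {
    $got = valid_media_filename($name, $allowed_extensions);
    printf("%-36s %s\n", addcslashes($name, "\0"), $got === $expected ? 'ok' : 'MISMATCH');
}
```

The point of the allow-list is the one post 15 raises from the other direction: a ban-list has to anticipate every dangerous extension and every odd character, while an allow-list only has to name the formats the application actually plays. Adding a future format is one entry in $allowed_extensions, and the name the user supplied should in any case only be used for display; the file itself is better stored under a name the server generates.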
  17. Ok, $_SESSION['disallowed'] is now set at first pageview, but continues to be set after log-in. But as soon as I reload the page after login, 'disallowed' gets unset and 'allowed' gets set as it should. But why is the browser refresh necessary to get there?
  18. Thanx for your reply, dbo. That did some of it. Thanx! But how do you explain the setting of $_SESSION['allowed'] at first pageview when this happens nowhere in the script? As you can see, it's been edited out for troubleshooting purposes.
  19. Hi guys, a bit puzzled here ??? On first pageview $_SESSION['allowed'] is set and $_SESSION['disallowed'] is not. Why? This should only happen upon successful log-in. The code appears a bit long, but it's mostly just a log-in routine with various checks. When "allowed" is set, sections should be accessible from links in the menu. Can someone explain this behaviour to me?

      top of script:

          session_start();
          include 'musicart_files/music_includes/dbconnector.php';
          include 'musicart_files/music_includes/musicart_functions.php';
          if ($_SESSION['allowed'] = TRUE) unset($_SESSION['disallowed']);
          $_SESSION['unauthorized'] = TRUE;
          print_r($_SESSION);
          ini_set('display_errors', ON);
          error_reporting(E_ALL);
          ?>

      included menu:

          function menu() {
              echo "<span>";
              //$link = array();
              $links[1] = "Product Handling";
              $links[2] = "Misc. Parameters";
              $links[3] = "Statistics";
              $links[4] = "Look 'n' Feel";
              foreach ($links as $key => $value) {
                  echo "<a href=\"".$_SERVER['PHP_SELF']."?sectionid=".$key."\">".$value."</a>";
              }
              echo "</span>";
          }

      The code:

          $sectionid = (isset($_GET['sectionid']) AND is_numeric($_GET['sectionid'])) ? $_GET['sectionid'] : "failed";

          $loginform = "<form method='post' action='{$_SERVER['PHP_SELF']}'>
              <fieldset>
              <legend>LOG-IN</legend>
              <p><label>Name:</label><input name='formusername' type='text' size='15' maxlength='20' /></p>
              <p><label>Password:</label><input name='formpassword' type='password' size='15' maxlength='20' /></p>
              <p><input class='submit' type='submit' value='Log-in' name='login' /></p>
              </fieldset>
              </form>";

          if ($sectionid == 1) //AND ($_SESSION['allowed'] == TRUE))
          {
              echo "<div class='adminbox'>";
              echo menu();
              echo "</div><!-- adminbox end -->";
              echo "<div class='applicationarea'>";
              echo "Welcome to section 1!";
              die("</div><!-- applicationarea end -->");
          }
          if ($sectionid == 2) {
              echo "<div class='adminbox'>";
              echo menu();
              echo "</div><!-- adminbox end -->";
              echo "<div class='applicationarea'>";
              echo "Welcome to section 2!";
              die("</div><!-- applicationarea end -->");
          }
          if ($sectionid == 3) {
              echo "<div class='adminbox'>";
              echo menu();
              echo "</div><!-- adminbox end -->";
              echo "<div class='applicationarea'>";
              echo "Welcome to section 3!";
              die("</div><!-- applicationarea end -->");
          }
          if ($sectionid == 4) {
              echo "<div class='adminbox'>";
              echo menu();
              echo "</div><!-- adminbox end -->";
              echo "<div class='applicationarea'>";
              echo "Welcome to section 4!";
              die("</div><!-- applicationarea end -->");
          }

          if (isset($_POST['login'])) {
              $formusername = mysql_real_escape_string(strip_tags(trim($_POST['formusername'])));
              $formpassword = mysql_real_escape_string(strip_tags(trim($_POST['formpassword'])));
              if (!preg_match('/[a-z]+/', $formusername) OR !preg_match('/[A-Z]+/', $formusername) OR !preg_match('/[0-9]+/', $formusername)) {
                  echo "<div class='applicationarea'>";
                  echo "<span class='warning'>FAILURE: Authentication failed. Username failed character criteria.</span>";
                  echo $loginform;
                  die("</div><!-- applicationarea end -->");
              }
              if (!preg_match('/[a-z]+/', $formpassword) OR !preg_match('/[A-Z]+/', $formpassword) OR !preg_match('/[0-9]+/', $formpassword)) {
                  echo "<div class='applicationarea'>";
                  echo "<span class='warning'>$formpassword FAILURE: Authentication failed. Password failed character criteria.</span>";
                  echo $loginform;
                  die("</div><!-- applicationarea end -->");
              } elseif (strlen($formusername) <5 OR strlen($formusername) >20) {
                  echo "<div class='applicationarea'>";
                  echo "<span class='warning'>FAILURE: Authentication failed. Username illegal length.</span>";
                  echo $loginform;
                  die("</div><!-- applicationarea end -->");
              } elseif (strlen($formpassword) <8 OR strlen($formpassword) >20) {
                  echo "<div class='applicationarea'>";
                  echo "<span class='warning'>FAILURE: Authentication failed. Password illegal length.</span>";
                  echo $loginform;
                  die("</div><!-- applicationarea end -->");
              } else {
                  $formpassword = md5($formpassword);
                  $formusername = md5($formusername);
                  //
                  // DB stuff below and authorization if userdata validates and matches fetched DB values.
                  //
                  $query = mysql_query("SELECT name, param FROM parameter WHERE name='siteuser' OR name='siteuserpasswd'") OR die(mysql_error());
                  while($row = mysql_fetch_array($query)) {
                      $$row['name'] = $row['param'];
                  }
                  if ($siteuser !== $formusername) {
                      echo "<div class='applicationarea'>";
                      echo "<span class='warning'>FAILURE: Authentication failed. Wrong username.</span>";
                      echo $loginform;
                      die("</div><!-- applicationarea end -->");
                  }
                  if ($siteuserpasswd !== $formpassword) {
                      echo "<div class='applicationarea'>";
                      echo "<span class='warning'>FAILURE: Authentication failed. Wrong password.</span>";
                      echo $loginform;
                      die("</div><!-- applicationarea end -->");
                  }
                  if (($siteuser == $formusername) AND ($siteuserpasswd == $formpassword)) {
                      //$_SESSION['allowed'] = TRUE;
                      echo "<div class='adminbox'>";
                      echo menu();
                      echo "</div><!-- adminbox end -->";
                      echo "<div class='applicationarea'>";
                      echo "<h1>Greetings 0' exalted one, my master!</h1>";
                      die("</div><!-- applicationarea end -->");
                  }
              }
          } else {
              echo "<div class='applicationarea'>";
              echo $loginform;
              die("</div><!-- applicationarea end -->");
          }

      Thanx,
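The behaviour post 19 asks about comes down to one character in the line at the top of its script: `if ($_SESSION['allowed'] = TRUE)` uses a single `=`, which assigns TRUE and then tests the value just assigned, so the branch runs on every request and 'allowed' exists before anyone has logged in. The following is an added example, not code from the thread, that isolates that line. The session is modelled as a plain array so the script runs from the command line without cookies, and the "fresh session" contents are constructed for the demonstration.

```php
<?php
// Added example (not from the thread): why an "if" that assigns instead of
// compares grants access on the very first page view. The session is a
// plain array here so the script can run without a real session.

// The check as written in the post: a single "=" assigns TRUE to
// $session['allowed'] and the "if" then tests that TRUE, so the body runs and
// 'allowed' is set on every request, logged in or not. From an access-control
// point of view this is a gate that is always open.
function gate_buggy($session)
{
    if ($session['allowed'] = TRUE) {
        unset($session['disallowed']);
    }
    return $session;
}

// The comparison the code meant to make. isset() first avoids an
// "undefined index" notice on a fresh session, and "===" keeps a value such
// as "1" or "0" that arrived from somewhere else from being treated as TRUE.
function gate_fixed($session)
{
    if (isset($session['allowed']) && $session['allowed'] === TRUE) {
        unset($session['disallowed']);
    } else {
        $session['disallowed'] = TRUE;
    }
    return $session;
}

// Constructed: a fresh session, as on the first page view before any login.
$fresh = array('disallowed' => TRUE);

print_r(gate_buggy($fresh));
// prints [allowed] => 1 and no [disallowed]: the visitor is "allowed" without logging in
print_r(gate_fixed($fresh));
// prints [disallowed] => 1 only: still locked out
print_r(gate_fixed(array('allowed' => TRUE, 'disallowed' => TRUE)));
// prints [allowed] => 1 only: the state a real login would produce
```

Two habits catch this class of mistake early: write the constant on the left (`if (TRUE === $_SESSION['allowed'])`), which turns an accidental assignment into a parse error, and never rely on a key being absent to mean "not logged in"; test explicitly for the value that only the login code sets. The same applies to the commented-out `//$_SESSION['allowed'] = TRUE;` in the success branch of the post's code, which is the one place that assignment belongs.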
  20. No suggestions as to how I can accomplish the desired result - or at least why I can't use $_GET with PHP_SELF? Could it have something to do with the preceding use of nested IF/ELSEs to sanitize and verify log-in details?
  21. That works Corbin, but why can't I grab/set the "$sectionid" from the URL and use it to load the proper section of the file when returning to the file itself through the use of PHP_SELF? ??? It just seems so basic...
  22. The version is: PHP Version 4.4.6-2+b1
  23. Thanx for your suggestion cooldude832, but it just gave me "undefined index..." on all four.
  24. "are you sure $sectionid is being set before you're calling it?" Isn't that the whole point of: $sectionid = $_GET['sectionid'];? I'm not in doubt as to whether it's set or not, but why it isn't. I included the semicolons, didn't do a thing. Strict error reporting obviously didn't care either...