$PHP_SELF

[chaiwei]

Hi all,

 

I saw some website they wrote $PHP_SELF is not secure.

It will causing XSS to exploit your site.

 

But I don't know how XSS will bring harm to us.

Because most of the example they just inject a script alert.

But it can't change our code or anything.

It may inject a javascript. but I can't see what can it done with javascript that until it causing serious problem to our site.

 

I believe that XSS will bring major securities issues. But I just don't know how it works.

 

So back to the topic, instead of $PHP_SELF, I should use $_SERVER['PHP_SELF'] ?

 

Are there any methods to use besides this two?

thanks

 

 

[gevans]

This is a nice little way of cleaning it;

 

http://www.thecodecave.com/header-location-_serverphp_self-security-vulnerability/

[Vince889]

$PHP_SELF and  $_SERVER['PHP_SELF'] are essentially the same.

 

Also, if a user manages to inject malicious Javascript into a database (where it will be echo'd somewhere), they can steal login cookies and whatnot.

[rv20]

if could steal your cookies.

 

 

[Ken2k7]

$PHP_SELF and  $_SERVER['PHP_SELF'] are essentially the same.

 

Also, if a user manages to inject malicious Javascript into a database (where it will be echo'd somewhere), they can steal login cookies and whatnot.

$PHP_SELF is deprecated.

[chaiwei]

Thanks,

 

Then I should use this?

$php_self = htmlentities(substr($_SERVER['PHP_SELF'], 0, 
                         strcspn($_SERVER['PHP_SELF'], "  ")), ENT_QUOTES);

[gevans]

That should clean you up nicely, and if someone does try anything that should give it a nice cleaning (never used it myself though)

[jxrd]

This actually explains why:

 

I just tested it and it's true...off to update my code

 

 

http://www.mc2design.com/blog/php_self-safe-alternatives