chaiwei Posted June 2, 2009 Share Posted June 2, 2009 Hi all, I saw some website they wrote $PHP_SELF is not secure. It will causing XSS to exploit your site. But I don't know how XSS will bring harm to us. Because most of the example they just inject a script alert. But it can't change our code or anything. It may inject a javascript. but I can't see what can it done with javascript that until it causing serious problem to our site. I believe that XSS will bring major securities issues. But I just don't know how it works. So back to the topic, instead of $PHP_SELF, I should use $_SERVER['PHP_SELF'] ? Are there any methods to use besides this two? thanks Link to comment https://forums.phpfreaks.com/topic/160659-php_self/ Share on other sites More sharing options...
gevans Posted June 2, 2009 Share Posted June 2, 2009 This is a nice little way of cleaning it; http://www.thecodecave.com/header-location-_serverphp_self-security-vulnerability/ Link to comment https://forums.phpfreaks.com/topic/160659-php_self/#findComment-847871 Share on other sites More sharing options...
Vince889 Posted June 2, 2009 Share Posted June 2, 2009 $PHP_SELF and $_SERVER['PHP_SELF'] are essentially the same. Also, if a user manages to inject malicious Javascript into a database (where it will be echo'd somewhere), they can steal login cookies and whatnot. Link to comment https://forums.phpfreaks.com/topic/160659-php_self/#findComment-847872 Share on other sites More sharing options...
rv20 Posted June 2, 2009 Share Posted June 2, 2009 if could steal your cookies. Link to comment https://forums.phpfreaks.com/topic/160659-php_self/#findComment-847895 Share on other sites More sharing options...
Ken2k7 Posted June 2, 2009 Share Posted June 2, 2009 $PHP_SELF and $_SERVER['PHP_SELF'] are essentially the same. Also, if a user manages to inject malicious Javascript into a database (where it will be echo'd somewhere), they can steal login cookies and whatnot. $PHP_SELF is deprecated. Link to comment https://forums.phpfreaks.com/topic/160659-php_self/#findComment-847933 Share on other sites More sharing options...
chaiwei Posted June 3, 2009 Author Share Posted June 3, 2009 Thanks, Then I should use this? $php_self = htmlentities(substr($_SERVER['PHP_SELF'], 0, strcspn($_SERVER['PHP_SELF'], " ")), ENT_QUOTES); Link to comment https://forums.phpfreaks.com/topic/160659-php_self/#findComment-848352 Share on other sites More sharing options...
gevans Posted June 3, 2009 Share Posted June 3, 2009 That should clean you up nicely, and if someone does try anything that should give it a nice cleaning (never used it myself though) Link to comment https://forums.phpfreaks.com/topic/160659-php_self/#findComment-848415 Share on other sites More sharing options...
jxrd Posted June 3, 2009 Share Posted June 3, 2009 This actually explains why: I just tested it and it's true...off to update my code http://www.mc2design.com/blog/php_self-safe-alternatives Link to comment https://forums.phpfreaks.com/topic/160659-php_self/#findComment-848453 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.