[SOLVED] $PHP_SELF without the querystring

[smerny]

I want $PHP_SELF except ONLY return www.website.com/whatever.php, NOT www.website.com/whatever.php?blah=whatever

[gizmola]

So I'm assuming that what you meant was $_SERVER['PHP_SELF'].  There is no such thing as $PHP_SELF alone.  If you look at the rest of the $_SERVER variables, there is this one:

 

$_SERVER['SERVER_NAME']

 

 

[smerny]

There is no such thing as $PHP_SELF alone.

 

$PHP_SELF actually does work for me, but it copies the entire URL including the querystring

[cags]

I think $PHP_SELF is probably a deprecated feature, I can't find any information on it, but it does highlight in intellisense as being recognised. $_SERVER['PHP_SELF'] doesn't to my knowledge include $_GET variables though.

[smerny]

okay $_SERVER['php_self'] is doing what i was looking for

[cags]

Excellent. Just as a matter of point, if you do need the other value it would appear that $PHP_SELF actually returns the same things as $_SESSION['REQUEST_URI'].

[gizmola]

okay $_SERVER['php_self'] is doing what i was looking for

 

My mind is just boggled here. 

 

$_SERVER['PHP_SELF'] is the name and path of the currently executing script, along with the full query string.  If you had a $PHP_SELF, that was being created somewhere in your script. 

 

There is no variable named $_SERVER['php_self'].

 

Could a $_SERVER['php_self'] be injected?  Yes, I have seen frameworks and code doing that sort of thing -- going through the superglobals and injecting copies with the name lowercased.  I don't think that's a great idea, but it can be done.  Regardless, it would have the query string.

[gizmola]

I think $PHP_SELF is probably a deprecated feature, I can't find any information on it, but it does highlight in intellisense as being recognised. $_SERVER['PHP_SELF'] doesn't to my knowledge include $_GET variables though.

 

It was deprecated long ago, and only works with Register globals on, also deprecated since 4.2.  So apparently smerny is running on a server where register globals is turned on. 

[smerny]

okay $_SERVER['php_self'] is doing what i was looking for

 

My mind is just boggled here. 

 

$_SERVER['PHP_SELF'] is the name and path of the currently executing script, along with the full query string.  If you had a $PHP_SELF, that was being created somewhere in your script. 

 

There is no variable named $_SERVER['php_self'].

 

Could a $_SERVER['php_self'] be injected?  Yes, I have seen frameworks and code doing that sort of thing -- going through the superglobals and injecting copies with the name lowercased.  I don't think that's a great idea, but it can be done.  Regardless, it would have the query string.

 

i'm using $_SERVER['PHP_SELF'] and it is not including the querystring... i have a page that refreshes every 30 seconds... and there are things on that page that people can update, when you push the button to update it shows that you have updated and underneath of it it shows the content of the page... but the URL still had the query string in it so when it refreshed it would show the edit code instead of the content... now it works though, with the $_SERVER['PHP_SELF'] it does not use the querystring

[gizmola]

Here's an article that discusses this issue in some detail:  http://www.mc2design.com/blog/php_self-safe-alternatives.

 

Ok... so I have to admit I airballed on this. $_SERVER['PHP_SELF'] doesn't include the query string.  Disregard my prior comments on that.  What I meant to say was that it includes the path, but this could include a bogus path, which is why this is vulnerable to XSS. 

 

Sorry for the confusion.