Jump to content

Recommended Posts

Hi,

I am trying to work out how I can add a variable to PHP_SELF. I have a page in my catalogue which brings up data based on its address.

 

The address could be catalogue.php or catalogue.php?Genus=3 or catalogue.php?Genus=3&Division=2.

 

I am having problems because I am trying to add a paging function and can't seem to get it to work. This is the code I am using:

 

$self = $_SERVER['PHP_SELF'];

 

Then later on in the code I am using something like this to provide the link:

 

$next = " <a href=\"" . $self . "page=$page\">[Next]</a> ";

 

The problem I have is when the page is catalogue.php?Genus=3. For some reason PHP_SELF ignores the part after the question mark and so my link ends up being catalogue.php?page=2. I have tried adding an extra bit of code onto the link, using something like:

 

$self .="?Genus=3";

 

But then this ends up looking like this: catalogue.php?Genus=3?Page=2, which obviously doesn't work. I have also tried using [REQUEST_URI] but this has a problem when you go onto another page as always adds to the address and I end up with something looking like catalogue.php?Genus=3&Page=2&Page=3&Page=4, etc., etc.

 

Does anyone know a way in which I can achieve this?

Link to comment
https://forums.phpfreaks.com/topic/186894-how-to-add-variable-to-php_self/
Share on other sites

Hi,

I ended up sorting it. Maybe not in the best possible way but at least it works. Although I was having problems with the following code:

 

$self = $_SERVER['PHP_SELF'];
if(isset($_GET['Genus']))
{$self .="&Genus=3";}

 

This would give a result of catalogue.php&Genus=3?Page=2 for example. It always put whatever I was trying to add before the Page number and the question mark so this wouldn't work.

 

However I found that doing this later on with a line like this works fine and puts the code in the right order

 

$prev = " <a href=\"" . $self . "?Genus=" . $_GET['Genus'] . "&page=$page\">[Prev]</a> ";

 

So I've just used the GET clauses later on and maybe repeated a bit of information but at least it works!!

 

Thanks for your help!

Russ

If you are using $_SERVER['PHP_SELF'] you really must sanitise the input, as it can be modifed by the user just like any other user input. If you don't you will leave yourself open to XSS attacks.

 

Taking the bare bones of your modified code as an example

 

<html>
<body>
<?php

$self=$_SERVER['PHP_SELF'];

$prev = " <a href=\"" . $self . "?page=1\">[Prev]</a> ";

echo $prev;

?>
</body>
</html>

 

On the surface it looks OK but if for instance the user adds the following string To the URL directly after the filename they can load this forums logo into your page .

 

/%22%3E%3Cimg%20src=http://www.phpfreaks.com/media/images/forums/logo.png%3E%3C

 

Ok course that is a non-malicious example of XSS.

 

If you want to use $_SERVER['PHP_SELF'] ensure that its clean (or at least neutralised) by running it through htmlspecialchars()

 

 

If you are using $_SERVER['PHP_SELF'] you really must sanitise the input, as it can be modifed by the user just like any other user input. If you don't you will leave yourself open to XSS attacks.

 

Taking the bare bones of your modified code as an example

 

<html>
<body>
<?php

$self=$_SERVER['PHP_SELF'];

$prev = " <a href=\"" . $self . "?page=1\">[Prev]</a> ";

echo $prev;

?>
</body>
</html>

 

On the surface it looks OK but if for instance the user adds the following string To the URL directly after the filename they can load this forums logo into your page .

 

/%22%3E%3Cimg%20src=http://www.phpfreaks.com/media/images/forums/logo.png%3E%3C

 

Ok course that is a non-malicious example of XSS.

 

If you want to use $_SERVER['PHP_SELF'] ensure that its clean (or at least neutralised) by running it through htmlspecialchars()

 

what exactly could sum1 do by xss injecting into html.. they could only really modify their own output.. but I hear what you mean :)

 

 

what exactly could sum1 do by xss injecting into html.. they could only really modify their own output.. but I hear what you mean :)

 

In most XSS attacks the attacker sends the victim a XSS modified URL to a site the Victim trusts (e.g.  slaterino's site) . It's the Victim's output which is changed .They see the site but the Attacker can then potentially gain access to the Victims user credentials and/or cookie info for that site  - In this example I just showed an injection of  a visible image the Injection could be a javascript program.  The wikipedia page on XSS is well worth reading http://en.wikipedia.org/wiki/Cross-site_scripting

 

What  on earth are you guys talking about? If you're wanting to filter through the script and query array than use a method such as this:

$script = $_SERVER['SCRIPT_FILENAME']; //Just, the file's name
$query = $_SERVER['QUERY_STRING']; //Modify or leave out

echo $script . '/?Genus=' htmlspecialchars($_GET['Genus']); //. '&page=...&foo=bar..'

 

If you're wanting to replace previous characters, as you're having duplicates now.

 

 

what exactly could sum1 do by xss injecting into html.. they could only really modify their own output.. but I hear what you mean :)

 

In most XSS attacks the attacker sends the victim a XSS modified URL to a site the Victim trusts (e.g.  slaterino's site) . It's the Victim's output which is changed .They see the site but the Attacker can then potentially gain access to the Victims user credentials and/or cookie info for that site  - In this example I just showed an injection of  a visible image the Injection could be a javascript program.  The wikipedia page on XSS is well worth reading http://en.wikipedia.org/wiki/Cross-site_scripting

 

no no no I understand what XSS is I was just saying, I'd understand if the url was passing thru php or sumfin.. but the scenario in which a user is being directed to this site is a different story, I can understand the worth of it because your users ate the ones that'd get hurt. anyway, thanks :)

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.