slaterino Posted January 2, 2010

Hi, I am trying to work out how I can add a variable to PHP_SELF. I have a page in my catalogue which brings up data based on its address. The address could be catalogue.php or catalogue.php?Genus=3 or catalogue.php?Genus=3&Division=2. I am having problems because I am trying to add a paging function and can't seem to get it to work. This is the code I am using:

```php
$self = $_SERVER['PHP_SELF'];
```

Then later on in the code I am using something like this to provide the link:

```php
$next = " <a href=\"" . $self . "?page=$page\">[Next]</a> ";
```

The problem I have is when the page is catalogue.php?Genus=3. For some reason PHP_SELF ignores the part after the question mark, and so my link ends up being catalogue.php?page=2. I have tried adding an extra bit of code onto the link, using something like:

```php
$self .= "?Genus=3";
```

But then this ends up looking like this: catalogue.php?Genus=3?Page=2, which obviously doesn't work. I have also tried using [REQUEST_URI], but this has a problem when you go onto another page, as it always adds to the address and I end up with something looking like catalogue.php?Genus=3&Page=2&Page=3&Page=4, etc., etc. Does anyone know a way in which I can achieve this?

Link: https://forums.phpfreaks.com/topic/186894-how-to-add-variable-to-php_self/
phant0m Posted January 2, 2010

Modify $_GET and then loop over it to build your new parameter string.
slaterino Posted January 2, 2010 (Author)

Hi, I ended up sorting it. Maybe not in the best possible way, but at least it works. Although I was having problems with the following code:

```php
$self = $_SERVER['PHP_SELF'];
if (isset($_GET['Genus'])) { $self .= "&Genus=3"; }
```

This would give a result of catalogue.php&Genus=3?Page=2, for example. It always put whatever I was trying to add before the page number and the question mark, so this wouldn't work. However, I found that doing this later on with a line like this works fine and puts the code in the right order:

```php
$prev = " <a href=\"" . $self . "?Genus=" . $_GET['Genus'] . "&page=$page\">[Prev]</a> ";
```

So I've just used the GET clauses later on and maybe repeated a bit of information, but at least it works!! Thanks for your help!

Russ
RussellReal Posted January 2, 2010

Haha, my name is Russell as well!
Tyche Posted January 2, 2010

If you are using $_SERVER['PHP_SELF'] you really must sanitise the input, as it can be modified by the user just like any other user input. If you don't, you will leave yourself open to XSS attacks. Taking the bare bones of your modified code as an example:

```php
<html>
<body>
<?php
$self = $_SERVER['PHP_SELF'];
$prev = " <a href=\"" . $self . "?page=1\">[Prev]</a> ";
echo $prev;
?>
</body>
</html>
```

On the surface it looks OK, but if, for instance, the user adds the following string to the URL directly after the filename, they can load this forum's logo into your page:

/%22%3E%3Cimg%20src=http://www.phpfreaks.com/media/images/forums/logo.png%3E%3C

Of course that is a non-malicious example of XSS. If you want to use $_SERVER['PHP_SELF'], ensure that it's clean (or at least neutralised) by running it through htmlspecialchars().
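As an added example (not code from any poster in this thread), here is one way to combine phant0m's suggestion of rebuilding the query string from $_GET with Tyche's advice to escape the output: the paging link is built from a whitelist of known filter parameters plus the page number, and the script path comes from $_SERVER['SCRIPT_NAME'] rather than PHP_SELF or REQUEST_URI. The helper names buildPageLink() and pagingLinks() and the parameter names Genus and Division are assumptions taken from the thread.

```php
<?php
// Added example, not from the original thread. Builds paging links by copying
// the known query parameters, setting the page number, and rebuilding the
// query string with http_build_query(), then escaping for an HTML attribute.
declare(strict_types=1);

function buildPageLink(array $params, int $page, string $scriptName): string
{
    // $scriptName should be $_SERVER['SCRIPT_NAME']: the server-resolved URL
    // path of the running script. PHP_SELF can carry attacker-chosen path
    // info, and REQUEST_URI would keep every earlier &page=N appended.
    $params['page'] = $page;
    $query = http_build_query($params);          // URL-encodes keys and values
    $url   = $scriptName . ($query === '' ? '' : '?' . $query);
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

function pagingLinks(array $get, int $page, string $scriptName): string
{
    // Only carry forward filters we know about, and only if they are numeric,
    // so arbitrary user-supplied parameters are never echoed back.
    $keep = [];
    foreach (['Genus', 'Division'] as $name) {
        if (isset($get[$name]) && ctype_digit((string) $get[$name])) {
            $keep[$name] = (int) $get[$name];
        }
    }
    $html = '';
    if ($page > 1) {
        $html .= ' <a href="' . buildPageLink($keep, $page - 1, $scriptName) . '">[Prev]</a> ';
    }
    $html .= ' <a href="' . buildPageLink($keep, $page + 1, $scriptName) . '">[Next]</a> ';
    return $html;
}

// Constructed sample requests standing in for $_GET: one normal, one with a
// non-numeric Genus that the whitelist drops.
$samples = [
    ['Genus' => '3', 'Division' => '2', 'page' => '2'],
    ['Genus' => 'not-a-number', 'page' => '1'],
];
foreach ($samples as $get) {
    $page = isset($get['page']) && ctype_digit($get['page']) ? max(1, (int) $get['page']) : 1;
    echo pagingLinks($get, $page, '/catalogue.php'), PHP_EOL;
}
```

In a real request you would pass $_GET and $_SERVER['SCRIPT_NAME'] instead of the constructed samples.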
RussellReal Posted January 2, 2010

> If you are using $_SERVER['PHP_SELF'] you really must sanitise the input, as it can be modified by the user just like any other user input. If you don't, you will leave yourself open to XSS attacks. Taking the bare bones of your modified code as an example:
>
>     <html>
>     <body>
>     <?php
>     $self = $_SERVER['PHP_SELF'];
>     $prev = " <a href=\"" . $self . "?page=1\">[Prev]</a> ";
>     echo $prev;
>     ?>
>     </body>
>     </html>
>
> On the surface it looks OK, but if, for instance, the user adds the following string to the URL directly after the filename, they can load this forum's logo into your page:
>
> /%22%3E%3Cimg%20src=http://www.phpfreaks.com/media/images/forums/logo.png%3E%3C
>
> Of course that is a non-malicious example of XSS. If you want to use $_SERVER['PHP_SELF'], ensure that it's clean (or at least neutralised) by running it through htmlspecialchars().

What exactly could someone do by XSS injecting into HTML? They could only really modify their own output. But I hear what you mean.
Tyche Posted January 2, 2010

> What exactly could someone do by XSS injecting into HTML? They could only really modify their own output. But I hear what you mean.

In most XSS attacks the attacker sends the victim an XSS-modified URL to a site the victim trusts (e.g. slaterino's site). It's the victim's output which is changed. They see the site, but the attacker can then potentially gain access to the victim's user credentials and/or cookie info for that site. In this example I just showed an injection of a visible image; the injection could be a JavaScript program. The Wikipedia page on XSS is well worth reading: http://en.wikipedia.org/wiki/Cross-site_scripting
oni-kun Posted January 2, 2010

What on earth are you guys talking about? If you're wanting to filter through the script and query array, then use a method such as this:

```php
$script = $_SERVER['SCRIPT_NAME'];   // URL path of the running script (SCRIPT_FILENAME would give the filesystem path)
$query  = $_SERVER['QUERY_STRING'];  // Modify or leave out
echo $script . '?Genus=' . htmlspecialchars($_GET['Genus'] ?? ''); // . '&page=...&foo=bar..'
```

If you're wanting to replace previous characters, as you're having duplicates now.
RussellReal Posted January 2, 2010

> > What exactly could someone do by XSS injecting into HTML? They could only really modify their own output. But I hear what you mean.
>
> In most XSS attacks the attacker sends the victim an XSS-modified URL to a site the victim trusts (e.g. slaterino's site). It's the victim's output which is changed. They see the site, but the attacker can then potentially gain access to the victim's user credentials and/or cookie info for that site. In this example I just showed an injection of a visible image; the injection could be a JavaScript program. The Wikipedia page on XSS is well worth reading: http://en.wikipedia.org/wiki/Cross-site_scripting

No no no, I understand what XSS is. I was just saying, I'd understand if the URL was passing through PHP or something, but the scenario in which a user is being directed to this site is a different story. I can understand the worth of it because your users are the ones that'd get hurt. Anyway, thanks.