batstanggt Posted August 8, 2011 Share Posted August 8, 2011 Which is more secure htmlentities($_server[php_self] ) or just having the action attribute of a form link to an external .php page? -SB Link to comment https://forums.phpfreaks.com/topic/244189-_serverphp_self/ Share on other sites More sharing options...
phpSensei Posted August 8, 2011 Share Posted August 8, 2011 It doesn't really matter, if either page has a security hole, it doesn't matter what page it sends its information to. Link to comment https://forums.phpfreaks.com/topic/244189-_serverphp_self/#findComment-1254070 Share on other sites More sharing options...
batstanggt Posted August 8, 2011 Author Share Posted August 8, 2011 True. But doesnt having the whole script on one single page basically just put it all out there on a silver platter lol? -SB Link to comment https://forums.phpfreaks.com/topic/244189-_serverphp_self/#findComment-1254072 Share on other sites More sharing options...
phpSensei Posted August 8, 2011 Share Posted August 8, 2011 Hi there, PHP runs on the server side, so the user can't see the code, so I don't see a problem here. Link to comment https://forums.phpfreaks.com/topic/244189-_serverphp_self/#findComment-1254077 Share on other sites More sharing options...
MasterACE14 Posted August 8, 2011 Share Posted August 8, 2011 better off having the action field empty '' instead of using $_SERVER['PHP_SELF']; why not to use PHP_SELF Link to comment https://forums.phpfreaks.com/topic/244189-_serverphp_self/#findComment-1254090 Share on other sites More sharing options...
phpSensei Posted August 8, 2011 Share Posted August 8, 2011 better off having the action field empty '' instead of using $_SERVER['PHP_SELF']; why not to use PHP_SELF The PHP_SELF element can in fact be altered by the user to include any kind of malicious XSS code he/she desires What an exagerated statement... You can simply filter the element. Link to comment https://forums.phpfreaks.com/topic/244189-_serverphp_self/#findComment-1254093 Share on other sites More sharing options...
MasterACE14 Posted August 8, 2011 Share Posted August 8, 2011 don't even need it at all is the point. Save some processing time. Link to comment https://forums.phpfreaks.com/topic/244189-_serverphp_self/#findComment-1254113 Share on other sites More sharing options...
Alex Posted August 8, 2011 Share Posted August 8, 2011 better off having the action field empty '' instead of using $_SERVER['PHP_SELF']; why not to use PHP_SELF The PHP_SELF element can in fact be altered by the user to include any kind of malicious XSS code he/she desires What an exagerated statement... You can simply filter the element. That's not exaggerated at all. It can be altered to include any malicious XSS code. Whether or not you sanitize it is a irrelevant, the statement says nothing about that. The whole point of it anyway is that people don't sanitize it and use it on form actions. Just leave it blank. Link to comment https://forums.phpfreaks.com/topic/244189-_serverphp_self/#findComment-1254116 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.