steviemac Posted January 3, 2012 Share Posted January 3, 2012 Hello, I am using <?=$PHP_SELF?> in a search form so it will stay on the same page. I have been advised that there are security risk to using that and that is is susceptible to sql injections and my database can be at risk. I have read about using the following code instead: htmlentities($_SERVER['PHP_SELF']) Is that more secure or are there other code that is more secure? Also could someone look at my database connection and see if there are any issues with it? <?php $db_host = "localhost"; $db_user = "user"; $db_pass = "password"; $db_name = "database"; function db_connect() { global $db_host; global $db_user; global $db_pass; global $db_name; $connection = mysql_connect($db_host,$db_user,$db_pass); if (!(mysql_select_db($db_name,$connection))) { echo "Could not connect to the database"; } return $connection; } // Connect to the database db_connect(); ?> Thank you for any help you can provide. Link to comment https://forums.phpfreaks.com/topic/254293-security-issues/ Share on other sites More sharing options...
scootstah Posted January 3, 2012 Share Posted January 3, 2012 $_SERVER['PHP_SELF'] is vulnerable to XSS attacks and really shouldn't be trusted ever. Also, if you are accessing it with $PHP_SELF that tells me that you have register_globals on, which is bad bad bad. Turn it off. Link to comment https://forums.phpfreaks.com/topic/254293-security-issues/#findComment-1303849 Share on other sites More sharing options...
PaulRyan Posted January 3, 2012 Share Posted January 3, 2012 Use the following to get the current file name. <?PHP echo basename($_SERVER['SCRIPT_FILENAME']);?> Regards, PaulRyan. Link to comment https://forums.phpfreaks.com/topic/254293-security-issues/#findComment-1303850 Share on other sites More sharing options...
steviemac Posted January 3, 2012 Author Share Posted January 3, 2012 OK I can turn off register_globals but I am not ser how to use this code. <?PHP echo basename($_SERVER['SCRIPT_FILENAME']);?> I am using the ($_SERVER['PHP_SELF']) in a search form <form action=" <?=$PHP_SELF?>" method="post" name="search" id="search" > that is used to search a database. Thanks for any further help. Link to comment https://forums.phpfreaks.com/topic/254293-security-issues/#findComment-1303860 Share on other sites More sharing options...
scootstah Posted January 3, 2012 Share Posted January 3, 2012 Just leave the action blank and the form will go to the current page, you don't need to use PHP_SELF here. Link to comment https://forums.phpfreaks.com/topic/254293-security-issues/#findComment-1303867 Share on other sites More sharing options...
PaulRyan Posted January 3, 2012 Share Posted January 3, 2012 Just replace "<?=$PHP_SELF;?>" <form action="<?PHP echo basename($_SERVER['SCRIPT_FILENAME']);?>" method="post" name="search" id="search" > Regrds, PaulRyan. Link to comment https://forums.phpfreaks.com/topic/254293-security-issues/#findComment-1303868 Share on other sites More sharing options...
steviemac Posted January 3, 2012 Author Share Posted January 3, 2012 OK Thanks for your help Link to comment https://forums.phpfreaks.com/topic/254293-security-issues/#findComment-1303874 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.