doubledee (June 30, 2012):

I have a note here in my To-Do List that I am unsure what it means...

If I have a Form that loads back onto itself, I have been using...

<form id="changeEmail" action="" method="post">

My note to myself has...

action="<?php echo $_SERVER['SCRIPT_NAME']; ?>"

...and I am wondering if I'm supposed to replace the former with the latter??

Suggestions?

Debbie
xyph (June 30, 2012):

No.
darkfreaks (June 30, 2012):

They both do the same thing; I don't understand what the problem is.
doubledee (June 30, 2012, author):

> No.

Care to elaborate?

It seems to me that some people have said that the second block of code is more *secure* because it prevents a hacker from injecting in a different Form name and routing my website to somewhere it shouldn't go...

(But this note is like 4-6 months old, so my memory is foggy at best?!)

Debbie
darkfreaks (June 30, 2012):

That is more secure: using $_SERVER[script_name] over $_SERVER[php_self].
xyph (June 30, 2012):

Some people have said a lot of things. It's client-side behaviour. Why cite something you can't remember clearly?

From what I'm reading now, the current HTML5 spec doesn't allow blank actions. Leave out the attribute entirely in that case.
doubledee (June 30, 2012, author):

> Some people have said a lot of things. It's client-side behaviour. Why cite something you can't remember clearly?

And I asked why you said leaving it blank was better than my second line of code. You must have your reasons?

> From what I'm reading now, the current HTML5 spec doesn't allow blank actions. Leave out the attribute entirely in that case.

I'm using HTML4, so no worries there.

Debbie
Philip (June 30, 2012):

> It seems to me that some people have said that the second block of code is more *secure* because it prevents a hacker from injecting in a different Form name and routing my website to somewhere it shouldn't go...

Logic check: if they can "add" a different form action, what is stopping them from editing the one that is already there? (Hint: "adding" a different form action is the same as editing an existing one.)
doubledee (June 30, 2012, author):

> Logic check: if they can "add" a different form action, what is stopping them from editing the one that is already there? (Hint: "adding" a different form action is the same as editing an existing one.)

I suppose.

So you are saying that having action="" is okay from a security standpoint?

Debbie
Philip (June 30, 2012):

From a security standpoint it is the exact same as leaving it blank. Personally, I prefer to have it filled in.
doubledee (June 30, 2012, author):

> From a security standpoint it is the exact same as leaving it blank. Personally, I prefer to have it filled in.

So you like this...

action="<?php echo $_SERVER['SCRIPT_NAME']; ?>"

If that is no better than being blank, then why do you prefer that? To me, it just adds more code to read...

Debbie
Philip (June 30, 2012):

Yes, but I also like having all my attributes filled in. I'm OCD like that. (Also, the W3C specs technically say a URI is required.)

action %URI; #REQUIRED -- server-side form handler --

action = uri [CT]
This attribute specifies a form processing agent. User agent behavior for a value other than an HTTP URI is undefined.
doubledee (June 30, 2012, author):

> Yes, but I also like having all my attributes filled in. I'm OCD like that. (Also, the W3C specs technically say a URI is required.)
>
> action %URI; #REQUIRED -- server-side form handler --
>
> action = uri [CT]
> This attribute specifies a form processing agent. User agent behavior for a value other than an HTTP URI is undefined.

Okay.

Debbie
kicken (June 30, 2012):

The thing with echoing out $_SERVER['PHP_SELF'] is that someone can modify its value to include data you don't intend to be there, possibly leaving you open to XSS attacks. If you're going to echo it out, then you should at least run it through htmlentities() like you would other user-defined values.

Some people suggest using action="" because in HTML4, when the action is set to an empty URI, that is handled the same as setting it to the current page. In HTML5, this is not allowed, however, and if you specify an action it has to have a valid URI value. For HTML5 you can achieve the same behavior (submit-to-self) by just not including the action attribute.
doubledee (June 30, 2012, author):

> The thing with echoing out $_SERVER['PHP_SELF'] is that someone can modify its value to include data you don't intend to be there, possibly leaving you open to XSS attacks. If you're going to echo it out, then you should at least run it through htmlentities() like you would other user-defined values.
>
> Some people suggest using action="" because in HTML4, when the action is set to an empty URI, that is handled the same as setting it to the current page. In HTML5, this is not allowed, however, and if you specify an action it has to have a valid URI value. For HTML5 you can achieve the same behavior (submit-to-self) by just not including the action attribute.

Using $_SERVER['PHP_SELF'] is a bad idea and a well-documented way for someone to hack your system.

Again, it seems to be that people have said that it is possible to insert an unwanted value in a blank action="" similar to using $_SERVER['PHP_SELF'], but I wasn't sure.

I do not plan on using HTML5 anytime soon, so I'll cross that bridge later.

Debbie
kicken (June 30, 2012):

Guess I didn't read close enough to notice you used SCRIPT_NAME rather than PHP_SELF. My bad there.

> Again, it seems to be that people have said that it is possible to insert an unwanted value in a blank action="" similar to using $_SERVER['PHP_SELF'], but I wasn't sure.

A person can always modify your action attribute once they have the page in their browser; it doesn't matter if you fill it in, leave it blank, or leave it out altogether. All they have to do is either save the file, change the HTML, and then open it locally, or use one of the many browser development tools such as Firebug or Chrome's console to edit the HTML on-the-fly.
Philip (July 1, 2012):

> Guess I didn't read close enough to notice you used SCRIPT_NAME rather than PHP_SELF. My bad there.

Same here.
scootstah (July 2, 2012):

> Again, it seems to be that people have said that it is possible to insert an unwanted value in a blank action="" similar to using $_SERVER['PHP_SELF'], but I wasn't sure.

They can, but it is not the same as $_SERVER['PHP_SELF']. If you use $_SERVER['PHP_SELF'], people can add data to the URI which would then show up in the action; ergo an XSS attack. However, if someone modifies the action attribute, they are the only ones that are going to see it; it's not possible to affect anyone else that way.

I don't really like $_SERVER['SCRIPT_NAME'] either, though, since it disregards query strings. So my opinion is that you should either use a reliable way to get the current URI or leave the action blank/omit it.
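An added PHP example (not posted by anyone in this thread) that illustrates both kicken's point about escaping $_SERVER['PHP_SELF'] and scootstah's objection that SCRIPT_NAME drops the query string. The $_SERVER values at the top are constructed so the script runs from the command line; in a real request the web server fills them in. Function names are my own, and the escaping uses htmlspecialchars() with ENT_QUOTES, which is the attribute-safe variant of the htmlentities() call kicken mentions.

```php
<?php
// Added example, not from the forum thread. Shows why an unescaped PHP_SELF in
// a form action is an XSS sink, and how to build a self-referencing action
// safely with or without the query string.

// Constructed request values for a CLI run. A client can append extra path
// info to the URL, and that suffix ends up in PHP_SELF but not in SCRIPT_NAME.
$_SERVER['SCRIPT_NAME']  = '/form.php';
$_SERVER['PHP_SELF']     = '/form.php/"><i>injected</i><a href="';
$_SERVER['QUERY_STRING'] = 'step=2&note="quoted"';

// Vulnerable: client-controlled path info is written into the markup as-is,
// so the quote and angle brackets break out of the attribute.
function formTagVulnerable(array $server): string
{
    return '<form id="changeEmail" action="' . $server['PHP_SELF'] . '" method="post">';
}

// Hardened: treat PHP_SELF like any other user-supplied value and escape it.
function formTagEscaped(array $server): string
{
    $action = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form id="changeEmail" action="' . $action . '" method="post">';
}

// SCRIPT_NAME carries only the script path the server resolved, not the
// client's path-info suffix, but it also drops the query string.
function formTagScriptName(array $server): string
{
    $action = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<form id="changeEmail" action="' . $action . '" method="post">';
}

// SCRIPT_NAME plus the query string, so the form posts back to the same URL
// including its parameters. QUERY_STRING is client-controlled too, so the
// whole value is escaped before it goes into the attribute.
function formTagWithQuery(array $server): string
{
    $uri = $server['SCRIPT_NAME'];
    if (!empty($server['QUERY_STRING'])) {
        $uri .= '?' . $server['QUERY_STRING'];
    }
    $action = htmlspecialchars($uri, ENT_QUOTES, 'UTF-8');
    return '<form id="changeEmail" action="' . $action . '" method="post">';
}

// Quick self-check: an escaped attribute value must not contain a raw quote
// or angle bracket between the surrounding double quotes.
function attributeIsIntact(string $tag): bool
{
    if (!preg_match('/action="([^"]*)"/', $tag, $m)) {
        return false;
    }
    $value = $m[1];
    return strpbrk($value, '<>"') === false
        && substr_count($tag, 'action=') === 1;
}

echo formTagVulnerable($_SERVER), PHP_EOL;   // attribute broken open
echo formTagEscaped($_SERVER), PHP_EOL;      // suffix present but inert
echo formTagScriptName($_SERVER), PHP_EOL;   // clean path, no query string
echo formTagWithQuery($_SERVER), PHP_EOL;    // path plus escaped query string

var_dump(attributeIsIntact(formTagVulnerable($_SERVER)));  // bool(false)
var_dump(attributeIsIntact(formTagEscaped($_SERVER)));     // bool(true)
```

Running it shows the first tag with `<i>injected</i>` sitting outside the attribute, while the escaped versions keep everything inside `action="..."` as inert text. Whether you prefer SCRIPT_NAME, SCRIPT_NAME plus QUERY_STRING, or omitting the attribute, the rule from the thread holds: anything taken from $_SERVER that reflects the request URL is user input and gets escaped before it is echoed.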