doubledee Posted June 30, 2012 Share Posted June 30, 2012 I have a note here in my To-Do List that I am unsure what it means... If I have a Form that loads back onto itself, I have been using... <form id="changeEmail" action="" method="post"> My note to myself has... action="<?php echo $_SERVER['SCRIPT_NAME']; ?>" ...and I am wondering if I'm supposed to replace the former with the latter?? Suggestions? Debbie Quote Link to comment Share on other sites More sharing options...
xyph Posted June 30, 2012 Share Posted June 30, 2012 No. Quote Link to comment Share on other sites More sharing options...
darkfreaks Posted June 30, 2012 Share Posted June 30, 2012 they both do the same thing i don't understand what the problem is. Quote Link to comment Share on other sites More sharing options...
doubledee Posted June 30, 2012 Author Share Posted June 30, 2012 No. Care to elaborate? It seems to me that some people have said that the second block of code is more *secure* because it prevents a hacker from injecting in a different Form name and routing my website to somewhere it shouldn't go... (But this note is like 4-6 months old, so my memory is foggy at best?!) Debbie Quote Link to comment Share on other sites More sharing options...
darkfreaks Posted June 30, 2012 Share Posted June 30, 2012 that is more secure. using $_SERVER[script_name] over $_SERVER[php_self] Quote Link to comment Share on other sites More sharing options...
xyph Posted June 30, 2012 Share Posted June 30, 2012 Some people have said a lot of things. It's client-side behaviour. Why cite something you can't remember clearly? From what I'm reading now, the current HTML5 spec doesn't allow blank actions. Leave out the attribute entirely in that case. Quote Link to comment Share on other sites More sharing options...
doubledee Posted June 30, 2012 Author Share Posted June 30, 2012 Some people have said a lot of things. It's client-side behaviour. Why cite something you can't remember clearly? And I asked why you said leaving it blank was better than my second line of code. You must have your reasons? From what I'm reading now, the current HTML5 spec doesn't allow blank actions. Leave out the attribute entirely in that case. I'm using HTML4, so no worries there. Debbie Quote Link to comment Share on other sites More sharing options...
Philip Posted June 30, 2012 Share Posted June 30, 2012 It seems to me that some people have said that the second block of code is more *secure* because it prevents a hacker from injecting in a different Form name and routing my website to somewhere it shouldn't go... Logic check: if they can "add" a different form action, what is stopping them from editing the one that is already there. (hint: "adding" a different form action is the same as editing an existing one.) Quote Link to comment Share on other sites More sharing options...
doubledee Posted June 30, 2012 Author Share Posted June 30, 2012 It seems to me that some people have said that the second block of code is more *secure* because it prevents a hacker from injecting in a different Form name and routing my website to somewhere it shouldn't go... Logic check: if they can "add" a different form action, what is stopping them from editing the one that is already there. (hint: "adding" a different form action is the same as editing an existing one.) I suppose. So you are saying that having action="" is okay from a security standpoint? Debbie Quote Link to comment Share on other sites More sharing options...
Philip Posted June 30, 2012 Share Posted June 30, 2012 From a security standpoint it is the exact same as leaving it blank. Personally, I prefer to have it filled in. Quote Link to comment Share on other sites More sharing options...
doubledee Posted June 30, 2012 Author Share Posted June 30, 2012 From a security standpoint it is the exact same as leaving it blank. Personally, I prefer to have it filled in. So you like this... action="<?php echo $_SERVER['SCRIPT_NAME']; ?>" If that is no better than being blank, then why do you prefer that? To me, it just adds more code to read... Debbie Quote Link to comment Share on other sites More sharing options...
Philip Posted June 30, 2012 Share Posted June 30, 2012 Yes, but I also like having all my attributes filled in. I'm OCD like that. (also the W3C specs technically say a URI is required. action %URI; #REQUIRED -- server-side form handler -- action = uri [CT] This attribute specifies a form processing agent. User agent behavior for a value other than an HTTP URI is undefined. Quote Link to comment Share on other sites More sharing options...
doubledee Posted June 30, 2012 Author Share Posted June 30, 2012 Yes, but I also like having all my attributes filled in. I'm OCD like that. (also the W3C specs technically say a URI is required. action %URI; #REQUIRED -- server-side form handler -- action = uri [CT] This attribute specifies a form processing agent. User agent behavior for a value other than an HTTP URI is undefined. Okay. Debbie Quote Link to comment Share on other sites More sharing options...
kicken Posted June 30, 2012 Share Posted June 30, 2012 The thing with echoing out $_SERVER['PHP_SELF'] is that someone can modify it's value to include data you don't intend to be there, possibly leaving you open to XSS attacks. If your going to echo it out then you should at least run it through htmlentities() like you would other user-defined values. Some people suggest using action="" because in HTML4, when the action is set to an empty URI, that is handled the same as setting it to the current page. In HTML5, this is not allowed however and if you specify an action it has to have a valid URI value. For HTML5 you can achieve the same behavior (submit-to-self) by just not including the action attribute. Quote Link to comment Share on other sites More sharing options...
doubledee Posted June 30, 2012 Author Share Posted June 30, 2012 The thing with echoing out $_SERVER['PHP_SELF'] is that someone can modify it's value to include data you don't intend to be there, possibly leaving you open to XSS attacks. If your going to echo it out then you should at least run it through htmlentities() like you would other user-defined values. Some people suggest using action="" because in HTML4, when the action is set to an empty URI, that is handled the same as setting it to the current page. In HTML5, this is not allowed however and if you specify an action it has to have a valid URI value. For HTML5 you can achieve the same behavior (submit-to-self) by just not including the action attribute. Using $_SERVER['PHP_SELF'] is a bad idea and a well-documented way for someone to hack your system. Again, it seems to be that people have said that it is possible to insert an unwanted value in a blank action="" similar to using $_SERVER['PHP_SELF'], but I wasn't sure. I do not plan on using HTML5 anytime soon, so I'll cross that bridge later. Debbie Quote Link to comment Share on other sites More sharing options...
kicken Posted June 30, 2012 Share Posted June 30, 2012 Guess I didn't read close enough to notice you used SCRIPT_NAME rather than PHP_SELF. My bad there. Again, it seems to be that people have said that it is possible to insert an unwanted value in a blank action="" similar to using $_SERVER['PHP_SELF'], but I wasn't sure. A person can always modify your action attribute once they have the page in their browser, it doesn't matter if you fill it in, leave it blank, or leave it out all together. All they have to do is either save the file, change the html, and then open it locally, or use one of the many browser development tools such as firebug or chrome's console to edit the HTML on-the-fly. Quote Link to comment Share on other sites More sharing options...
Philip Posted July 1, 2012 Share Posted July 1, 2012 Guess I didn't read close enough to notice you used SCRIPT_NAME rather than PHP_SELF. My bad there. Same here. Quote Link to comment Share on other sites More sharing options...
scootstah Posted July 2, 2012 Share Posted July 2, 2012 Again, it seems to be that people have said that it is possible to insert an unwanted value in a blank action="" similar to using $_SERVER['PHP_SELF'], but I wasn't sure. They can, but it is not the same as $_SERVER['PHP_SELF']. If you use $_SERVER['PHP_SELF'], people can add data to the URI which would then show up in the action,; ergo an XSS attack. However if someone modifies the action attribute, they are the only ones that are going to see it - it's not possible to effect anyone else that way. I don't really like $_SERVER['SCRIPT_NAME'] either though, since it disregards query strings. So my opinion is that you should either use a reliable way to get the current URI or leave the action blank/omit it. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.