stijn0713, posted September 4, 2012

According to http://markjaquith.wordpress.com/2009/09/21/php-server-vars-not-safe-in-forms-or-links/ a naked htmlentities is not safe enough for $_SERVER['php_self']... what should I do then? I remember having read something about dynamically building the current path, but I can't seem to find the article anymore.

MMDE, posted September 4, 2012

Why do you need $_SERVER['php_self']?

darkfreaks, posted September 4, 2012

$_SERVER[php_SELF] is a security risk if you are using it in your form action; use bloginfo('home').

Christian F., posted September 4, 2012

This might be of help, if you really need $_SERVER['PHP_SELF'].

scootstah, posted September 4, 2012

I think the article you linked gives plenty of information for what you should do:

> Here are my two rules regarding $_SERVER['PHP_SELF'] or $_SERVER['REQUEST_URI'] in forms:
>
> 1. Do not use them.
> 2. If you use one of them, escape it with esc_url().
>
> Most uses of $_SERVER['PHP_SELF'] and $_SERVER['REQUEST_URI'] are in HTML forms. If you want the action attribute to point to the current URL, leave it blank. URI references that are blank point to the current resource.
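The following is an added example, not code from this thread or from the article it quotes. It shows concretely why a "naked" htmlentities() on PHP_SELF is not enough: PHP_SELF includes PATH_INFO, which the client chooses, and before PHP 8.1 the default flags of htmlentities() (ENT_COMPAT) leave the single quote alone, so a single-quoted attribute can be closed and an event handler appended. The same markup with ENT_QUOTES, a blank action, or a path taken from the server-resolved SCRIPT_NAME is shown beside it. The request path, the function names and the four-quote check are constructed for this demo; on PHP 8.1 and later the defaults already include ENT_QUOTES, so the "naked" variant comes out escaped there as well.

```php
<?php
declare(strict_types=1);

// Added example, not code from this thread. It simulates what a self-posting
// form looks like when PHP_SELF carries attacker-controlled PATH_INFO.

// Constructed request: GET /page.php/' onmouseover='alert(1)
// Everything after "page.php" is PATH_INFO, and the client chooses it, so
// $_SERVER['PHP_SELF'] becomes the string below.
const INJECTED_PHP_SELF = "/page.php/' onmouseover='alert(1)";

// Pattern many tutorials use: single-quoted attribute, "naked" htmlentities().
// Before PHP 8.1 the default flags are ENT_COMPAT, which leave the single
// quote alone, so the payload closes the attribute and adds an event handler.
function form_naked(string $phpSelf): string
{
    return "<form action='" . htmlentities($phpSelf) . "' method='post'>";
}

// Same markup with the quote style covered explicitly: ENT_QUOTES encodes
// both ' and ", which is correct on every PHP version.
function form_quoted(string $phpSelf): string
{
    $safe = htmlspecialchars($phpSelf, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<form action='" . $safe . "' method='post'>";
}

// Self-posting form that uses no server variable at all: an empty action
// is a same-document reference, which is what the quoted article recommends.
function form_blank(): string
{
    return "<form action='' method='post'>";
}

// If the script path is really needed (e.g. for a link in a template),
// SCRIPT_NAME is resolved by the server and never contains PATH_INFO.
// An allowlist pattern keeps anything unexpected out regardless.
function script_path(array $server): string
{
    $name = $server['SCRIPT_NAME'] ?? '';
    return preg_match('~^(/[A-Za-z0-9_.-]+)+$~', $name) === 1 ? $name : '';
}

// Crude check for the demo: the markup we wrote contains exactly four raw
// single quotes (two attributes). Any extra raw quote means the attribute
// boundary was broken by the injected value.
function attribute_intact(string $html): bool
{
    return substr_count($html, "'") === 4;
}

// Demo when run from the CLI: php phpself_demo.php
if (PHP_SAPI === 'cli') {
    $server = ['PHP_SELF' => INJECTED_PHP_SELF, 'SCRIPT_NAME' => '/page.php'];

    $variants = [
        'naked'  => form_naked($server['PHP_SELF']),
        'quoted' => form_quoted($server['PHP_SELF']),
        'blank'  => form_blank(),
    ];
    foreach ($variants as $label => $html) {
        printf("%-7s intact=%s  %s\n", $label, attribute_intact($html) ? 'yes' : 'NO', $html);
    }
    echo "script_path: ", script_path($server), "\n";
    echo "PHP ", PHP_VERSION,
        (PHP_VERSION_ID < 80100 ? " (defaults leave ' unescaped)" : " (defaults include ENT_QUOTES since 8.1)"),
        "\n";
}
```

Run it under a pre-8.1 interpreter and the "naked" line prints intact=NO with a live onmouseover attribute in the form tag; the "quoted" and "blank" lines are intact on every version. A double-quoted attribute would have hidden this particular payload, but the ENT_QUOTES variant or a blank action is the one that does not depend on which quote style the template happens to use.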
stijn0713 (author), posted September 5, 2012

I'm not using it in a WordPress environment... nor do I possess the WordPress files to copy their escape functions... I could of course find them, but I asked because I thought there must be a best practice for it (which probably won't be just copying WordPress). I'm using $_SERVER['php_self'] to send it along to the login page for use in $_SESSION['prev_url']... so not in a form action element.

stijn0713 (author), posted September 5, 2012

@Christian, thanks for the snippet you refer to!

> Anyway, I've seen quite a few posts here where people have used $_SERVER['PHP_SELF'] and gotten told to never do this, due to the HTML injection risk it carries with it. While I do agree with the statement that PHP_SELF is unnecessary in most cases, there are situations where it's very useful.

Could you tell me in which cases I should or shouldn't use php_self and what the alternatives are? Is there an alternative in the case I use it for, namely to send it along to the login page?
scootstah, posted September 5, 2012

> Is there an alternative in the case I use it for, namely to send it along to the login page?

The alternative is to define the base URL somewhere (like a config file) and then build it for your pages with a function. You could build another function that retrieves the URL or specific segments. Here's an example.

```php
<?php
// define the base url
define('BASE_URL', 'http://example.com');

function build_url($params = array())
{
    $query = !empty($params) ? '?' . http_build_query($params) : '';

    return BASE_URL . '/' . $query;
}

function get_url_segment($index = null)
{
    $segments = array();

    if (!empty($_SERVER['QUERY_STRING'])) {
        parse_str($_SERVER['QUERY_STRING'], $query_string);

        // loop through the query string
        // sanitize the key and value
        foreach ($query_string as $key => $val) {
            // remove illegal characters
            $key = preg_replace('/[^a-z0-9_]/i', '', $key);

            // replace illegal characters with _
            $val = preg_replace('/[^a-z0-9_\-+]/i', '_', $val);

            // remove duplicated _
            $val = preg_replace('/_{2,}/', '_', $val);

            // add to the segments array
            $segments[$key] = $val;
        }
    }

    // no index? return everything
    if (is_null($index)) {
        return $segments;
    }

    return isset($segments[$index]) ? $segments[$index] : null;
}

function current_url()
{
    $segments = get_url_segment();

    return build_url($segments);
}
```

With these functions, you can now do things like:

```php
<?php
echo '<a href="' . build_url(array('foo' => 'bar', 'bar' => 'foobar')) . '">Link</a>';
// http://example.com/?foo=bar&bar=foobar

echo get_url_segment('foo'); // bar
echo get_url_segment('bar'); // foobar

echo current_url(); // http://example.com/?foo=bar&bar=foobar
```
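The snippet above rebuilds the current URL from an allowlisted query string, which covers links. The original question, though, was about the login flow: remembering where the visitor was and sending them back after login. That target is also user-influenced (PHP_SELF and REQUEST_URI both come from the request line), and the failure mode there is not HTML injection but an open redirect or a split Location header. The following is an added example, not code from this thread, that validates such a return-to value before it goes into $_SESSION['prev_url'] and again before it is used for the redirect. APP_BASE, LOGIN_PATH, the function names and the sample inputs are assumptions made for the example; the path allowlist is deliberately strict (plain ASCII segments, no percent-encoding) and would need widening for an application with other URL shapes.

```php
<?php
declare(strict_types=1);

// Added example, not code from this thread. Validates a "return to this page
// after login" target before it is stored in the session or used in a
// Location header. APP_BASE and LOGIN_PATH are assumptions for the demo.
const APP_BASE   = 'https://example.com';
const LOGIN_PATH = '/login.php';

/**
 * Reduce a user-influenced candidate (REQUEST_URI, PHP_SELF, a ?next=
 * parameter, or a session value seeded from one) to a safe local path.
 * Returns "/path?normalised=query" or null when the value is rejected.
 */
function safe_return_path(?string $candidate): ?string
{
    if ($candidate === null || $candidate === '') {
        return null;
    }
    // CR/LF would split the Location header; reject all control characters.
    if (preg_match('/[\x00-\x1F\x7F]/', $candidate) === 1) {
        return null;
    }
    // Must be path-absolute: "/x" but not "//host" or "/\host" (browsers treat
    // both as protocol-relative) and not "https://host" or "javascript:".
    if ($candidate[0] !== '/' || (isset($candidate[1]) && ($candidate[1] === '/' || $candidate[1] === '\\'))) {
        return null;
    }
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])
        || isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }
    $path = $parts['path'] ?? '/';
    // Allowlist the path: plain segments only. This also discards PATH_INFO
    // payloads such as /page.php/<script>, because '<' is not in the set.
    if (preg_match('~^(/[A-Za-z0-9_.-]+)*/?$~', $path) !== 1) {
        return null;
    }
    foreach (explode('/', $path) as $segment) {
        if ($segment === '..') {           // keep the stored path canonical
            return null;
        }
    }
    // Never loop back to the login page itself.
    if ($path === LOGIN_PATH) {
        return null;
    }
    // Re-encode the query so it is clean regardless of where it is echoed later.
    $query = '';
    if (isset($parts['query']) && $parts['query'] !== '') {
        parse_str($parts['query'], $params);
        $query = '?' . http_build_query($params);
    }
    return $path . $query;
}

// On a protected page, before sending the visitor to the login form.
// REQUEST_URI is used rather than PHP_SELF because it keeps the query string.
function remember_return_path(array &$session, array $server): void
{
    $session['prev_url'] = safe_return_path($server['REQUEST_URI'] ?? null) ?? '/';
}

// After a successful login: the value comes out of the session, but it is
// validated again because the session might have been seeded elsewhere.
function post_login_location(array $session): string
{
    $target = safe_return_path($session['prev_url'] ?? null) ?? '/';
    return APP_BASE . $target;            // hand this to header('Location: ...')
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs: the first is legitimate, the rest are attack shapes.
    $candidates = [
        '/account/settings.php?tab=security&x=<b>',
        '//evil.example/phish',
        'https://evil.example/',
        "/page.php/' onmouseover='alert(1)",
        "/home.php\r\nSet-Cookie: sid=attacker",
        '/login.php?next=/',
        '/a/../../etc',
    ];
    foreach ($candidates as $c) {
        $session = [];
        remember_return_path($session, ['REQUEST_URI' => $c]);
        printf("%-48s -> %s\n", json_encode($c), post_login_location($session));
    }
}
```

Only the first candidate survives, and it comes back with the query re-encoded (x=%3Cb%3E); every other shape collapses to the application root. Validating on both sides of the session is cheap and means a prev_url written by some other code path, or by an older version of the application, cannot turn the login page into an open redirect.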
stijn0713 (author), posted September 5, 2012

I will study that, thanks!

MMDE, posted September 5, 2012

You could also just completely avoid the problem. Write the login into all pages, if that makes any sense. I think someone else could explain this better than me.