spookztar Posted January 14, 2008

Hi, I have just been advised to secure the use of the mentioned server variable with strip_tags(). I have a log-in form that starts like this:

$loginform = "<form method='post' action='{$_SERVER['PHP_SELF']}'>";

In order to be able to use PHP_SELF dynamically in the string, I had to wrap it in clamps {}. When I try to pop strip_tags() in there as well, I can't get away with it without getting a syntax error. How do I do it without having to jump in and out of PHP mode?

Another thing: instead of adding this change to all the forms on the site, couldn't one just put

strip_tags($_SERVER['PHP_SELF']);

or something similarly general, at the very top of the self-loading script containing all the forms? Wouldn't this just clean out any tags every time a page load occurs?

Bye,

Source: https://forums.phpfreaks.com/topic/85993-securing-_serverphp_self/
revraz Posted January 14, 2008

The entire action isn't even required if you are posting to itself. Just remove it.
spookztar Posted January 14, 2008

??? Like this:

$loginform = "<form method='post'>";
revraz Posted January 14, 2008

Yep
spookztar Posted January 14, 2008

That's all good and well. But when PHP_SELF is only a part of a longer string, such as this:

$section = "<form action='{$_SERVER['PHP_SELF']}?sectionidentity=1' method='post'>";

- then what?
PFMaBiSmAd Posted January 14, 2008

Just start at the ?:

action='?sectionidentity=1'
spookztar Posted January 14, 2008

Ok...? A bit of a surprise at my end. Does this mean that the use of PHP_SELF is outdated? I mean, in what situations do you use it then?
Perad Posted January 14, 2008

> Ok...? A bit of a surprise at my end. Does this mean that the use of PHP_SELF is outdated? I mean, in what situations do you use it then?

It is helpful to find where one file is in relation to another.
revraz Posted January 14, 2008

Not sure if it's outdated, but it seems to work fine as long as you want to post to the same page.
spookztar Posted January 14, 2008

- which is basically the same as saying that the use of PHP_SELF is completely superfluous, as PHP_SELF is all about the iteration of posting to the same page.

Conclusion: Unless another page name is specified in the form, PHP automatically performs a PHP_SELF iteration. I wish the guy who helped me with the origin example had known this.. Man...

Thanx for the responses by the way..
PFMaBiSmAd Posted January 14, 2008

PHP does not figure out the target of a form. The browser does.
spookztar Posted January 16, 2008

Ok, apparently, as I suspected, it wasn't that easy. I now have a sequence that leads from form to form, through three tiers, and when one is trying to progress to the last form in the chain, one is tossed back to the first tier unless PHP_SELF is used in the form tag. So I need an answer to the original question anyway. How do I get strip_tags() into

$loginform = "<form method='post' action='{$_SERVER['PHP_SELF']}'>";

without violating rules of syntax?
spookztar Posted January 16, 2008

I got interrupted by a time limit that disallowed me editing my last post to a more understandable size, so here goes again.

Ok. Apparently, as I suspected, it wasn't that easy. I now have a sequence that leads from form to form, through three tiers, and when one is trying to progress to the last form in the chain, one is tossed back to the first tier unless PHP_SELF is used in the form tag of the form in tier two. So I need an answer to the original question anyway.

It would also, as mentioned earlier, be a great thing if there was a way to sanitize all instances of PHP_SELF just once at the top of the script, whenever an iteration occurs as a result of using it.
nikefido Posted January 16, 2008

Use concatenation:

<?php
$loginform = "<form method='post' action='" . strip_tags($_SERVER['PHP_SELF']) . "'>";
?>
spookztar Posted January 16, 2008

Thanx. I just found another easy way to do it. Just put:

$safeself = strip_tags($_SERVER['PHP_SELF']);

at the top of the script, and then do

$loginform = "<form method='post' action='{$safeself}'>";

in all places where the use of PHP_SELF is necessary. Sometimes even the simplest solutions elude you. Oh, the plight of the newbie
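The caveat a practitioner would want at this point, as an added example that is not part of the thread: strip_tags() only removes <...> sequences, but PHP_SELF reflects the request path including any PATH_INFO the client appends, URL-decoded, so a payload with no angle brackets passes through strip_tags() untouched and still breaks out of the single-quoted action attribute. The sample values below are constructed to stand in for what a web server would put in $_SERVER['PHP_SELF'] for such requests, and the function names are this example's own. The hardened variants either encode the value for an HTML attribute context with htmlspecialchars() and ENT_QUOTES, or drop the variable altogether as revraz and PFMaBiSmAd suggested.

```php
<?php
// Added example (not from the thread): why strip_tags() is the wrong tool
// for $_SERVER['PHP_SELF'].
//
// PHP_SELF includes any trailing PATH_INFO the client appends, URL-decoded.
// A request for
//   /login.php/%27%20onmouseover=%27alert(1)
// arrives with $_SERVER['PHP_SELF'] === "/login.php/' onmouseover='alert(1)".
// strip_tags() only removes <...> sequences, so that value passes through
// unchanged and closes the quoted action attribute early.

/** The pattern adopted in the thread: strip_tags() on PHP_SELF (insufficient). */
function loginFormStripTags(string $phpSelf): string
{
    $safeself = strip_tags($phpSelf);
    return "<form method='post' action='{$safeself}'>";
}

/** Hardened: encode for an HTML attribute context, single and double quotes included. */
function loginFormEscaped(string $phpSelf): string
{
    $safeself = htmlspecialchars($phpSelf, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<form method='post' action='{$safeself}'>";
}

/** Hardened alternative: no user-controlled value in the markup at all.
 *  The browser posts to the current URL; a query string can still be carried. */
function loginFormNoSelf(array $query = []): string
{
    $action = $query ? '?' . http_build_query($query) : '';
    return "<form method='post' action='{$action}'>";
}

// Constructed sample values, as a web server would populate PHP_SELF for
// the corresponding requests (hypothetical script name /login.php).
$samples = [
    'normal request'     => '/login.php',
    'tag payload'        => '/login.php/<script>alert(1)</script>',
    'attribute breakout' => "/login.php/' onmouseover='alert(1)",
];

foreach ($samples as $label => $phpSelf) {
    echo "== {$label}\n";
    echo "strip_tags():     " . loginFormStripTags($phpSelf) . "\n";
    echo "htmlspecialchars: " . loginFormEscaped($phpSelf) . "\n";
}

echo "== no PHP_SELF at all\n";
echo loginFormNoSelf(['sectionidentity' => 1]) . "\n";
```

For the "attribute breakout" sample the strip_tags() line emits action='/login.php/' onmouseover='alert(1)', which a browser parses as a closed action attribute followed by an event handler, while the htmlspecialchars() line keeps the whole value inside the attribute because the quote is encoded. The "tag payload" sample is the one case strip_tags() does handle, which is why it looks adequate in quick tests. If a self-referencing action is genuinely needed, as in the multi-tier form chain described above, encoding for the attribute context is the fix; $_SERVER['SCRIPT_NAME'] does not carry the client-supplied PATH_INFO and is the usual lower-risk substitute, but it should be escaped the same way rather than trusted.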
Ken2k7 Posted January 16, 2008

Wouldn't the simplest solution be to just exclude the action attribute?
This topic is now archived and is closed to further replies.