Jump to content

Securing $_SERVER['PHP_SELF']

spookztar

By spookztar
in PHP Coding Help

 Share

Recommended Posts

spookztar Newbie

spookztar

Posted
Posted

Hi,

 

I have just been advised to secure the use of the mentioned server variable with strip_tags(). I have a log-in form that starts like this:

 

$loginform = "<form method='post' action={$_SERVER['PHP_SELF']}'>"

 

In order to be able to use PHP_SELF dynamically in the string, I had to wrap it in clamps {}. When I try to pop "strip tags()" in there as well, I can't get away with it without getting a syntaxial error. How do I do it without having to jump in and out of PHP-mode?

 

Another thing, instead of adding this change to all the forms on the site, couldn't one just put:

 

strip_tags($_SERVER['PHP_SELF']);

 

- or something similarly general, at the very top of the selfloading script containing all the forms? Wouldn't this just clean out any tags every time a pageload occurs?

 

Bye,

Link to comment
https://forums.phpfreaks.com/topic/85993-securing-_serverphp_self/
Share on other sites
spookztar Newbie

spookztar

Posted
  • Author
Posted

- which is basically the same as saying that the use of PHP_SELF is completely superfluous, as PHP_SELF is all about the iteration of posting to the same page.

 

Conclusion: Unless another pagename is specified in the form, PHP automatically performs a PHP_SELF iteration.

 

I whish the guy who helped me with the origin-example had known this..

 

Man...

 

Thanx for the responses by the way.. :)

spookztar Newbie

spookztar

Posted
  • Author
Posted

Ok apparently, as I suspected, it wasn't that easy. I now have a sequence that leads form form to form, through three tiers and when one is trying to progress to the last form in the chain, one is tossed back to the first tier unless PHP_SELF is used in the form tag. So I need an answer to the question original question anyway.

 

How do I get strip_tags() into -

$loginform = "<form method='post' action={$_SERVER['PHP_SELF']}'>"

- without violating rules of syntax?

 

spookztar Newbie

spookztar

Posted
  • Author
Posted

I got interrrupted by a time limit that disallowed me editing my last post to a more understandable size, so here goes again.

 

Ok. Apparently, as I suspected, it wasn't that easy. I now have a sequence that leads from form to form, through three tiers and when one is trying to progress to the last form in the chain, one is tossed back to the first tier unless PHP_SELF is used in the form tag of the form i tier two. So I need an answer to the original question anyway. It would also, as mentioned earlier, be a great thing if there was a way to sanitize all instances of PHP_SELF just once at the top of the script, whenever an iteration occurs as a result of using it.

spookztar Newbie

spookztar

Posted
  • Author
Posted

Thanx. I just found another easy way to do it. Just put:

$safeself = strip_tags($_SERVER['PHP_SELF']);

- at the top of the script, and then do -

$loginform = "<form method='post' action='{$safeself}'>"

- in all places where the use of PHP_SELF is necessary.

 

Sometimes even the simplest solutions eludes you. Oh, the plight of the newbie ;)

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.