Securing $_SERVER['PHP_SELF']

[spookztar]

Hi,

 

I have just been advised to secure the use of the mentioned server variable with strip_tags(). I have a log-in form that starts like this:

 

$loginform = "<form method='post' action={$_SERVER['PHP_SELF']}'>"

 

In order to be able to use PHP_SELF dynamically in the string, I had to wrap it in clamps {}. When I try to pop "strip tags()" in there as well, I can't get away with it without getting a syntaxial error. How do I do it without having to jump in and out of PHP-mode?

 

Another thing, instead of adding this change to all the forms on the site, couldn't one just put:

 

strip_tags($_SERVER['PHP_SELF']);

 

- or something similarly general, at the very top of the selfloading script containing all the forms? Wouldn't this just clean out any tags every time a pageload occurs?

 

Bye,

[revraz]

The entire action isn't even required if you are posting to itself.  Just remove it.

[spookztar]

???

 

Like this:

 

$loginform = "<form method='post'>"

[revraz]

Yep

[spookztar]

That's all good and well. But when PHP_SELF is only a part of a longer string, such as this:

 

$section = "<form action='{$_SERVER['PHP_SELF']}?sectionidentity=1' method='post'>

 

- then what?

[PFMaBiSmAd]

Just start at the ? -

 

action='?sectionidentity=1'

[spookztar]

Ok...? A bit... of a surprise at my end..

 

Does this mean that the use of PHP_SELF is outdated? In mean, In what situations do you use it then?

[Perad]

Ok...? A bit... of a surprise at my end..

 

Does this mean that the use of PHP_SELF is outdated? In mean, In what situations do you use it then?

 

It is helpful to find where one file is in relation to another.

[revraz]

Not sure if it's outdated, but it seems to work fine as long as you want to post to the same page.

[spookztar]

- which is basically the same as saying that the use of PHP_SELF is completely superfluous, as PHP_SELF is all about the iteration of posting to the same page.

 

Conclusion: Unless another pagename is specified in the form, PHP automatically performs a PHP_SELF iteration.

 

I whish the guy who helped me with the origin-example had known this..

 

Man...

 

Thanx for the responses by the way..

[PFMaBiSmAd]

PHP does not figure out the target of a form. The browser does.

[spookztar]

Ok apparently, as I suspected, it wasn't that easy. I now have a sequence that leads form form to form, through three tiers and when one is trying to progress to the last form in the chain, one is tossed back to the first tier unless PHP_SELF is used in the form tag. So I need an answer to the question original question anyway.

 

How do I get strip_tags() into -

$loginform = "<form method='post' action={$_SERVER['PHP_SELF']}'>"

- without violating rules of syntax?

 

[spookztar]

I got interrrupted by a time limit that disallowed me editing my last post to a more understandable size, so here goes again.

 

Ok. Apparently, as I suspected, it wasn't that easy. I now have a sequence that leads from form to form, through three tiers and when one is trying to progress to the last form in the chain, one is tossed back to the first tier unless PHP_SELF is used in the form tag of the form i tier two. So I need an answer to the original question anyway. It would also, as mentioned earlier, be a great thing if there was a way to sanitize all instances of PHP_SELF just once at the top of the script, whenever an iteration occurs as a result of using it.

[nikefido]

Use concatenation:

<?php
$loginform = "<form method='post' action='" . strip_tags($_SERVER['PHP_SELF']) . "'>";
?>

 

[spookztar]

Thanx. I just found another easy way to do it. Just put:

$safeself = strip_tags($_SERVER['PHP_SELF']);

- at the top of the script, and then do -

$loginform = "<form method='post' action='{$safeself}'>"

- in all places where the use of PHP_SELF is necessary.

 

Sometimes even the simplest solutions eludes you. Oh, the plight of the newbie

[Ken2k7]

Wouldn't the simplest solution to just exclude the action attribute?