[PHP] $_SERVER['PHP_SELF'] Validation
Xiao
Administrator
Posts: 2,988
Group: Administrators
Joined: Dec 2005
Post: #1

First: why would I want to validate PHP_SELF?

It's a server side value, so how could it be a security issue?
Wrong! It can be altered by the user for XSS (Cross-Site Scripting).
A lot of people don't know this and would use this for example:

PHP Code:
<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
  <!-- My Form -->
</form>

An experienced hacker could abuse that and could enter this for example:
http://www.yoursite.com/form.php/%22%3E%3Cscript%3Ealert('XSS attack!')%3C/script%3E%3Cbr

In your script, that would look like this:

PHP Code:
<form method="post" action="http://www.mysite.com/form.php/">
<script>alert('XSS attack!')</script><br>
  <!-- My Form -->
</form>

Of course, this example is harmless, but I'm sure you can think of many ways a hacker could use more harmful input.

What can I do about it?

There are quite a few articles about this on the internet, but they rarely give a solution or say how you can validate PHP_SELF.
Well, here's a way:

PHP Code:
<?php
//Get the name of the file (form.php)
$phpself = basename(__FILE__);
//Get everything from start of PHP_SELF to where $phpself begins
//Cut that part out, and place $phpself after it
$_SERVER['PHP_SELF'] = substr($_SERVER['PHP_SELF'], 0, strpos($_SERVER['PHP_SELF'], $phpself)) . $phpself;
//You've got a clean PHP_SELF again (y)
This post was last modified: 12-18-2007 01:58 PM by Xiao.

12-18-2007 01:57 PM
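Added example (not part of Xiao's post): the clean-up from the post wrapped in a function and run from the command line over a few constructed request paths, including the post's injected one, the case where the script name is not in the path at all, and the path's HTML-encoding before it lands in the action attribute. The function names and sample paths are assumptions.

```php
<?php
// Run with: php php_self_check.php
// Sample request paths below are constructed for the demo; no real site is involved.

// Same approach as the post: keep everything before the script name, then the
// script name itself, and drop any trailing PATH_INFO (where the payload lives).
function clean_php_self(string $phpSelf, string $scriptName): string
{
    $pos = strpos($phpSelf, $scriptName);
    if ($pos === false) {
        // Script name absent (e.g. a rewritten URL): substr(..., 0, false) would
        // silently give '', so fall back to the bare script name instead.
        return '/' . $scriptName;
    }
    return substr($phpSelf, 0, $pos) . $scriptName;
}

// Defence in depth: encode the cleaned value before writing it into an
// attribute, so a stray quote can never close the attribute.
function form_action(string $phpSelf, string $scriptName): string
{
    return htmlspecialchars(clean_php_self($phpSelf, $scriptName), ENT_QUOTES, 'UTF-8');
}

$scriptName = 'form.php';   // what basename(__FILE__) returns inside form.php

$samples = [
    '/form.php',                                               // normal request
    '/dir/form.php',                                           // script in a sub-directory
    '/form.php/"><script>alert(\'XSS attack!\')</script><br',  // the post's payload, URL-decoded
    '/form.php/form.php/extra',                                // file name repeated in PATH_INFO
    '/pretty-url/',                                            // script name not in the path
];

foreach ($samples as $raw) {
    // Every line prints action="/form.php" or action="/dir/form.php";
    // the injected markup never survives.
    printf("%-60s => action=\"%s\"\n", $raw, form_action($raw, $scriptName));
}
```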