Member Avatar for Clanstrom

I just saw a tutorial on a PHP site, and saw the super global $_SERVER['SERVER_SELF'] getting sanitized with htmlspecialchars. Us there any use for this? If you submit a post that has form action="$_SERVER['SERVER_SELF']" what difference does it make what the url is set when submitting a form, because the browser will only submit to the url

  • 3 Contributors
  • 5 Replies
  • 315 Views
  • 1 Hour Discussion Span
  • Latest Post Latest Post by LastMitch

Recommended Answers

All 5 Replies

Member Avatar for Clanstrom

Sorry I meant $_SERVER["PHP_SELF"]

Member Avatar for diafol

It's to avoid XSS.
When it's used in a form action:

<form action="<?php echo $_SERVER['PHP_SELF'];?>" ...>

It's vulnerable to XSS as an user could go to your form page and add some js in the url, e.g.

http://www.example.com/myform.php/%22%3E%3Cscript%3Ealert('youFOOL')%3C/script%3E ...

This would be translated to something like:

<form action="myform.php" ... />
<script>alert('youFOOL')</script> ...

Now that may be pretty harmless, but it can be made to run files from another server.

So you use htmlentities() to sanitize it.

Member Avatar for Clanstrom

But it is imposssible to manupilate the url on the fly. because, when you press post, the browser can only submit into the un-modified version of the url rather than the modified.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.