Hi,
I read something about PHP_SELF possibly issuing security flaws, since
requesting... http://www.mydomain.com/thescript.php/bogus
....would output '/thescript.php/bogus' if PHP_SELF is issued in
thescript.php
Can't seem to find the article anymore though.
What would be a good workaround for this?
__FILE__ isn't an option here cause I would like to issue PHP_SELF / your
suggestion in a class that is included in thescript.php
Is there no native PHP variable that returns the pure filename (no path, no
querystring, no trailing user input, etc.) ?
Thanks a bunch. 5  4759 
"amygdala" <no*****@norepl y.comschreef in bericht
news:44******** **************@ news.kpnplanet. nl...
Hi,
I read something about PHP_SELF possibly issuing security flaws, since
requesting...
http://www.mydomain.com/thescript.php/bogus
...would output '/thescript.php/bogus' if PHP_SELF is issued in
thescript.php
Can't seem to find the article anymore though.
What would be a good workaround for this?
__FILE__ isn't an option here cause I would like to issue PHP_SELF / your
suggestion in a class that is included in thescript.php
Is there no native PHP variable that returns the pure filename (no path,
no querystring, no trailing user input, etc.) ?
Thanks a bunch.
I think I found it already:
$_SERVER[ 'SCRIPT_NAME' ]
Seems to work.
Still, if somebody cares to elaborate on the subject: I'm curious what kind
of security issues could show up when using these kinds of variables. Is
$_SERVER[ 'SCRIPT_NAME' ] secure? Much appreciated.
amygdala wrote:
"amygdala" <no*****@norepl y.comschreef in bericht
news:44******** **************@ news.kpnplanet. nl...
Hi,
I read something about PHP_SELF possibly issuing security flaws, since
requesting...
http://www.mydomain.com/thescript.php/bogus
...would output '/thescript.php/bogus' if PHP_SELF is issued in
thescript.php
Can't seem to find the article anymore though.
What would be a good workaround for this?
__FILE__ isn't an option here cause I would like to issue PHP_SELF / your
suggestion in a class that is included in thescript.php
Is there no native PHP variable that returns the pure filename (no path,
no querystring, no trailing user input, etc.) ?
Thanks a bunch.
I think I found it already:
$_SERVER[ 'SCRIPT_NAME' ]
Seems to work.
Still, if somebody cares to elaborate on the subject: I'm curious what kind
of security issues could show up when using these kinds of variables. Is
$_SERVER[ 'SCRIPT_NAME' ] secure? Much appreciated.
Yeah I read about the PHP_SELF problem recently too , the links below
cover the topic better than I can. http://blog.phpdoc.info/archives/13-guid.html http://www-03.ibm.com/developerworks...ver_trust_user
The second page mentions that all variables in $_SERVER which begins
with HTTP (HTTP_REFERER, HTTP_HOST etc) can be easily spoofed.
Regards,
Tim
"Tim Hunt" <ti********@gma il.comschreef in bericht
news:11******** **************@ b28g2000cwb.goo glegroups.com.. .
>
amygdala wrote:
>"amygdala" <no*****@norepl y.comschreef in bericht
news:44******* *************** @news.kpnplanet .nl...
Hi,
I read something about PHP_SELF possibly issuing security flaws, since
requesting...
http://www.mydomain.com/thescript.php/bogus
...would output '/thescript.php/bogus' if PHP_SELF is issued in
thescript.php
Can't seem to find the article anymore though.
What would be a good workaround for this?
__FILE__ isn't an option here cause I would like to issue PHP_SELF /
your
suggestion in a class that is included in thescript.php
Is there no native PHP variable that returns the pure filename (no
path,
no querystring, no trailing user input, etc.) ?
Thanks a bunch.
I think I found it already:
$_SERVER[ 'SCRIPT_NAME' ]
Seems to work.
Still, if somebody cares to elaborate on the subject: I'm curious what
kind
of security issues could show up when using these kinds of variables. Is
$_SERVER[ 'SCRIPT_NAME' ] secure? Much appreciated.
Yeah I read about the PHP_SELF problem recently too , the links below
cover the topic better than I can.
http://blog.phpdoc.info/archives/13-guid.html
http://www-03.ibm.com/developerworks...ver_trust_user
The second page mentions that all variables in $_SERVER which begins
with HTTP (HTTP_REFERER, HTTP_HOST etc) can be easily spoofed.
Regards,
Tim
Thanks for those links. Good stuff.
The correct way to get the php file is:
$_SERVER['PHP_SELF'] -- No security vulns. as per my knowledge.
Hope this helps, -Rob
amygdala wrote:
"amygdala" <no*****@norepl y.comschreef in bericht
news:44******** **************@ news.kpnplanet. nl...
Hi,
I read something about PHP_SELF possibly issuing security flaws, since
requesting...
http://www.mydomain.com/thescript.php/bogus
...would output '/thescript.php/bogus' if PHP_SELF is issued in
thescript.php
Can't seem to find the article anymore though.
What would be a good workaround for this?
__FILE__ isn't an option here cause I would like to issue PHP_SELF / your
suggestion in a class that is included in thescript.php
Is there no native PHP variable that returns the pure filename (no path,
no querystring, no trailing user input, etc.) ?
Thanks a bunch.
I think I found it already:
$_SERVER[ 'SCRIPT_NAME' ]
Seems to work.
Still, if somebody cares to elaborate on the subject: I'm curious what kind
of security issues could show up when using these kinds of variables. Is
$_SERVER[ 'SCRIPT_NAME' ] secure? Much appreciated.
Robert wrote:
The correct way to get the php file is:
$_SERVER['PHP_SELF'] -- No security vulns. as per my knowledge.
<snip>
Read the thread above. The security issue was a big noise sometimes
ago; until that time, I was using $_SERVER['PHP_SELF']; but now using
$_SERVER['SCRIPT_NAME']
--
<?php echo 'Just another PHP saint'; ?>
Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/ This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics | |
by: Chris Pomasl |
last post by:
Does no one have any insight?......please?
Chris
-------- Original Message --------
Subject: Problem with __FILE__ magic constant
Date: Tue, 06 Jan 2004 16:43:41 GMT
From: Chris Pomasl <pomaslNOSPAM@starband.net>
Organization: Starband Communications
Newsgroups: comp.lang.php
|
by: knoak |
last post by:
Hi there,
I know the code $PHP_SELF to find out
the name of a file itself. Only if you
include a file with $PHP_SELF in it, it takes
the name of the parent-file.
How do i get the name of the actual file...
Hope this is clear enough.
|
by: Maja |
last post by:
here's situation:
i have installed php 5 and apache 2.0.
i can call my page with:
localhost\\subdir\page.php
inside my page i use links like this:
|
by: Don |
last post by:
What's the PHP equivalent for the following?
if(window.location == "http:/site.com/page1.html")
{
}
else
{
}
|
by: Michael Brennan-White |
last post by:
If I submit my for using a get action the resulting page loads . If I
use a post action I get an error page saying "The page cannot be
found". I am calling the originating page!!! This happens in IE as
well as FireFox.
This code has been tested on a Win2003 server, IIS6, PHP 5.0.3, mySQL
4.1.8 and it works fine.
The problem server is a Win2k server, IIS5, PHP 5.0.4, mySQL 4.1.11.
| | |
by: qazmlp |
last post by:
How exactly __FILE__ and __LINE__ macros are defined? Or, Is the
definition of these macros implementation dependent ?
I am wondering how easily they can get the file name and line number
respectively.
|
by: Lukas Ruf |
last post by:
Dear all,
for debugging purposes, I like the pre-compiler macros
__FILE__, __FUNCTION__, __LINE__
I have been wondering if there is a short form of __FILE__ that
provides only the filename without path.
I am using gcc as available in Debian unstable:
|
by: Jim Carlock |
last post by:
Are the XSS / Cross Site Scripting attacks fixed in Version 4.44?
I'm seeing that $_SERVER doesn't return the
$_SERVER appended to it.
I was just messing with a few things and noticed that PHP_SELF
returns only the page name now and without the $_GET query...
http://blog.phpdoc.info/archives/13-XSS-Woes.html
|
by: 7stud |
last post by:
Hi,
I'm having trouble understanding what the definition of __file__ is.
With this program:
------
#data.py:
def show():
print __file__
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look !
Part I. Meaning of...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it.
First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
| | |
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth.
The Art of Business Website Design
Your website is...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own....
Now, this would greatly impact the work of software developers. The idea...
|
by: TSSRALBI |
last post by:
Hello
I'm a network technician in training and I need your help.
I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs.
The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols.
I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
|
by: adsilva |
last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
|
by: 6302768590 |
last post by:
Hai team
i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
| | |
by: bsmnconsultancy |
last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...
| |
