Hi,
I read something about PHP_SELF possibly issuing security flaws, since
requesting... http://www.mydomain.com/thescript.php/bogus
....would output '/thescript.php/bogus' if PHP_SELF is issued in
thescript.php
Can't seem to find the article anymore though.
What would be a good workaround for this?
__FILE__ isn't an option here cause I would like to issue PHP_SELF / your
suggestion in a class that is included in thescript.php
Is there no native PHP variable that returns the pure filename (no path, no
querystring, no trailing user input, etc.) ?
Thanks a bunch. 5  4738 
"amygdala" <no*****@noreply.comschreef in bericht
news:44**********************@news.kpnplanet.nl...
Hi,
I read something about PHP_SELF possibly issuing security flaws, since
requesting...
http://www.mydomain.com/thescript.php/bogus
...would output '/thescript.php/bogus' if PHP_SELF is issued in
thescript.php
Can't seem to find the article anymore though.
What would be a good workaround for this?
__FILE__ isn't an option here cause I would like to issue PHP_SELF / your
suggestion in a class that is included in thescript.php
Is there no native PHP variable that returns the pure filename (no path,
no querystring, no trailing user input, etc.) ?
Thanks a bunch.
I think I found it already:
$_SERVER[ 'SCRIPT_NAME' ]
Seems to work.
Still, if somebody cares to elaborate on the subject: I'm curious what kind
of security issues could show up when using these kinds of variables. Is
$_SERVER[ 'SCRIPT_NAME' ] secure? Much appreciated.
amygdala wrote:
"amygdala" <no*****@noreply.comschreef in bericht
news:44**********************@news.kpnplanet.nl...
Hi,
I read something about PHP_SELF possibly issuing security flaws, since
requesting...
http://www.mydomain.com/thescript.php/bogus
...would output '/thescript.php/bogus' if PHP_SELF is issued in
thescript.php
Can't seem to find the article anymore though.
What would be a good workaround for this?
__FILE__ isn't an option here cause I would like to issue PHP_SELF / your
suggestion in a class that is included in thescript.php
Is there no native PHP variable that returns the pure filename (no path,
no querystring, no trailing user input, etc.) ?
Thanks a bunch.
I think I found it already:
$_SERVER[ 'SCRIPT_NAME' ]
Seems to work.
Still, if somebody cares to elaborate on the subject: I'm curious what kind
of security issues could show up when using these kinds of variables. Is
$_SERVER[ 'SCRIPT_NAME' ] secure? Much appreciated.
Yeah I read about the PHP_SELF problem recently too , the links below
cover the topic better than I can. http://blog.phpdoc.info/archives/13-guid.html http://www-03.ibm.com/developerworks...ver_trust_user
The second page mentions that all variables in $_SERVER which begins
with HTTP (HTTP_REFERER, HTTP_HOST etc) can be easily spoofed.
Regards,
Tim
"Tim Hunt" <ti********@gmail.comschreef in bericht
news:11**********************@b28g2000cwb.googlegr oups.com...
>
amygdala wrote:
>"amygdala" <no*****@noreply.comschreef in bericht
news:44**********************@news.kpnplanet.nl.. .
Hi,
I read something about PHP_SELF possibly issuing security flaws, since
requesting...
http://www.mydomain.com/thescript.php/bogus
...would output '/thescript.php/bogus' if PHP_SELF is issued in
thescript.php
Can't seem to find the article anymore though.
What would be a good workaround for this?
__FILE__ isn't an option here cause I would like to issue PHP_SELF /
your
suggestion in a class that is included in thescript.php
Is there no native PHP variable that returns the pure filename (no
path,
no querystring, no trailing user input, etc.) ?
Thanks a bunch.
I think I found it already:
$_SERVER[ 'SCRIPT_NAME' ]
Seems to work.
Still, if somebody cares to elaborate on the subject: I'm curious what
kind
of security issues could show up when using these kinds of variables. Is
$_SERVER[ 'SCRIPT_NAME' ] secure? Much appreciated.
Yeah I read about the PHP_SELF problem recently too , the links below
cover the topic better than I can.
http://blog.phpdoc.info/archives/13-guid.html
http://www-03.ibm.com/developerworks...ver_trust_user
The second page mentions that all variables in $_SERVER which begins
with HTTP (HTTP_REFERER, HTTP_HOST etc) can be easily spoofed.
Regards,
Tim
Thanks for those links. Good stuff.
The correct way to get the php file is:
$_SERVER['PHP_SELF'] -- No security vulns. as per my knowledge.
Hope this helps, -Rob
amygdala wrote:
"amygdala" <no*****@noreply.comschreef in bericht
news:44**********************@news.kpnplanet.nl...
Hi,
I read something about PHP_SELF possibly issuing security flaws, since
requesting...
http://www.mydomain.com/thescript.php/bogus
...would output '/thescript.php/bogus' if PHP_SELF is issued in
thescript.php
Can't seem to find the article anymore though.
What would be a good workaround for this?
__FILE__ isn't an option here cause I would like to issue PHP_SELF / your
suggestion in a class that is included in thescript.php
Is there no native PHP variable that returns the pure filename (no path,
no querystring, no trailing user input, etc.) ?
Thanks a bunch.
I think I found it already:
$_SERVER[ 'SCRIPT_NAME' ]
Seems to work.
Still, if somebody cares to elaborate on the subject: I'm curious what kind
of security issues could show up when using these kinds of variables. Is
$_SERVER[ 'SCRIPT_NAME' ] secure? Much appreciated.
Robert wrote:
The correct way to get the php file is:
$_SERVER['PHP_SELF'] -- No security vulns. as per my knowledge.
<snip>
Read the thread above. The security issue was a big noise sometimes
ago; until that time, I was using $_SERVER['PHP_SELF']; but now using
$_SERVER['SCRIPT_NAME']
--
<?php echo 'Just another PHP saint'; ?>
Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/ This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: Chris Pomasl |
last post by:
Does no one have any insight?......please?
Chris
-------- Original Message --------
Subject: Problem with __FILE__ magic constant
Date: Tue, 06 Jan 2004 16:43:41 GMT
From: Chris Pomasl...
|
by: knoak |
last post by:
Hi there,
I know the code $PHP_SELF to find out
the name of a file itself. Only if you
include a file with $PHP_SELF in it, it takes
the name of the parent-file.
How do i get the name of the...
|
by: Maja |
last post by:
here's situation:
i have installed php 5 and apache 2.0.
i can call my page with:
localhost\\subdir\page.php
inside my page i use links like this:
|
by: Don |
last post by:
What's the PHP equivalent for the following?
if(window.location == "http:/site.com/page1.html")
{
}
else
{
}
|
by: Michael Brennan-White |
last post by:
If I submit my for using a get action the resulting page loads . If I
use a post action I get an error page saying "The page cannot be
found". I am calling the originating page!!! This happens...
|
by: qazmlp |
last post by:
How exactly __FILE__ and __LINE__ macros are defined? Or, Is the
definition of these macros implementation dependent ?
I am wondering how easily they can get the file name and line number...
|
by: Lukas Ruf |
last post by:
Dear all,
for debugging purposes, I like the pre-compiler macros
__FILE__, __FUNCTION__, __LINE__
I have been wondering if there is a short form of __FILE__ that
provides only the filename...
|
by: Jim Carlock |
last post by:
Are the XSS / Cross Site Scripting attacks fixed in Version 4.44?
I'm seeing that $_SERVER doesn't return the
$_SERVER appended to it.
I was just messing with a few things and noticed that...
|
by: 7stud |
last post by:
Hi,
I'm having trouble understanding what the definition of __file__ is.
With this program:
------
#data.py:
def show():
print __file__
|
by: Charles Arthur |
last post by:
How do i turn on java script on a villaon, callus and itel keypad mobile phone
|
by: ryjfgjl |
last post by:
In our work, we often receive Excel tables with data in the same format. If we want to analyze these data, it can be difficult to analyze them because the data is spread across multiple Excel files...
|
by: BarryA |
last post by:
What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...
|
by: nemocccc |
last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
|
by: Hystou |
last post by:
There are some requirements for setting up RAID:
1. The motherboard and BIOS support RAID configuration.
2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers,...
|
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows...
| |
