
XSS / Cross Site Scripting Attacks Fixed $_SERVER['PHP_SELF'] ?

Are the XSS / Cross Site Scripting attacks fixed in Version 4.44?

I'm seeing that $_SERVER['PHP_SELF'] doesn't return the
$_SERVER['HTTP_QUERYSTRING'] appended to it.

I was just messing with a few things and noticed that PHP_SELF
returns only the page name now and without the $_GET query...

http://blog.phpdoc.info/archives/13-XSS-Woes.html

Any comments on this are appreciated.

Thanks.

--
Jim Carlock
Post replies to the group.

Nov 21 '06 #1
Hi,

When using PHP_SELF, I would suggest encoding it appropriately. For
instance:

<form action="<?= htmlentities($_SERVER['PHP_SELF'], ENT_QUOTES) ?>">

In a request to /home.php/a/b/c/d?p=q, your variables would usually be:

REQUEST_URI: /home.php/a/b/c/d?p=q
SCRIPT_NAME: /home.php
PATH_INFO: /a/b/c/d
QUERY_STRING: p=q
PHP_SELF: /home.php/a/b/c/d

An inbound link could put some unsafe code in the PATH_INFO part, so
it's good to encode it when outputting it as HTML.
Nov 21 '06 #2
Jim Carlock wrote...
: After messing with a few things I noticed 'PHP_SELF'
: returns the page name without the $_GET query strings...
:
: http://blog.phpdoc.info/archives/13-XSS-Woes.html

"petersprc" stated...
: When using PHP_SELF, I would suggest encoding it appropriately.
: For instance:
:
: <form action="<?= htmlentities($_SERVER['PHP_SELF'], ENT_QUOTES) ?>">
:
: In a request to /home.php/a/b/c/d?p=q, your variables would usually
: be:
:
: REQUEST_URI: /home.php/a/b/c/d?p=q
: SCRIPT_NAME: /home.php
: PATH_INFO: /a/b/c/d
: QUERY_STRING: p=q
: PHP_SELF: /home.php/a/b/c/d
:
: An inbound link could put some unsafe code in the PATH_INFO
: part, so it's good to encode it when outputting it as HTML.

Good information. Thanks Peter. Maybe it was an Apache bug fixed
by Apache 1.3.37?

Another thing that occurs: PHP_ERR.LOG files show up when
the temporary directory gets deleted. In other words, when the
temporary folder goes bye-bye, "php_err.log" files start appearing
in the folders of the website which uses $_SESSION variables.
I'm working with PHP 4.4.4 and Apache 1.3.37 (Windows).

Comments are appreciated.

Thanks.

--
Jim Carlock
Nov 21 '06 #3
You are right that PHP_SELF doesn't include any of the query part. But
still, outputting an unsanitized PHP_SELF would be a problem and could
lead to an XSS vulnerability, because the client can usually include
arbitrary text in the PATH_INFO part. If you use htmlentities, it
should pretty much address that potential problem.

Nov 24 '06 #4
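As an added example (not code posted in this thread), the following PHP script models the variable table from Peter's first reply and the point of his second one: PHP_SELF is SCRIPT_NAME plus PATH_INFO, the query string is never part of it, and PATH_INFO is text the client chooses, so it must be HTML-encoded before it lands in a form action. The splitRequestUri helper, the "/home.php" script name and the two request URIs are assumptions constructed for the demo; on a real server these values come from Apache via $_SERVER.

```php
<?php
// Added example, not from the thread. Models how a request URI maps onto
// the $_SERVER variables in Peter's table, and why the encoded form action
// he suggests matters when PATH_INFO carries text from an inbound link.

/**
 * Hypothetical helper: split a request URI the way Apache + PHP do.
 * $scriptName is assumed to be the script the server resolved the
 * request to (e.g. "/home.php"); everything after it up to "?" is
 * PATH_INFO, everything after "?" is QUERY_STRING.
 */
function splitRequestUri($requestUri, $scriptName)
{
    $path  = $requestUri;
    $query = '';
    $qpos  = strpos($requestUri, '?');
    if ($qpos !== false) {
        $path  = substr($requestUri, 0, $qpos);
        $query = substr($requestUri, $qpos + 1);
    }

    $pathInfo = '';
    if (strpos($path, $scriptName) === 0) {
        // cast: older PHP returns false for an empty tail
        $pathInfo = (string) substr($path, strlen($scriptName));
    }

    return array(
        'REQUEST_URI'  => $requestUri,
        'SCRIPT_NAME'  => $scriptName,
        'PATH_INFO'    => $pathInfo,
        'QUERY_STRING' => $query,
        // PHP_SELF is script name plus PATH_INFO; the query string is
        // not part of it, which matches what Jim observed.
        'PHP_SELF'     => $scriptName . $pathInfo,
    );
}

/** The risky pattern: PHP_SELF dropped into HTML unencoded. */
function formActionUnsafe($phpSelf)
{
    return '<form action="' . $phpSelf . '">';
}

/** Peter's fix: HTML-encode it, quotes included, before output. */
function formActionSafe($phpSelf)
{
    return '<form action="' . htmlentities($phpSelf, ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed inputs: Peter's normal request, and one whose PATH_INFO
// contains a quote and a tag, the kind of text an inbound link can put there.
$requests = array(
    '/home.php/a/b/c/d?p=q',
    '/home.php/"><b>not-a-path</b>?p=q',
);

foreach ($requests as $uri) {
    $vars = splitRequestUri($uri, '/home.php');
    foreach ($vars as $name => $value) {
        printf("%-13s %s\n", $name . ':', $value);
    }
    echo 'unsafe: ' . formActionUnsafe($vars['PHP_SELF']) . "\n";
    echo 'safe:   ' . formActionSafe($vars['PHP_SELF']) . "\n\n";
}
```

Run it with `php example.php`. For the first request the two form tags are identical; for the second, the unencoded version closes the action attribute and emits a tag into the page, while the encoded version renders the quote and angle brackets as `&quot;`, `&lt;` and `&gt;` so the browser treats them as literal characters. Two practical notes: a browser will percent-encode such characters in the URL, but Apache decodes the path before filling PATH_INFO and PHP_SELF, so the decoded text is what reaches your script; and since SCRIPT_NAME excludes PATH_INFO in the usual Apache setup, a form that only needs to post back to the script can use that variable instead, still passed through htmlentities or htmlspecialchars.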
Description of PHP_SELF:
http://blog.phpdoc.info/archives/13-XSS-Woes.html

Nov 24 '06 #5
