The risk of using $_SERVER['REQUEST_URI'] or $_SERVER['PHP_SELF'] in forms and links

Is there a risk of using $_SERVER['REQUEST_URI'] or $_SERVER['PHP_SELF'] as an action on the form or as an href in the link?

If so, what can be done to ease the risk?

+2
5 answers

You make the form at www.example.com/form.php. After a year, you forget that the URL simply captures any URL to which the page loads.

At some point, let's say that you have added a global "delete all" option in your structure as part of a completely different (slightly odd) request.

Now someone sends you this link: www.example.com/form.php?delete_everything=true. Since you just grab this URL and set it as the action, it is now the action of your form. Unfortunately. XSS attacks work basically this way.

Always assume that your code will be used (even by you, and especially hackers) in ways that you do not expect when you first write it.

How do you get around this? Hardcode the URL! You can write a function that returns the URL. Essentially, frameworks like Symfony or CodeIgniter solve this for you.

+1

$_SERVER is vulnerable to XSS attacks and must be sanitized using htmlspecialchars() before use.

Injection Example:

  <form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>"></form> 

Now call the form with the following injection:

http://www.example.com/form.php/%22%3E%3Cscript%3Ealert('xss attack')%3C/script%3E%3Cbr%20class=%22relevant

Always remember to sanitize the input ... ALWAYS!

+3

This is because $_SERVER['PHP_SELF'] and $_SERVER['REQUEST_URI'] can be manipulated in such a way that, if you do not escape them correctly, they can be used in XSS attacks.

A lot of this is possible because a URL like this will work fine:

 /path/to/index.php/" onmouseover="alert('hi') 

Use this code:

 <form action="<?php echo $_SERVER['PHP_SELF']; ?>"> ... </form> 

It calls /path/to/index.php, i.e. SCRIPT_NAME, but when you just echo $_SERVER['PHP_SELF'], it will break your intended HTML:

 <form action="/path/to/index.php/" onmouseover="alert('hi')"> ... </form> 

Solutions

In many cases, using <form action=""> is enough to make the form post to the same script. Otherwise, if you know that the script is called "bla.php", set action="bla.php".

+2
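The two answers above (the htmlspecialchars() advice and the PHP_SELF / SCRIPT_NAME comparison) are illustrated together in the following added example. It is not code from the original answers; the $phpSelf and $scriptName values are constructed to mimic the attack URL shown above, since in a real request PHP fills them in from the request path.

```php
<?php
declare(strict_types=1);

// Added example: renders the same form four ways so the difference between
// an unescaped PHP_SELF and the safe alternatives is visible in the output.

// Vulnerable: the attacker's double quote closes the action attribute and
// the rest of the path becomes new attributes on the <form> tag.
function vulnerableForm(string $phpSelf): string
{
    return '<form action="' . $phpSelf . '"> ... </form>';
}

// Fix 1: escape for the HTML attribute context. ENT_QUOTES is required
// because attribute values may be delimited by either quote character.
function escapedForm(string $phpSelf): string
{
    $action = htmlspecialchars($phpSelf, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form action="' . $action . '"> ... </form>';
}

// Fix 2: SCRIPT_NAME carries no trailing PATH_INFO, so the user-controlled
// suffix never reaches the markup; it is still escaped out of habit.
function scriptNameForm(string $scriptName): string
{
    $action = htmlspecialchars($scriptName, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form action="' . $action . '"> ... </form>';
}

// Fix 3: an empty action posts back to the current URL without echoing
// anything derived from the request at all.
function emptyActionForm(): string
{
    return '<form action=""> ... </form>';
}

// Constructed request values (assumption: what PHP would populate for the
// attack URL /path/to/index.php/" onmouseover="alert('hi') ).
$phpSelf    = '/path/to/index.php/" onmouseover="alert(\'hi\')';
$scriptName = '/path/to/index.php';

echo "vulnerable : ", vulnerableForm($phpSelf), PHP_EOL;
echo "escaped    : ", escapedForm($phpSelf), PHP_EOL;
echo "script name: ", scriptNameForm($scriptName), PHP_EOL;
echo "empty      : ", emptyActionForm(), PHP_EOL;
```

Run with `php example.php`. The vulnerable line reproduces the broken tag shown in the answer, with onmouseover as a live attribute; in the escaped line the quotes are encoded as entities, so the whole string stays inside the action value (the trailing PATH_INFO is still present but harmless, since it resolves to the same script). The SCRIPT_NAME and empty-action variants never include the attacker-controlled suffix at all, which is why the answer recommends them when the script name is known.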

Remember to convert each occurrence of "$_SERVER['PHP_SELF']" to "htmlentities($_SERVER['PHP_SELF'])" throughout the script.

How to avoid PHP_SELF exploits http://www.html-form-guide.com/php-form/php-form-action-self.html

0

No, since anyone can change the href links anyway (using a tool like Firebug). Of course, make sure that you do not put any sensitive data in this link.

Always validate and parse the user data that you receive.

-1
