I have been working on some PHP scripts that use PHP_SELF to identify the script itself. That is going to change since it is a security issue.
Why Validate PHP_SELF?
It’s a server side value, so how could it be a security issue? It can be altered by the user for XSS (Cross Side Scripting).
Here is an example of how PHP_SELF is typically used:
PHP Code:
<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>"> <!-- My Form --> </form>
An experienced hacker could do the following:
http://www.mydomain.com/form.php/%22%3E%3Cscript%3Ealert(’XSS attack’)%3C/script%3E%3Cbr
Now the script looks like this:
PHP Code:
<form method="post" action="http://www.mydomain.com/form.php/"> <script>alert('XSS attack')</script><br> <!-- My Form --> </form>
This example is harmless, but it is a pedagogical idea of how easy it is to hack..
Remedy
You can validate PHP_SELF or hard-code the script name.
Here is how to validate PHP_SELF:
PHP Code:
// Get the name of the file (form.php) $phpself = basename(__FILE__); //Get everything from start of PHP_SELF to where $phpself begins //Cut that part out, and place $phpself after it $_SERVER['PHP_SELF'] = substr($_SERVER['PHP_SELF'], 0, strpos($_SERVER['PHP_SELF'], $phpself)) . $phpself; // PHP_SELF is now safe to use