Well, this might be sad news for those who normally use it :( I was once a fan of it and used it quite a lot in form actions, but then realized that a form action can be null if it is the same page. So I chose the easier one :D
$_SERVER['REQUEST_URI'] and $_SERVER['PHP_SELF'] come from the request headers, not from the server. Until recently I thought they came from the server, but after reading some docs about it I found out they do not, and that they are vulnerable to XSS attacks.
How are $_SERVER['REQUEST_URI'] and $_SERVER['PHP_SELF'] vulnerable to XSS?
Quite simply. You might wonder how someone could inject an XSS script through the address bar and have it affect those global variables, right? :) Now watch this:
<form action="<?php echo $_SERVER['PHP_SELF']?>" method="post">
<input type="text" name="test" />
</form>
Add this to your address bar, assuming the file is form.php:
form.php/"<script>alert('hello');</script>
Now you will notice that this alters the form action to whatever the user chooses, which means your project is XSS vulnerable :) I now suggest you use $_SERVER['SCRIPT_NAME'], which comes from the server. :)
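Added example, not code from the original post: a small PHP script that simulates the request above with a constructed $_SERVER array (the real values are set by the web server) and renders the form action the three ways discussed here, so the difference is visible without a web server.

```php
<?php
// Added example. The $_SERVER values below are constructed to mimic the
// request described in the post: form.php requested with extra path info
// that carries the same payload the post uses.
$_SERVER['SCRIPT_NAME'] = '/form.php';
$_SERVER['PHP_SELF']    = '/form.php/"<script>alert(\'hello\');</script>';
$_SERVER['REQUEST_URI'] = '/form.php/%22%3Cscript%3Ealert(%27hello%27);%3C/script%3E';

// 1. Raw PHP_SELF, as in the vulnerable form above: the quote closes the
//    action attribute and the script tag becomes live markup.
function actionRaw(): string {
    return '<form action="' . $_SERVER['PHP_SELF'] . '" method="post">';
}

// 2. PHP_SELF passed through htmlspecialchars(): the quote and angle
//    brackets become entities, so the browser treats them as text. Note
//    the action still points at the path-info URL, not at form.php itself.
function actionEscaped(): string {
    $self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $self . '" method="post">';
}

// 3. SCRIPT_NAME: the path of the executing script without the path info.
//    Escaping it as well costs nothing and keeps the output safe.
function actionScriptName(): string {
    $name = htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $name . '" method="post">';
}

// Check used for the demonstration: does the rendered markup contain a
// live <script> tag? Escaped output contains &lt;script instead.
function containsScriptTag(string $html): bool {
    return stripos($html, '<script') !== false;
}

$variants = [
    'raw'         => actionRaw(),
    'escaped'     => actionEscaped(),
    'script_name' => actionScriptName(),
];
foreach ($variants as $label => $html) {
    printf("%-12s %s\n%-12s script tag present: %s\n\n",
        $label, $html, '', containsScriptTag($html) ? 'yes' : 'no');
}
```

Run it with `php example.php`; only the raw variant reports a live script tag, and only the SCRIPT_NAME variant keeps the action pointed at form.php.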
I use it sometimes. But like so: echo htmlspecialchars($_SERVER['PHP_SELF'])
It makes it safe too, but it can alter your form action if you are using it as the form action :)