Comments on: $_SERVER['PHP_SELF'] can not be trusted, but there are safe alternatives http://www.mc2design.com/blog/php_self-safe-alternatives Web development and marketing from the squares at MC² Design Group Mon, 28 Sep 2009 19:44:08 +0000 http://wordpress.org/?v=2.9 hourly 1 By: halı yıkama http://www.mc2design.com/blog/php_self-safe-alternatives/comment-page-1#comment-69081 halı yıkama Wed, 29 Jul 2009 12:46:46 +0000 http://www.mc2design.com/blog/php_self-you-little-rascal#comment-69081 $_SERVER['PHP_SELF'] can not be trusted, but there are safe alternatives - The Q great article thank you. $_SERVER['PHP_SELF'] can not be trusted, but there are safe alternatives – The Q great article thank you.

]]> By: Jarrett M. Barnett http://www.mc2design.com/blog/php_self-safe-alternatives/comment-page-1#comment-68596 Jarrett M. Barnett Tue, 07 Jul 2009 19:59:37 +0000 http://www.mc2design.com/blog/php_self-you-little-rascal#comment-68596 This post is actually fairly old. From my understanding leaving the action blank (action="") is both not proper and still open to XSS attacks. If your using PHP5 (and maybe later versions of PHP4), you should look into htmlspecialchars() - <a href="http://us2.php.net/manual/en/function.htmlspecialchars.php" rel="nofollow">http://us2.php.net/manual/en/function.htmlspecialchars.php</a> I personally purify everything. This post is actually fairly old. From my understanding leaving the action blank (action=”") is both not proper and still open to XSS attacks.

If your using PHP5 (and maybe later versions of PHP4), you should look into htmlspecialchars() – http://us2.php.net/manual/en/function.htmlspecialchars.php

I personally purify everything.

]]> By: kapil http://www.mc2design.com/blog/php_self-safe-alternatives/comment-page-1#comment-67809 kapil Tue, 16 Jun 2009 10:19:33 +0000 http://www.mc2design.com/blog/php_self-you-little-rascal#comment-67809 I used action="" and it solved what I needed. Is this ok to do or does this also has any security issue? I used action="" and it solved what I needed. Is this ok to do or does this also has any security issue?

]]> By: Frank http://www.mc2design.com/blog/php_self-safe-alternatives/comment-page-1#comment-67167 Frank Fri, 29 May 2009 22:21:18 +0000 http://www.mc2design.com/blog/php_self-you-little-rascal#comment-67167 Stumbled onto this from reddit, thanks that is an awesome heads up on a fairly common practice! Stumbled onto this from reddit, thanks that is an awesome heads up on a fairly common practice!

]]> By: Daniel Hahler http://www.mc2design.com/blog/php_self-safe-alternatives/comment-page-1#comment-67152 Daniel Hahler Fri, 29 May 2009 15:39:06 +0000 http://www.mc2design.com/blog/php_self-you-little-rascal#comment-67152 Good post. You can just use "" (empty string) for the form action though (instead of "#"). Or just use htmlspecialchars() to output PHP_SELF (but leaving it away makes more sense anyway). Good post. You can just use "" (empty string) for the form action though (instead of "#").
Or just use htmlspecialchars() to output PHP_SELF (but leaving it away makes more sense anyway).

]]> By: Radman http://www.mc2design.com/blog/php_self-safe-alternatives/comment-page-1#comment-62481 Radman Sun, 01 Mar 2009 22:07:23 +0000 http://www.mc2design.com/blog/php_self-you-little-rascal#comment-62481 Every time i come here I am not dissapointed, nice post Every time i come here I am not dissapointed, nice post

]]> By: Kristof http://www.mc2design.com/blog/php_self-safe-alternatives/comment-page-1#comment-62311 Kristof Tue, 24 Feb 2009 19:41:47 +0000 http://www.mc2design.com/blog/php_self-you-little-rascal#comment-62311 Turn MultiViews off and your problem is solved. Turn MultiViews off and your problem is solved.

]]> By: Matthew Byrne: the blog » Form breaks Wordpress http://www.mc2design.com/blog/php_self-safe-alternatives/comment-page-1#comment-59282 Matthew Byrne: the blog » Form breaks Wordpress Mon, 26 Jan 2009 19:26:26 +0000 http://www.mc2design.com/blog/php_self-you-little-rascal#comment-59282 [...] scrabbling around looking for answers I did come across a good article about security vulnerability when using the PHP_Self command, it’s well worth a read. Tags: form, php, security, Wordpress [...] [...] scrabbling around looking for answers I did come across a good article about security vulnerability when using the PHP_Self command, it’s well worth a read. Tags: form, php, security, Wordpress [...]

]]> By: Tormn http://www.mc2design.com/blog/php_self-safe-alternatives/comment-page-1#comment-37897 Tormn Tue, 22 Jul 2008 12:53:31 +0000 http://www.mc2design.com/blog/php_self-you-little-rascal#comment-37897 As a hacker, I also would like to tell you how important XSS attacks are. If XSS is available on a website, you will most likely get access to other peoples accounts. There are ways you can stop this from happening, but most people do not stop XSS. As a hacker, I also would like to tell you how important XSS attacks are. If XSS is available on a website, you will most likely get access to other peoples accounts. There are ways you can stop this from happening, but most people do not stop XSS.

]]>