Subscription

Pages: 5 (1006 words) Published: 23 July 2012
Using PHP_SELF in the action field of a form
in PHP Form
This article shows how the PHP_SELF variable is used and how to avoid PHP_SELF exploits.
What is PHP_SELF variable?
PHP_SELF is a server variable that holds the path of the script currently being executed, relative to the document root (so it starts with a slash). It is read as $_SERVER['PHP_SELF']. You can use this variable in the action field of a FORM. There are also certain exploits that you need to be aware of, because the value is built from the request URL and is therefore partly under the visitor's control. We shall discuss all these points in this article.

We will now see some examples.
echo $_SERVER['PHP_SELF'];
a) Suppose your php file is located at the address:
http://www.yourserver.com/form-action.php
In this case, PHP_SELF will contain:
"/form-action.php"
b) Suppose your php file is located at the address:
http://www.yourserver.com/dir1/form-action.php
For this URL, PHP_SELF will be :
"/dir1/form-action.php"
Using the PHP_SELF variable in the action field of the form
A common use of the PHP_SELF variable is in the action field of the <form> tag. The action field of the FORM tells the browser where to submit the form data when the user presses the "submit" button. It is common to have the same PHP page act as the handler for the form as well.
However, if you hard-code the file name in the action field and later rename the file, you need to update the action field too, or your forms will stop working.
Using the PHP_SELF variable you can write more generic code that works on any page, with no need to edit the action field.
Suppose you have a file called form-action.php and want to load the same page after the form is submitted. The usual form code would be:
<form method="post" action="form-action.php">
We can use the PHP_SELF variable instead of "form-action.php". The code becomes:
<form name="form1" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
The complete code of "form-action.php"
Here is the combined code, containing both the form and the PHP script that handles it.
<?php
// Runs only when the form has been posted back to this same script.
if (isset($_POST['submit'])) {
    // Encode the submitted value before echoing it into the page, so that
    // what the user typed cannot be interpreted as HTML or script.
    $name = htmlspecialchars($_POST['name'], ENT_QUOTES, 'UTF-8');

    echo "User has submitted the form and entered this name: <b>$name</b>";
    echo "<br>You can use the following form again to enter a new name.";
}
?>

<!-- PHP_SELF is echoed unescaped here; the exploit section below explains why that is dangerous. -->
<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
    <input type="text" name="name"><br>
    <input type="submit" name="submit" value="Submit Form"><br>
</form>
The PHP code sits above the HTML part and is executed first. Its first line checks whether the form has been submitted. The submit button is named "submit", so when it is pressed $_POST['submit'] is set and the IF condition is true. In that case we show the name entered by the user.
If the form has not been submitted, $_POST['submit'] is not set, the IF condition is false, and the code inside the block is skipped. In that case only the form is shown.
What are PHP_SELF exploits and how to avoid them
The PHP_SELF variable gives you the name and path of the current file, but it can be abused by attackers too. The value is not just the script's file name: it also includes any extra path segment that the client appends to the URL after the script name (the PATH_INFO part). So if PHP_SELF is echoed into your page unescaped, a user can add a slash (/) to the URL followed by a Cross Site Scripting (XSS) payload, and that payload is written straight into your HTML.
See below for an example:
<form name="test" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
Now, if a user has entered the normal URL in the address bar like
http://www.yourdomain.com/form-action.php
the above code is rendered as:
<form name="test" action="/form-action.php" method="post">
This is the normal case.
Now consider that the user has called this script by entering the following URL in the browser's address bar (shown on one line; %22 is a double quote, %3C and %3E are angle brackets):
http://www.yourdomain.com/form-action.php/%22%3E%3Cscript%3Ealert('xss')%3C/script%3E%3Cfoo%22
In this case, after PHP processing the code becomes:...
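As an added example, not code from the original article, the following command-line script renders the form tag from the URL above twice: once with PHP_SELF echoed raw, as in the article's form, and once passed through htmlspecialchars(), which is the standard fix. The value $attacker_php_self is constructed here to stand in for what $_SERVER['PHP_SELF'] holds on a typical Apache setup for that request (script path plus the decoded PATH_INFO suffix), so the script runs offline without a web server. The function names and the contains_raw_script() check are mine, chosen for the demonstration.

```php
<?php
// Added example (not from the original article). The value below is what
// PHP_SELF contains for the article's attack URL once the server has
// URL-decoded the path-info suffix; it is constructed here so the script
// can be run from the CLI without a web server.
$attacker_php_self = '/form-action.php/"><script>alert(\'xss\')</script><foo"';

// Vulnerable: PHP_SELF (which includes any PATH_INFO) is written raw into
// an HTML attribute, so the quote and angle brackets break out of the tag.
function form_tag_vulnerable(string $php_self): string
{
    return '<form name="test" action="' . $php_self . '" method="post">';
}

// Hardened: encode the value for an HTML attribute context. ENT_QUOTES
// encodes both quote styles; the browser decodes the entities again when
// it submits the form, so the action still points at this script.
function form_tag_safe(string $php_self): string
{
    $safe = htmlspecialchars($php_self, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form name="test" action="' . $safe . '" method="post">';
}

// Alternative: SCRIPT_NAME is the script path without the PATH_INFO
// suffix, so the attacker-controlled part never reaches the attribute.
// It is still encoded; no $_SERVER value should be echoed into HTML raw.
function form_tag_script_name(string $script_name): string
{
    $safe = htmlspecialchars($script_name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form name="test" action="' . $safe . '" method="post">';
}

// Crude check used only for this demonstration: is there a live <script
// tag anywhere in the rendered markup?
function contains_raw_script(string $html): bool
{
    return stripos($html, '<script') !== false;
}

$vuln = form_tag_vulnerable($attacker_php_self);
$safe = form_tag_safe($attacker_php_self);

echo "Vulnerable: $vuln\n";
echo "Hardened:   $safe\n";
echo "Raw <script> present in vulnerable output: " . (contains_raw_script($vuln) ? 'yes' : 'no') . "\n";
echo "Raw <script> present in hardened output:   " . (contains_raw_script($safe) ? 'yes' : 'no') . "\n";
echo "Using SCRIPT_NAME instead: " . form_tag_script_name('/form-action.php') . "\n";
```

Run it with `php` from the command line. In the vulnerable output the attribute is closed by the injected `">`, the script tag is live, and the trailing `<foo"" method="post">` is left as junk markup; in the hardened output the whole suffix is inert text inside the attribute. In the real form this means writing `htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8')` inside the echo instead of the bare variable. Encoding fixes the markup injection but does not stop a visitor from crafting such URLs, so if you do not need the path-info suffix at all, $_SERVER['SCRIPT_NAME'] (still encoded) or omitting the action attribute, which makes browsers post to the current URL, are cleaner choices.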