Why you should not use $_SERVER[‘REQUEST_URI’] and $_SERVER[‘PHP_SELF’]
Well, this might be a sad news for those who normally use 🙁 I once was a fan to it and use it quite well in form actions but realized that form actions can be null if its the same page. So i choose the easier one 😀
$_SERVER[‘REQUEST_URI’] and $_SERVER[‘PHP_SELF’] are from headers not from server, lately I thought it was from the server but read some docs about it and found out its not from server and its vulnerable to XSS attacks.
How is $_SERVER[‘REQUEST_URI’] and $_SERVER[‘PHP_SELF’] XSS Vulnerable?
Quite well, you might think how can someone inject XSS script into the address bar and it affects those global variables right? 🙂 Now watch this:
|
1 2 3 |
<form action="<?php echo $_SERVER['PHP_SELF']?>" method="post"> <input type="text" name="test" /> </form> |
Add this to your address bar, assuming the file is form.php:
|
1 |
form.php/"<script>alert('hello');</script> |
Now you’ve come to notice that this alters the form action to the user’s choice which means your project is XSS vulnerable 🙂 I now suggest you use $_SERVER[‘SCRIPT_NAME’] which is from server. 🙂
James John
Software Engineer
