Mailinglist Archive: opensuse (3566 mails)
Re: [opensuse] PHP Question
- From: "Cristian Rodriguez R." <judas_iscariote@xxxxxxxxxxxxx>
- Date: Fri, 27 Apr 2007 18:16:48 -0400
- Message-id: <46327650.4030400@xxxxxxxxxxxxx>
Randall R Schulz wrote:
> On Friday 27 April 2007 14:26, Cristian Rodriguez R. wrote:
>> John D Lamb wrote:
>>> <form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
>> Sure, and then you get a free security hole.
>>
>> it should say.
>>
>> <form method="post" action="<?php echo $_SERVER['SCRIPT_NAME']; ?>">
>>
>> or in case you **really** want to use PHP_SELF
>>
>> <form method="post" action="<?php echo
>> htmlspecialchars($_SERVER['PHP_SELF']); ?>">
>
>
> If that's true, then anyone could just grab the HTML, change the
> SCRIPT_NAME back to PHP_SELF,
huh ? PHP is interpreted on the server .. they will not be able to
change what code is executed in the server. however in this case there
is an XSS hole if you use PHP_SELF without sanitization.
see a practical example
http://blog.phpdoc.info/archives/13-XSS-Woes.html
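The difference between the three form snippets in this thread, as an added, runnable example that is not part of the original mail. The `$server` array below is a constructed stand-in for `$_SERVER`, assuming a request for `/index.php` with extra path info appended by the client; the three `formAction*` functions are illustrative names, not PHP builtins.

```php
<?php
// Added example (not from the original thread): why PHP_SELF needs escaping
// in an HTML attribute and why SCRIPT_NAME is the safer default.
// Runs from the CLI; no web server needed.

// Constructed stand-in for $_SERVER. PHP_SELF reflects the request path,
// including client-supplied PATH_INFO, so it can carry characters that
// terminate the action="..." attribute. SCRIPT_NAME is the script path as
// resolved by the server, without the trailing path info.
$server = [
    'SCRIPT_NAME' => '/index.php',
    'PHP_SELF'    => '/index.php/"><b>path-info-text</b>',   // constructed sample
];

// Unsafe: raw PHP_SELF closes the attribute early and whatever followed the
// script name in the request URL becomes part of the page (the XSS hole).
function formActionUnsafe(array $server): string
{
    return '<form method="post" action="' . $server['PHP_SELF'] . '">';
}

// Safe variant 1: use SCRIPT_NAME (still escaped, as any attribute value should be).
function formActionScriptName(array $server): string
{
    $action = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $action . '">';
}

// Safe variant 2: keep PHP_SELF but escape it for the attribute context.
function formActionEscaped(array $server): string
{
    $action = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $action . '">';
}

// Simple check a reviewer can apply: the rendered tag must contain exactly one
// opening <form ...> and no raw quote inside the action value.
function attributeIsIntact(string $tag): bool
{
    return preg_match('/^<form method="post" action="[^"<>]*">$/', $tag) === 1;
}

foreach (['formActionUnsafe', 'formActionScriptName', 'formActionEscaped'] as $fn) {
    $tag = $fn($server);
    printf("%-22s %s\n  intact: %s\n", $fn . ':', $tag, attributeIsIntact($tag) ? 'yes' : 'NO');
}
```

`ENT_QUOTES` is passed explicitly because older PHP releases default `htmlspecialchars()` to `ENT_COMPAT`, which leaves single quotes unescaped; that matters if the attribute is ever written with single quotes. Even with `SCRIPT_NAME`, escaping costs nothing and keeps the output safe if the value is later changed to something client-influenced.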