Mailinglist Archive: opensuse (3566 mails)
Re: [opensuse] PHP Question
- From: Randall R Schulz <rschulz@xxxxxxxxx>
- Date: Fri, 27 Apr 2007 15:30:18 -0700
- Message-id: <200704271530.19031.rschulz@xxxxxxxxx>
On Friday 27 April 2007 15:16, Cristian Rodriguez R. wrote:
> Randall R Schulz escribió:
> > On Friday 27 April 2007 14:26, Cristian Rodriguez R. wrote:
> >>> <form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
> >>
> >> Sure, and then you get a free security hole.
> >>
> >> It should say:
> >>
> >> <form method="post" action="<?php echo $_SERVER['SCRIPT_NAME'];
> >> ?>">
> >>
> >> or in case you **really** want to use PHP_SELF
> >>
> >> <form method="post" action="<?php echo
> >> htmlspecialchars($_SERVER['PHP_SELF']); ?>">
> >
> > If that's true, then anyone could just grab the HTML, change the
> > SCRIPT_NAME back to PHP_SELF,
>
> Huh? PHP is interpreted on the server; they will not be able to
> change what code is executed in the server.
I know PHP runs on the server.
But you're talking about <form> elements in the HTML that resides in
clients' browsers. You can serve anything you like, but you cannot keep
people from altering it and then loading the altered HTML into their
browser and submitting the form-generated requests from the altered
HTML to your server. In essence you're accepting fragments of PHP code
from the client, which is often a security risk. It's similar to taking
user-supplied text, interleaving it with fragments of SQL statement
text and submitting the result as commands to your database.
> ...
Randall Schulz
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx
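The hole Cristian is pointing at is reflected XSS, not client-side tampering: under Apache/mod_php a request for `/form.php/<anything>` is still routed to `form.php`, and the trailing part (PATH_INFO) is folded into `$_SERVER['PHP_SELF']` but not into `$_SERVER['SCRIPT_NAME']`. Echoing PHP_SELF unescaped into the `action` attribute therefore lets an attacker who controls the URL close the attribute and inject markup. The script below is an added illustration, not code from the thread; it simulates the request by populating `$_SERVER` the way mod_php would for a constructed attacker URL (`/form.php/"><script>...`), then renders the three form tags from the thread side by side. The helper names (`simulate_request`, `form_vulnerable`, `form_script_name`, `form_escaped`, `form_is_safe`) are this example's own.

```php
<?php
// Added example: reflected XSS via $_SERVER['PHP_SELF'] and the two fixes
// suggested in the thread (SCRIPT_NAME, or htmlspecialchars on PHP_SELF).
// Runs offline under php-cli: no web server needed, the request is simulated.

// Fill $_SERVER as Apache/mod_php would for a request to /form.php/<extra>.
// The script path is fixed to /form.php; everything after it is PATH_INFO,
// which PHP appends to PHP_SELF but never to SCRIPT_NAME.
function simulate_request(string $request_path): void {
    $script = '/form.php';                       // assumed script location
    $_SERVER['SCRIPT_NAME'] = $script;
    $_SERVER['PATH_INFO']   = substr($request_path, strlen($script));
    $_SERVER['PHP_SELF']    = $script . $_SERVER['PATH_INFO'];
}

// The form tag from the original question: PHP_SELF echoed raw.
function form_vulnerable(): string {
    return '<form method="post" action="' . $_SERVER['PHP_SELF'] . '">';
}

// Fix 1 from the thread: SCRIPT_NAME carries no PATH_INFO.
function form_script_name(): string {
    return '<form method="post" action="' . $_SERVER['SCRIPT_NAME'] . '">';
}

// Fix 2 from the thread: keep PHP_SELF but escape it for an HTML attribute.
// ENT_QUOTES matters here because the attribute is delimited by double quotes.
function form_escaped(): string {
    return '<form method="post" action="'
         . htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8') . '">';
}

// Crude property check: a safe rendering contains no raw "<script" and no
// unescaped double quote other than the two that delimit the attribute.
function form_is_safe(string $html): bool {
    $no_script = stripos($html, '<script') === false;
    $quotes_ok = substr_count($html, '"') === 4;   // method="post" action="..."
    return $no_script && $quotes_ok;
}

// Constructed attacker URL (not a real request): closes the action attribute,
// injects a script, and re-opens an attribute so the rest of the tag parses.
$attack = '/form.php/"><script>alert(document.cookie)</script><a href="';
simulate_request($attack);

printf("PHP_SELF    = %s\n", $_SERVER['PHP_SELF']);
printf("SCRIPT_NAME = %s\n\n", $_SERVER['SCRIPT_NAME']);
printf("raw PHP_SELF    : %s\n   safe? %s\n", form_vulnerable(),
       form_is_safe(form_vulnerable()) ? 'yes' : 'NO');
printf("SCRIPT_NAME     : %s\n   safe? %s\n", form_script_name(),
       form_is_safe(form_script_name()) ? 'yes' : 'NO');
printf("escaped PHP_SELF: %s\n   safe? %s\n", form_escaped(),
       form_is_safe(form_escaped()) ? 'yes' : 'NO');
```

Run it with `php form_self.php` (any file name). The raw version emits a closed `<form>` tag followed by a live `<script>` element; the SCRIPT_NAME version emits `action="/form.php"` regardless of the URL suffix; the escaped version keeps the suffix but renders `&quot;&gt;&lt;script&gt;...`, which the browser treats as literal characters inside the attribute. The general rule behind both fixes is to escape every value at the point it is written into HTML, whether or not you believe the client can influence it; whether the client can edit the form afterwards is irrelevant to this bug, since the injected script runs in the browser of whoever follows the crafted link.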