Randall R Schulz escribió:
On Friday 27 April 2007 14:26, Cristian Rodriguez R. wrote:
John D Lamb escribió:
<form method="post" action="<?php echo $SEVER['PHP_SELF']; ?>"> Sure,and then you get a free security hole.
it should say.
<form method="post" action="<?php echo $_SERVER['SCRIPT_NAME']; ?>">
or in case you **really** want to use PHP_SELF
<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">
If that's true, then anyone could just grab the HTML, change the SCRIPT_NAME back to PHP_SELF,
huh ? PHP is interpreted on the server .. they will not be able to change what code is executed in the server. however in this case there is an XSS hole if you use PHP_SELF without sanitization. see an practical example http://blog.phpdoc.info/archives/13-XSS-Woes.html