
isn't $_SERVER['PHP_SELF']; an exploit?



Bobafart
02-24-2008, 06:17 PM
I want to use PHP_SELF for a link to the CSS validator for each page on my site:

http://jigsaw.w3.org/css-validator/validator?uri=$_SERVER['PHP_SELF'];


but it's exploitable... so what do you people use instead?

Blaher
02-24-2008, 06:33 PM
You could just use $_SERVER["HTTP_HOST"].$_SERVER["REQUEST_URI"]

oesxyl
02-25-2008, 12:43 AM
You could just use $_SERVER["HTTP_HOST"].$_SERVER["REQUEST_URI"]

They are not the same thing:



'HTTP_HOST'
Contents of the Host: header from the current request, if there is one.

'REQUEST_URI'
The URI which was given in order to access this page; for instance, '/index.html'.

'PHP_SELF'
The filename of the currently executing script, relative to the document root. For instance, $_SERVER['PHP_SELF'] in a script at the address http://example.com/test.php/foo.bar would be /test.php/foo.bar. The __FILE__ constant contains the full path and filename of the current (i.e. included) file. If PHP is running as a command-line processor this variable contains the script name since PHP 4.3.0. Previously it was not available.


http://www.php.net/manual/en/reserved.variables.php#reserved.variables.server

Bobafart: can you give more detail? I don't understand what the problem is.

best regards

Bobafart
02-25-2008, 12:49 AM
all I wanted to know was if something like:


http://jigsaw.w3.org/css-validator/validator?uri=$_SERVER["HTTP_HOST"].$_SERVER["REQUEST_URI"]


was secure or not... or a potential hack.

firepages
02-25-2008, 01:26 AM
you could also simply escape...



http://jigsaw.w3.org/css-validator/validator?uri=<?=htmlentities($_SERVER['PHP_SELF']);?>

oesxyl
02-25-2008, 02:20 AM
all I wanted to know was if something like:

http://jigsaw.w3.org/css-validator/validator?uri=$_SERVER["HTTP_HOST"].$_SERVER["REQUEST_URI"]

was secure or not... or a potential hack.
It is secure for you. :)
It could be insecure for jigsaw, but they protect themselves by checking the value for uri.
Use firepages' solution to escape special chars in the URL.

best regards
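The two approaches the thread discusses (the raw PHP_SELF link from the original question, and building the link from HTTP_HOST and REQUEST_URI with escaping, as firepages and oesxyl suggest) side by side. This is an added example, not code posted in the thread; it assumes PHP 7 or later, and the host name and paths in the sample request are constructed.

```php
<?php
// Added example, not code from the thread. Every $_SERVER value used here is
// derived from the client's request (Host header, request line, path info),
// so it is treated as untrusted input. Assumes PHP 7 or later.

// Return an HTML-safe link that points the W3C CSS validator at $pageUrl.
function cssValidatorLink(string $pageUrl): string
{
    // urlencode() turns the page URL into one unambiguous query value.
    $target = 'http://jigsaw.w3.org/css-validator/validator?uri=' . urlencode($pageUrl);
    // Escape at the point of output so the value cannot break out of the
    // href attribute; ENT_QUOTES also covers single quotes.
    $safeHref = htmlspecialchars($target, ENT_QUOTES, 'UTF-8');
    return '<a href="' . $safeHref . '">Validate CSS</a>';
}

// Build the current page URL from HTTP_HOST and REQUEST_URI, as suggested in
// the thread. $server is passed in (instead of reading $_SERVER directly) so
// the function can be exercised with a constructed array.
function currentPageUrl(array $server, string $scheme = 'http'): string
{
    $host = $server['HTTP_HOST'] ?? '';
    // The Host header is client-supplied: accept only hostname characters
    // and an optional port, and refuse anything else.
    if (!preg_match('/^[A-Za-z0-9.-]+(:\d+)?$/', $host)) {
        throw new InvalidArgumentException('Unexpected Host header');
    }
    return $scheme . '://' . $host . ($server['REQUEST_URI'] ?? '/');
}

// The pattern from the original question: PHP_SELF echoed into markup with no
// escaping, so whatever path the client appended to the script name is copied
// into the page unchanged.
function unsafeLink(array $server): string
{
    return '<a href="http://jigsaw.w3.org/css-validator/validator?uri='
        . $server['PHP_SELF'] . '">Validate CSS</a>';
}

// Constructed sample request (hypothetical host) to show both forms side by side.
$sample = [
    'HTTP_HOST'   => 'www.example.com',
    'REQUEST_URI' => '/blog/index.php?p=1',
    'PHP_SELF'    => '/blog/index.php',
];
echo unsafeLink($sample), "\n";
echo cssValidatorLink(currentPageUrl($sample)), "\n";
```

Note that HTTP_HOST is just as client-controlled as PHP_SELF (it is the request's Host: header, as the manual excerpt above says), which is why the hardened version validates it rather than trusting it.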

Jacka
02-25-2008, 04:14 PM
...or you could just use this.

http://jigsaw.w3.org/css-validator/check/referer

tylerh
02-26-2008, 03:31 AM
This isn't relevant but I thought I'd post it anyway... I routinely check my pages on validator.w3.org but I typed it in wrong and it started downloading the package for the HTML checker! I typed it in like this:

validator.w3.org/validator?uri=http://site.com
-instead of-
validator.w3.org/check?uri=http://site.com...

You can still download the script at validator.w3.org/validator

:)



EZ Archive Ads Plugin for vBulletin Copyright 2006 Computer Help Forum