Bobafart
02-24-2008, 05:17 PM
I want to use PHP_SELF for a link to the CSS validator for each page on my site:
http://jigsaw.w3.org/css-validator/validator?uri=$_SERVER['PHP_SELF'];
but it's exploitable.. so what do you people use instead?
Blaher
02-24-2008, 05:33 PM
You could just use $_SERVER["HTTP_HOST"].$_SERVER["REQUEST_URI"]
oesxyl
02-24-2008, 11:43 PM
You could just use $_SERVER["HTTP_HOST"].$_SERVER["REQUEST_URI"]
these are not the same thing:
'HTTP_HOST'
Contents of the Host: header from the current request, if there is one.
'REQUEST_URI'
The URI which was given in order to access this page; for instance, '/index.html'.
'PHP_SELF'
The filename of the currently executing script, relative to the document root. For instance, $_SERVER['PHP_SELF'] in a script at the address http://example.com/test.php/foo.bar would be /test.php/foo.bar. The __FILE__ constant contains the full path and filename of the current (i.e. included) file. If PHP is running as a command-line processor this variable contains the script name since PHP 4.3.0. Previously it was not available.
http://www.php.net/manual/en/reserved.variables.php#reserved.variables.server
Bobafart: can you give more detail? I don't understand what is the problem.
best regards
Bobafart
02-24-2008, 11:49 PM
all I wanted to know was if something like:
http://jigsaw.w3.org/css-validator/validator?uri=$_SERVER["HTTP_HOST"].$_SERVER["REQUEST_URI"]
was secure or not...or a potential hack
firepages
02-25-2008, 12:26 AM
you could also simply escape...
http://jigsaw.w3.org/css-validator/validator?uri=<?=htmlentities($_SERVER['PHP_SELF']);?>
oesxyl
02-25-2008, 01:20 AM
all I wanted to know was if something like:
http://jigsaw.w3.org/css-validator/validator?uri=$_SERVER["HTTP_HOST"].$_SERVER["REQUEST_URI"]
was secure or not...or a potential hack
it is secure for you, :)
it could be insecure for jigsaw, but they protect themselves by checking the value for uri.
use firepages' solution to escape special chars in the url.
best regards
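An added example, not code posted by anyone in the thread: building the validator link from HTTP_HOST and REQUEST_URI with the encoding each context needs (percent-encoding for the `uri` query value, then HTML escaping for the attribute). The `ALLOWED_HOSTS` list, the `cssValidatorHref` helper, the `http://` scheme and the sample request values are assumptions made for the illustration.

```php
<?php
// Added example. ALLOWED_HOSTS, cssValidatorHref() and the sample request
// below are hypothetical names and values chosen for this illustration.
const ALLOWED_HOSTS = ['example.com', 'www.example.com'];

/**
 * Build an href value for the W3C CSS validator that points at the current page.
 */
function cssValidatorHref(array $server): string
{
    // The Host: header is sent by the client, so accept only names the site serves.
    $host = strtolower($server['HTTP_HOST'] ?? '');
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        $host = ALLOWED_HOSTS[0];
    }

    // REQUEST_URI is whatever path and query string the client asked for.
    $path = $server['REQUEST_URI'] ?? '/';
    if ($path === '' || $path[0] !== '/') {
        $path = '/';
    }

    // Assumption: the site is served over plain http.
    $pageUrl = 'http://' . $host . $path;

    // Step 1: the page URL is a query-string value, so percent-encode it.
    $href = 'http://jigsaw.w3.org/css-validator/validator?uri=' . rawurlencode($pageUrl);

    // Step 2: the finished URL goes into an HTML attribute, so escape it for HTML.
    return htmlspecialchars($href, ENT_QUOTES, 'UTF-8');
}

// Constructed request: a path carrying markup characters and an unexpected Host.
$sample = [
    'HTTP_HOST'   => 'unexpected.invalid',
    'REQUEST_URI' => '/test.php/"><b>x</b>?a=1&b=2',
    'PHP_SELF'    => '/test.php/"><b>x</b>',
];

echo '<a href="' . cssValidatorHref($sample) . '">Validate CSS</a>', "\n";

// The escaping suggested in the thread, applied to PHP_SELF on its own:
echo htmlspecialchars($sample['PHP_SELF'], ENT_QUOTES, 'UTF-8'), "\n";
```

The quote and angle brackets in the constructed path reach the page only in percent-encoded or entity-escaped form, so they cannot close the `href` attribute or open a new tag.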
Jacka
02-25-2008, 03:14 PM
...or you could just use this.
http://jigsaw.w3.org/css-validator/check/referer
tylerh
02-26-2008, 02:31 AM
this isn't relevant but i thought i'd post it anyways.. i routinely check my pages on validator.w3.org but i typed it in wrong and it started downloading the package for the html checker! i typed it in like this:
validator.w3.org/validator?uri=http://site.com
-instead of-
validator.w3.org/check?uri=http://site.com...
you can still download the script at validator.w3.org/validator
:)