Re: Good code or bad code? [message #170198 is a reply to message #170196] Sun, 17 October 2010 18:39
Thomas 'PointedEars' (Senior Member; Messages: 701; Registered: October 2010)
Magno wrote:

> Thomas 'PointedEars' Lahn wrote:
>> Bullshit/FUD. $_SERVER['REQUEST_URI'] yields the HTTP request URI, e.g.
>>
>> http://foo.example/bar?baz
>>
>> for an HTTP request containing the headers
>>
>> GET /bar?baz HTTP/1.1
>> Host: foo.example
>
> No. It shows the URI relative to the domain root. not including the
> domain name.

ACK, my bad. Yet that is even more proof that it is nonsense to claim that
browsers do not need to send it, and that it could be forged. An HTTP
request *requires* a request URI-reference. And for the PHP script to be
triggered, that URI-reference must, in the end, be correct.

>> [...]
>>
>> Use $_SERVER['SCRIPT_NAME'], since $_SERVER['PHP_SELF'] can be misused
>> for code injection:
>>
>> <http://en.wikipedia.org/wiki/Cross-site_scripting>
>
> That is not true.
> If you think it is true, give us an example of abusing it for code
> injection.

The correct course of action would be for you to present an argument why my
statement is not true.

Anyhow, for an oft-cited (and thus easily found) example (here: courtesy of
<http://blog.oncode.info/>, slightly adapted), take this problematic, but
often found, `form' element:

<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">

</form>

and this URI to trigger the PHP script containing it:

http://foo.example/bar/myform.php/%22%3E%3C%2Fform%3EHier%20ein%20Javascript%3A%20%3Cscript%20type%3D%22text%2Fjavascript%22%3Ewindow.alert('Gotcha!')%3B%3C%2Fscript%3E%3Cform%20action%3D%22%2Fcontact%2Fmyform.php

(Yes, wrapping $_SERVER['PHP_SELF'] in htmlentities() or htmlspecialchars()
would help here, but $_SERVER['SCRIPT_NAME'] usually does not need to be
wrapped in either one. Hence my recommendation.)

>> RTFM and call phpinfo() for details on $_SERVER.
>
> What the OP should read is:
>
> http://php.net/manual/en/reserved.variables.server.php

That *is* the FM.

> and do a print_r($_SERVER);

That is what phpinfo() shows, among many other values.


PointedEars
--
Anyone who slaps a 'this page is best viewed with Browser X' label on
a Web page appears to be yearning for the bad old days, before the Web,
when you had very little chance of reading a document written on another
computer, another word processor, or another network. -- Tim Berners-Lee
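Added example (mine, not code from the thread or from the blog it cites): a PHP script runnable from the CLI that fakes the $_SERVER entries the web server would set for the request above, renders the form both the criticised way and the recommended way, and runs a small check on the result. The $server array, the function names and the path-info string are constructed for the example.

```php
<?php
// Constructed $_SERVER values: what the server would set when
// /bar/myform.php is requested with attacker-chosen trailing path info.
// PATH_INFO is already URL-decoded when PHP exposes it.
$pathInfo = '/"></form><script>window.alert(\'Gotcha!\');</script>'
          . '<form action="/contact/myform.php';

// Under the usual Apache + mod_php setup PHP_SELF is SCRIPT_NAME followed
// by PATH_INFO, while SCRIPT_NAME stops at the script itself.
$server = [
    'SCRIPT_NAME' => '/bar/myform.php',
    'PATH_INFO'   => $pathInfo,
    'PHP_SELF'    => '/bar/myform.php' . $pathInfo,
];

// The pattern criticised in the thread: PHP_SELF written raw into an attribute.
function renderFormUnsafe(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '" method="post"></form>';
}

// Hardened: SCRIPT_NAME carries no request-controlled path info, and the
// value is still escaped for attribute context on output.
function renderFormSafe(array $server): string
{
    $action = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $action . '" method="post"></form>';
}

// Check a test suite or reviewer could run on the rendered page:
// exactly one form element and no script element in the markup.
function looksIntact(string $html): bool
{
    return substr_count($html, '<form') === 1
        && stripos($html, '<script') === false;
}

var_dump(looksIntact(renderFormUnsafe($server)));
var_dump(looksIntact(renderFormSafe($server)));
```

The unsafe rendering fails the check because the path info closes the attribute and the form and opens a second form; the SCRIPT_NAME rendering passes it.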