FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » Good code or bad code?
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: Good code or bad code? [message #170198 is a reply to message #170196] Sun, 17 October 2010 18:39 Go to previous messageGo to previous message
Thomas 'PointedEars'  is currently offline  Thomas 'PointedEars'
Messages: 701
Registered: October 2010
Karma:
Senior Member
Magno wrote:

> Thomas 'PointedEars' Lahn wrote:
>> Bullshit/FUD. $_SERVER['REQUEST_URI'] yields the HTTP request URI, e.g.
>>
>> http://foo.example/bar?baz
>>
>> for an HTTP request containing the headers
>>
>> GET /bar?baz HTTP/1.1
>> Host: foo.example
>
> No. It shows the URI relative to the domain root. not including the
> domain name.

ACK, my bad. Yet that is even more proof that it is nonsense to claim that
browsers do not need to send it, and that it could be forged. A HTTP
request *requires* a request URI-reference. And for the PHP script to be
triggered, that URI-reference must, in the end, be correct.

>> [...]
>>
>> Use $_SERVER['SCRIPT_NAME'], since $_SERVER['PHP_SELF'] can be misused
>> for code injection:
>>
>> <http://en.wikipedia.org/wiki/Cross-site_scripting>
>
> That is not true.
> If you think it is true, give us an example of abusing it for code
> injection.

The correct course of action would be for you to present an argument why my
statement is not true.

Anyhow, for an oft-cited (and thus easily found) example (here: courtesy of
<http://blog.oncode.info/>, slightly adapted), take this problematic, but
often found, `form' element:

<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">

</form>

and this URI to trigger the PHP script containing it:

http://foo.example/bar/myform.php/%22%3E%3C%2Fform%3EHier%20ein%20Javascrip t%3A%20%3Cscript%20type%3D%22text%2Fjavascript%22%3Ewindow.alert('Gotcha!')%3B%3C%2Fscript%3E%3Cform%20action%3D%22%2Fcontact%2Fmyform.php

(Yes, wrapping $_SERVER['PHP_SELF'] in htmlentities() or htmlspecialchars()
would help here, but $_SERVER['SCRIPT_NAME'] usually does not require to be
wrapped in either one. Hence my recommendation.)

>> RTFM and call phpinfo() for details on $_SERVER.
>
> What the OP should read is.-
>
> http://php.net/manual/en/reserved.variables.server.php

That *is* the FM.

> and do a print_r($_SERVER);

That is what phpinfo() shows, among many other values.


PointedEars
--
Anyone who slaps a 'this page is best viewed with Browser X' label on
a Web page appears to be yearning for the bad old days, before the Web,
when you had very little chance of reading a document written on another
computer, another word processor, or another network. -- Tim Berners-Lee
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: buffering to allow headers in code?
Next Topic: Stats comp.lang.php (last 7 days)
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Sat Nov 30 06:14:05 GMT 2024

Total time taken to generate the page: 0.04626 seconds