FUDforum: comp.lang.php » Good code or bad code?

Home » Imported messages » comp.lang.php » Good code or bad code?

Show: Today's Messages :: Polls :: Message Navigator

Re: Good code or bad code? [message #170201 is a reply to message #170200]

Sun, 17 October 2010 23:58

Thomas 'PointedEars'
Messages: 701
Registered: October 2010

Karma:

Senior Member

Magno wrote:

> On 10/17/2010 03:39 PM, Thomas 'PointedEars' Lahn wrote:
>> Anyhow, for an oft-cited (and thus easily found) example (here: courtesy
>> of <http://blog.oncode.info/>, slightly adapted), take this problematic,
>> but often found, `form' element:
>>
>> <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
>> …
>> </form>
>>
>> and this URI to trigger the PHP script containing it:
>>
>>
http://foo.example/bar/myform.php/%22%3E%3C%2Fform%3EHier%20ein%20Javascrip t%3A%20%3Cscript%20type%3D%22text%2Fjavascript%22%3Ewindow.alert('Gotcha!')%3B%3C%2Fscript%3E%3Cform%20action%3D%22%2Fcontact%2Fmyform.php
>>
>> (Yes, wrapping $_SERVER['PHP_SELF'] in htmlentities() or
>> htmlspecialchars() would help here, but $_SERVER['SCRIPT_NAME'] usually
>> does not require to be
>> wrapped in either one. Hence my recommendation.)
>
> I use to assume everyone being wise enough to not do such an idiotic
> mistakes like not filtering what you are going to print on HTML.

(Fallacies: Raising the bar / No true Scotsman)

You would be surprised how often this pattern has occurred in the past and
is occurring now, because people simply do not know this about $PHP_SELF or
$_SERVER['PHP_SELF']. STFW.

> You must ALWAYS use htmlspecialchars, when the user interaction can
> alter anything you will print in the output.

Not when, iff. In the case of $_SERVER['SCRIPT_NAME'], user interaction
cannot alter anything. That is my point that you are still missing.

PointedEars
--
Danny Goodman's books are out of date and teach practices that are
positively harmful for cross-browser scripting.
-- Richard Cornford, cljs, <cife6q$253$1$8300dec7(at)news(dot)demon(dot)co(dot)uk> (2004)

Report message to a moderator

[Message index]

		Good code or bad code? By: MikeB on Sun, 17 October 2010 04:20
		Re: Good code or bad code? By: Hamish Campbell on Sun, 17 October 2010 06:33
		Re: Good code or bad code? By: MikeB on Sun, 17 October 2010 13:25
		Re: Good code or bad code? By: Jerry Stuckle on Sun, 17 October 2010 12:47
		Re: Good code or bad code? By: MikeB on Sun, 17 October 2010 13:12
		Re: Good code or bad code? By: Jerry Stuckle on Sun, 17 October 2010 13:37
		Re: Good code or bad code? By: Thomas 'PointedEars' on Sun, 17 October 2010 17:09
		Re: Good code or bad code? By: Magno on Sun, 17 October 2010 18:18
		Re: Good code or bad code? By: Thomas 'PointedEars' on Sun, 17 October 2010 18:39
		Re: Good code or bad code? By: Magno on Sun, 17 October 2010 22:16
		Re: Good code or bad code? By: Thomas 'PointedEars' on Sun, 17 October 2010 23:58
		Re: Good code or bad code? By: Hamish Campbell on Mon, 18 October 2010 06:09
		Re: Good code or bad code? By: Jerry Stuckle on Mon, 18 October 2010 00:06

Previous Topic:	buffering to allow headers in code?
Next Topic:	Stats comp.lang.php (last 7 days)

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

]

Current Time: Tue Nov 26 22:15:54 GMT 2024

Total time taken to generate the page: 0.05187 seconds