#1 Bobafart (Regular Coder)

Isn't $_SERVER['PHP_SELF']; an exploit?

    I want to use PHP_SELF for a link to the CSS validator for each page on my site:

    http://jigsaw.w3.org/css-validator/validator?uri=$_SERVER['PHP_SELF'];


but it's exploitable... so what do you people use instead?

#2 Blaher (Regular Coder, North Canton, Ohio)
    You could just use $_SERVER["HTTP_HOST"].$_SERVER["REQUEST_URI"]

Users who have thanked Blaher for this post: Bobafart (02-24-2008)

#3 oesxyl (Master Coder)
    Quote Originally Posted by Blaher View Post
    You could just use $_SERVER["HTTP_HOST"].$_SERVER["REQUEST_URI"]
they are not the same thing:

    'HTTP_HOST'
    Contents of the Host: header from the current request, if there is one.

    'REQUEST_URI'
    The URI which was given in order to access this page; for instance, '/index.html'.

    'PHP_SELF'
    The filename of the currently executing script, relative to the document root. For instance, $_SERVER['PHP_SELF'] in a script at the address http://example.com/test.php/foo.bar would be /test.php/foo.bar. The __FILE__ constant contains the full path and filename of the current (i.e. included) file. If PHP is running as a command-line processor this variable contains the script name since PHP 4.3.0. Previously it was not available.
    http://www.php.net/manual/en/reserve...riables.server

    Bobafart: can you give more detail? I don't understand what is the problem.

    best regards

Users who have thanked oesxyl for this post: Bobafart (02-25-2008)

#4 Bobafart (Regular Coder)
All I wanted to know was if something like:

    http://jigsaw.w3.org/css-validator/validator?uri=$_SERVER["HTTP_HOST"].$_SERVER["REQUEST_URI"]

    was secure or not... or a potential hack.

#5 firepages (Super Moderator, Perth Australia)
You could also simply escape...

    PHP Code:
    http://jigsaw.w3.org/css-validator/validator?uri=<?=htmlentities($_SERVER['PHP_SELF']);?>
    resistance is...

    MVC is the current buzz in web application architectures. It comes from event-driven desktop application design and doesn't fit into web application design very well. But luckily nobody really knows what MVC means, so we can call our presentation layer separation mechanism MVC and move on. (Rasmus Lerdorf)

Users who have thanked firepages for this post: Bobafart (02-25-2008)

#6 oesxyl (Master Coder)
    Quote Originally Posted by Bobafart View Post
    all I wanted to know was if something like:

    http://jigsaw.w3.org/css-validator/validator?uri=$_SERVER["HTTP_HOST"].$_SERVER["REQUEST_URI"]

    was secure or not...or a potential hack
It is secure for you;
    it could be insecure for jigsaw, but they protect themselves by checking the value of uri.
    Use firepages' solution to escape special chars in the URL.

    best regards

Users who have thanked oesxyl for this post: Bobafart (02-26-2008)
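The point raised in #1 and the escaping answer in #5, shown in working code. This is an added example, not code from anyone in the thread: it simulates the request with a hand-built $_SERVER array (the host www.example.com and the PATH_INFO tail are constructed for the demo) so it runs from the PHP CLI without a web server. PHP_SELF is the script name plus whatever PATH_INFO the visitor appended, so an attacker who sends someone to /page.php/"><script>... controls its tail; dropping it unescaped into an href is reflected XSS. htmlentities(), as in #5, closes the attribute break-out. The example also URL-encodes the page address before it becomes the uri= query parameter, which is a separate context: a "&", "#" or "?" in the path would otherwise split or truncate the value jigsaw receives. HTTP_HOST is likewise request-controlled (it is the Host: header), so it gets the same treatment.

```php
<?php
// Added example: PHP_SELF reflected into a validator link, vulnerable vs. hardened.
// Run from the CLI: php validator_link.php
// $_SERVER values below are constructed for the demo; in a real request the web
// server supplies them and the visitor controls the PATH_INFO tail of PHP_SELF
// and the Host: header behind HTTP_HOST.

function vulnerable_link(array $server): string
{
    // What post #1 asked about: PHP_SELF dropped straight into an attribute.
    return '<a href="http://jigsaw.w3.org/css-validator/validator?uri='
        . $server['PHP_SELF'] . '">Valid CSS</a>';
}

function hardened_link(array $server): string
{
    // Build the absolute URL of the current page first.
    // If the PATH_INFO part is not wanted, $_SERVER['SCRIPT_NAME'] gives the
    // script path without it; it still needs the same escaping below.
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    $self   = $scheme . '://' . $server['HTTP_HOST'] . $server['PHP_SELF'];

    // Context 1: the page URL is a single query-parameter value, so percent-encode
    // it; "&", "#", "?" and quotes become %26, %23, %3F, %22 instead of
    // delimiters that split or truncate the parameter.
    $target = 'http://jigsaw.w3.org/css-validator/validator?uri=' . rawurlencode($self);

    // Context 2: the whole URL sits inside an HTML attribute, so entity-encode it
    // (ENT_QUOTES covers both quote styles) so nothing can close the attribute.
    return '<a href="' . htmlspecialchars($target, ENT_QUOTES, 'UTF-8') . '">Valid CSS</a>';
}

// Constructed request: the visitor was sent to /page.php/"><script>alert(1)</script>
$server = [
    'HTTP_HOST' => 'www.example.com',
    'PHP_SELF'  => '/page.php/"><script>alert(1)</script>',
];

echo vulnerable_link($server), PHP_EOL;
// The href ends after /page.php/ and the <script> tag lands in the page as live markup.

echo hardened_link($server), PHP_EOL;
// Quotes and angle brackets survive only as %22, %3C, %3E inside the uri value,
// and the attribute itself is entity-encoded, so the link stays a link.
```

The two encodings are not interchangeable: rawurlencode() alone leaves a value that is safe as a query parameter but is still being written into HTML, and htmlentities() alone (post #5) keeps the attribute intact but hands jigsaw a uri value that can be cut short at the first "&" or "#" in the path. Apply the inner context's encoding first, then the outer one.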

#7 Jacka (New Coder, GB)
    ...or you could just use this.
    Code:
    http://jigsaw.w3.org/css-validator/check/referer

Users who have thanked Jacka for this post: Bobafart (02-26-2008)

#8 (New Coder)
This isn't relevant, but I thought I'd post it anyway... I routinely check my pages on validator.w3.org, but I typed it in wrong and it started downloading the package for the HTML checker! I typed it in like this:

    validator.w3.org/validator?uri=http://site.com
    -instead of-
    validator.w3.org/check?uri=http://site.com...

    You can still download the script at validator.w3.org/validator
