
Blocking PHP_SELF action

if page reloaded and form not submitted


henry0

1:27 pm on Dec 15, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

I found that, on a page where I have a PHP_SELF form, if that page is accessed in order to perform tasks other than form submission, then regardless of any submit action the form will submit and result in deleting content, or I should say in updating content with "empty", therefore deleting existing content in the DB.

Even though I test for exist and empty.

I temporarily killed SELF and pointed to an update script, but it is not as "elegant". Any other options?

jatar_k

4:01 pm on Dec 15, 2005 (gmt 0)

WebmasterWorld Administrator 10+ Year Member

I would disagree.

PHP_SELF is not elegant; a specified, fully qualified URL in the action is much nicer.

What type of elegance were you looking for?

Funny, coopster and I were discussing PHP_SELF and security not long ago.

henry0

4:24 pm on Dec 15, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

Well, by elegance I meant compacting the script into one page instead of two.

As per your advice I will then modify the whole thing.

BTW, your discussion with coopster was about a thread that I missed? Or would you share that input with us? It will make a great topic.

Thanks

jatar_k

4:30 pm on Dec 15, 2005 (gmt 0)

WebmasterWorld Administrator 10+ Year Member

Not a thread, just a conversation we were having.

It was mentioned in the security thread as well as the presentation from the security conference I went to. PHP_SELF is not to be trusted and not used.

I have never used it and I always split my processing scripts from my presentation. This doesn't mean I split all of my html and my php code, as that is a pet peeve of mine when people do that, I just prefer all my processing in the background.

henry0

4:46 pm on Dec 15, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

For example, I now see a hack opening: if someone can figure out what's in your dir, then in a case similar to mine it could have resulted in deleting existing content just by calling the script (by the way, naming scripts with unrelated names would be a pain but could have advantages). Although all my update scripts are governed by a tough (I hope) authentication.

coopster

1:58 pm on Dec 16, 2005 (gmt 0)

WebmasterWorld Administrator 10+ Year Member

Some security docs you read will tell you that using PHP_SELF in a form action attribute is not good. But if you think about it, what is the difference if the user were to *spoof* the action by keying it in the browser address bar, or if they pulled the form down and modified it right there in the HTML? Either way, the ensuing action is whatever they just spoofed it to be. So really, where is the exposure?

I think the actual point is IF you are using PHP_SELF or REQUEST_URI, etc. you still need to scrub the data as it is user-supplied. Since they are $_SERVER variables a lot of folk just tend to think that the data is safe.

The conversation jatar_k and I then had was whether or not we should be using full URIs in the action attribute. And using the same form for HTML and processing is a whole new discussion ;-)
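An added example, not code posted by anyone in this thread, that covers both henry0's reload problem and coopster's point that PHP_SELF is user-supplied and must be scrubbed: the update only runs on an actual POST with the submit button present and a non-empty value, and PHP_SELF is HTML-escaped before it is echoed into the action attribute. The `title` field, the `save` button and the database update stub are assumptions.

```php
<?php
// Self-processing form (added example, not from the thread).
// Two defences:
//  1. Process only when the form was really POSTed with the submit button,
//     so a plain GET / reload of the page never touches the database.
//  2. Escape PHP_SELF before echoing it: its path-info suffix is
//     user-controlled, so raw output is an HTML-injection point.

function form_was_submitted(array $post, string $method): bool
{
    // A GET reload, or a POST without the submit button, is not a submission.
    return $method === 'POST' && isset($post['save']);
}

function validate_title(array $post): ?string
{
    // Whitespace-only counts as empty, so "" can never overwrite stored content.
    $title = trim((string) ($post['title'] ?? ''));
    return $title === '' ? null : $title;
}

function safe_self(string $phpSelf): string
{
    // Treat PHP_SELF like any other user input: HTML-escape it.
    // (Using $_SERVER['SCRIPT_NAME'] avoids the path-info suffix entirely.)
    return htmlspecialchars($phpSelf, ENT_QUOTES, 'UTF-8');
}

$errors = [];
$saved  = false;
if (form_was_submitted($_POST, $_SERVER['REQUEST_METHOD'] ?? 'GET')) {
    $title = validate_title($_POST);
    if ($title === null) {
        $errors[] = 'Title is required; nothing was updated.';
    } else {
        // update_title($pdo, $title);  // hypothetical prepared-statement UPDATE
        $saved = true;
    }
}
?>
<!-- On a GET reload the block above did nothing; the form is only rendered. -->
<?php foreach ($errors as $e): ?><p><?= htmlspecialchars($e, ENT_QUOTES, 'UTF-8') ?></p><?php endforeach; ?>
<?php if ($saved): ?><p>Saved.</p><?php endif; ?>
<form method="post" action="<?= safe_self($_SERVER['PHP_SELF'] ?? '') ?>">
  <input type="text" name="title" value="">
  <button type="submit" name="save" value="1">Save</button>
</form>
```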