
$_SERVER['PHP_SELF'] unsafe?

9:05 am on Feb 1, 2015 (gmt 0)

Junior Member

10+ Year Member

joined:Apr 14, 2004
posts:111
votes: 0


I use the function below to get the filename:

$menu=basename($_SERVER['PHP_SELF'], '.php');

For example, with www.domain.com/example.php it returns the value “example”.

However, if someone enters www.domain.com/example.php/somethingelse/ then it returns the value “somethingelse” and not “example”. So $menu can get any value. Can this be used to hack a site?
11:37 am on Feb 1, 2015 (gmt 0)

Senior Member

penders

joined:July 3, 2006
posts: 3127
votes: 1


Can this be used to hack a site?


It depends what you are doing with it and to some extent the server config. It's basically user input, so the same validation applies.

If you are just using $menu to highlight a menu item then it might just be a visual disturbance. (But one which could be shared publicly.)
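As an added illustration of "it's basically user input, so the same validation applies" (this is not code from the thread), the snippet below derives the menu key from a PHP_SELF-style path by stripping anything after ".php" and then checking the result against an allow-list. The menu names and sample paths are constructed for the demo; note also that $_SERVER['SCRIPT_NAME'] never carries path-info, so it is the better starting point where it is available.

```php
<?php
// Added example, not from the original thread: treat PHP_SELF as user
// input and derive the menu key from an allow-list instead of trusting
// basename() alone. ALLOWED_MENUS and the sample paths are constructed.

declare(strict_types=1);

const ALLOWED_MENUS = ['index', 'example', 'about', 'contact'];

/**
 * Derive the menu key to highlight from a PHP_SELF-style path.
 * Returns $default unless the result is a known menu entry.
 */
function menu_key(string $php_self, string $default = 'index'): string
{
    // basename() on "/example.php/foo/" yields "foo", so strip any
    // path-info first: keep only the part up to and including ".php".
    $script = preg_replace('#(\.php)/.*$#', '$1', $php_self);
    $candidate = basename($script, '.php');

    // Allow only a conservative character set, then check the allow-list.
    if (!preg_match('/^[a-z0-9_-]{1,40}$/', $candidate)) {
        return $default;
    }
    return in_array($candidate, ALLOWED_MENUS, true) ? $candidate : $default;
}

// Constructed sample inputs showing the difference from raw basename().
$samples = [
    '/example.php',
    '/example.php/somethingelse/',
    '/example.php/<script>alert(1)</script>/',
    '/unknown.php',
];
foreach ($samples as $path) {
    printf("%-45s raw=%-28s safe=%s\n",
        $path, basename($path, '.php'), menu_key($path));
}
```

Run it from the command line with php; the "raw" column is what the original one-liner produces, the "safe" column is what reaches the template. Unknown or malformed names fall back to a default rather than being echoed.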
8:12 am on Feb 4, 2015 (gmt 0)

Senior Member


joined:Oct 15, 2004
posts:942
votes: 0


Simply echoing $_SERVER['PHP_SELF'] is vulnerable to XSS attacks. You can find many references for this if you google it.
The best approach is to echo htmlspecialchars($_SERVER['PHP_SELF']), just to be on the safe side.
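To make the XSS point concrete, here is an added example (not from the thread) rendering a form action both ways. The attacker path is constructed; in a real request it arrives through PHP_SELF because the web server delivers PATH_INFO URL-decoded, so the quote and angle-bracket characters reach the script intact.

```php
<?php
// Added example, not from the original thread: the same form action
// rendered unsafely and safely. The request path is constructed; in a
// real request it comes from $_SERVER['PHP_SELF'].

declare(strict_types=1);

// Vulnerable: PHP_SELF is written into an attribute without encoding.
function form_action_unsafe(string $php_self): string
{
    return '<form method="post" action="' . $php_self . '">';
}

// Hardened: encode for an HTML attribute context. ENT_QUOTES covers the
// double quote that closes the attribute in the payload below;
// ENT_SUBSTITUTE keeps invalid UTF-8 from silently emptying the output.
function form_action_safe(string $php_self): string
{
    $encoded = htmlspecialchars($php_self, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post" action="' . $encoded . '">';
}

// Constructed attacker URL: /example.php/"><script>alert(1)</script><"
$payload = '/example.php/"><script>alert(1)</script><"';

echo "unsafe: ", form_action_unsafe($payload), "\n";
echo "safe:   ", form_action_safe($payload), "\n";
```

The unsafe output closes the attribute and opens a script tag; the safe output keeps everything inside the attribute value. Using $_SERVER['SCRIPT_NAME'] (which has no path-info) or an empty action="" avoids carrying the attacker's text at all, but output encoding is still required for anything derived from the request.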
7:25 pm on Feb 4, 2015 (gmt 0)

Senior Member from US 

lucy24

joined:Apr 9, 2011
posts:15636
votes: 795


However, if someone enters www.domain.com/example.php/somethingelse/ then it returns the value “somethingelse” and not “example”. So $menu can get any value. Can this be used to hack a site?

Did you mean, if someone enters this spurious URL in their address bar, taking advantage of path-info defaults?

It may be safer to address this from the other side: don't let the site accept URLs with more stuff (other than a query string, duh) after the filename extension. Either block or redirect, depending on circumstances and preference.
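Added example of the "block or redirect" approach, done in PHP so it does not depend on the server (this is not code from the thread; under Apache the core directive AcceptPathInfo Off refuses such URLs before PHP runs). The $_SERVER arrays at the bottom are constructed samples; in production, pass $_SERVER itself.

```php
<?php
// Added example, not from the original thread: refuse or redirect requests
// that carry path-info after the script name. The $_SERVER arrays below
// are constructed samples.

declare(strict_types=1);

/**
 * Decide what to do with a request. Returns null when the URL is clean,
 * otherwise a [status, location-or-null] pair. $redirect=true gives a
 * 301 to the script without path-info, false gives a plain 404.
 */
function path_info_check(array $server, bool $redirect = true): ?array
{
    $pathInfo = $server['PATH_INFO'] ?? '';
    // PHP_SELF is SCRIPT_NAME plus PATH_INFO; compare them as a second
    // signal in case PATH_INFO is not populated by the SAPI in use.
    $extra = ($server['PHP_SELF'] ?? '') !== ($server['SCRIPT_NAME'] ?? '');
    if ($pathInfo === '' && !$extra) {
        return null;
    }
    if (!$redirect) {
        return [404, null];
    }
    // Preserve the query string; SCRIPT_NAME never contains path-info.
    $qs = ($server['QUERY_STRING'] ?? '') !== ''
        ? '?' . $server['QUERY_STRING'] : '';
    return [301, $server['SCRIPT_NAME'] . $qs];
}

/** Call this before any output is sent. */
function enforce_no_path_info(array $server, bool $redirect = true): void
{
    $decision = path_info_check($server, $redirect);
    if ($decision === null) {
        return;
    }
    [$status, $location] = $decision;
    if ($location !== null) {
        header('Location: ' . $location, true, $status);
    } else {
        http_response_code($status);
    }
    exit;
}

// Constructed requests: one clean, one with path-info appended.
$clean = ['SCRIPT_NAME' => '/example.php', 'PHP_SELF' => '/example.php',
          'PATH_INFO' => '', 'QUERY_STRING' => 'id=3'];
$dirty = ['SCRIPT_NAME' => '/example.php', 'PHP_SELF' => '/example.php/somethingelse/',
          'PATH_INFO' => '/somethingelse/', 'QUERY_STRING' => 'id=3'];

var_dump(path_info_check($clean));
var_dump(path_info_check($dirty));
var_dump(path_info_check($dirty, false));
```

Pick the 301 variant when stray links with path-info already exist in the wild and you want them to land on the real page; pick the 404 variant when you would rather not acknowledge the spurious URL at all.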
2:36 pm on Mar 19, 2015 (gmt 0)

New User

joined:Mar 19, 2015
posts: 4
votes: 0


Yes, correct. Sometimes it makes a way to hack; you just enter the file name, for example test.php.
5:51 am on Apr 29, 2015 (gmt 0)

New User

joined:Apr 23, 2015
posts:10
votes: 0


You need to make note of all these:

$_SERVER["SCRIPT_NAME"]
$_SERVER["PATH_INFO"]
$_SERVER["PATH_TRANSLATED"]
$_SERVER["PHP_SELF"]

in your code. Use various URLs in a test script with var_dump($_SERVER);.

P.S. I have never seen/heard of any "hacking" of a site by adding "/text" on a URL.