Re: PHP_SELF __FILE__ and the likes

Posted by amygdala on 12/12/10 11:55

"Tim Hunt" <tim.n.hunt@gmail.com> schreef in bericht
news:1155313816.165751.307410@b28g2000cwb.googlegroups.com...
>
> amygdala wrote:
>> "amygdala" <noreply@noreply.com> schreef in bericht
>> news:44dca2d3$0$2014$9a622dc7@news.kpnplanet.nl...
>> > Hi,
>> >
>> > I read something about PHP_SELF possibly issuing security flaws, since
>> > requesting...
>> >
>> > http://www.mydomain.com/thescript.php/bogus
>> >
>> > ...would output '/thescript.php/bogus' if PHP_SELF is issued in
>> > thescript.php
>> >
>> > Can't seem to find the article anymore though.
>> >
>> > What would be a good workaround for this?
>> >
>> > __FILE__ isn't an option here cause I would like to issue PHP_SELF /
>> > your
>> > suggestion in a class that is included in thescript.php
>> >
>> > Is there no native PHP variable that returns the pure filename (no
>> > path,
>> > no querystring, no trailing user input, etc.) ?
>> >
>> > Thanks a bunch.
>> >
>>
>> I think I found it already:
>>
>> $_SERVER[ 'SCRIPT_NAME' ]
>>
>> Seems to work.
>>
>> Still, if somebody cares to elaborate on the subject: I'm curious what
>> kind
>> of security issues could show up when using these kinds of variables. Is
>> $_SERVER[ 'SCRIPT_NAME' ] secure? Much appreciated.
>
> Yeah I read about the PHP_SELF problem recently too, the links below
> cover the topic better than I can.
>
> http://blog.phpdoc.info/archives/13-guid.html
> http://www-03.ibm.com/developerworks/blogs/page/phpblog?entry=thou_shalt_never_trust_user
>
> The second page mentions that all variables in $_SERVER which begin
> with HTTP (HTTP_REFERER, HTTP_HOST etc) can be easily spoofed.
>
> Regards,
> Tim
>

Thanks for those links. Good stuff.
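As an added illustration of the point made in the thread (this is not code from the original posts), the snippet below contrasts PHP_SELF with SCRIPT_NAME for the request from the first message and shows a defensive way to build a self-referencing form action. The $_SERVER values are constructed inline so it runs offline; in a real request the web server and PHP fill them in.

```php
<?php
// Added example, not from the thread. Simulate the request discussed above:
// GET /thescript.php/bogus  (constructed values for offline use)
$_SERVER['PHP_SELF']    = '/thescript.php/bogus';   // script path plus trailing path info
$_SERVER['SCRIPT_NAME'] = '/thescript.php';         // script path only
$_SERVER['PATH_INFO']   = '/bogus';                 // the visitor-controlled tail

// Weak: PHP_SELF carries the path info verbatim, so whatever the visitor
// appends to the URL is written into the HTML attribute unescaped.
function weakFormAction(): string
{
    return '<form action="' . $_SERVER['PHP_SELF'] . '" method="post">';
}

// Hardened: SCRIPT_NAME holds only the resolved script path (no path info,
// no query string). It is still HTML-escaped, because every $_SERVER entry
// is request-derived data and should be treated as untrusted on output.
function safeFormAction(): string
{
    $action = htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $action . '" method="post">';
}

echo weakFormAction(), "\n";
echo safeFormAction(), "\n";
```

The same output-escaping rule applies to the HTTP_* entries mentioned in the reply (HTTP_HOST, HTTP_REFERER and so on): they are copied straight from the client's request headers, so they are never safe to echo or trust unescaped.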
