|
|
Posted by Robert on 12/17/94 11:55
The correct way to get the php file is:
$_SERVER['PHP_SELF'] -- No security vulns. as per my knowledge.
Hope this helps, -Rob
amygdala wrote:
> "amygdala" <noreply@noreply.com> schreef in bericht
> news:44dca2d3$0$2014$9a622dc7@news.kpnplanet.nl...
> > Hi,
> >
> > I read something about PHP_SELF possibly issuing security flaws, since
> > requesting...
> >
> > http://www.mydomain.com/thescript.php/bogus
> >
> > ...would output '/thescript.php/bogus' if PHP_SELF is issued in
> > thescript.php
> >
> > Can't seem to find the article anymore though.
> >
> > What would be a good workaround for this?
> >
> > __FILE__ isn't an option here cause I would like to issue PHP_SELF / your
> > suggestion in a class that is included in thescript.php
> >
> > Is there no native PHP variable that returns the pure filename (no path,
> > no querystring, no trailing user input, etc.) ?
> >
> > Thanks a bunch.
> >
>
> I think I found it already:
>
> $_SERVER[ 'SCRIPT_NAME' ]
>
> Seems to work.
>
> Still, if somebody cares to elaborate on the subject: I'm curious what kind
> of security issues could show up when using these kinds of variables. Is
> $_SERVER[ 'SCRIPT_NAME' ] secure? Much appreciated.
Navigation:
[Reply to this message]
|