|
|
Posted by Jim Carlock on 11/21/06 22:14
Jim Carlock wrote...
: After messing with a few things I noticed 'PHP_SELF'
: returns the page name without the $_GET query strings...
:
: http://blog.phpdoc.info/archives/13-XSS-Woes.html
"petersprc" stated...
: When using PHP_SELF, I would suggest encoding it appropriately.
: For instance:
:
: <form action="<?= htmlentities($_SERVER['PHP_SELF'], ENT_QUOTES) ?>">
:
: In a request to /home.php/a/b/c/d?p=q, your variables would usually
: be:
:
: REQUEST_URI: /home.php/a/b/c/d?p=q
: SCRIPT_NAME: /home.php
: PATH_INFO: /a/b/c/d
: QUERY_STRING: p=q
: PHP_SELF: /home.php/a/b/c/d
:
: An inbound link could put some unsafe code in the PATH_INFO
: part, so it's good to encode it when outputting it as HTML.
Good information. Thanks Peter. Maybe it was an Apache bug fixed
by Apache 1.3.37?
Another thing that occurs, PHP_ERR.LOG files show up when
the temporary directory gets deleted, in other words when the
temporary folder goes bye bye, "php_err.log" files start appearing
in the folders of the website which uses $_SESSION variables.
I'm working with PHP 4.4.4 and Apache 1.3.37 (Windows).
Comments are appreciated.
Thanks.
--
Jim Carlock
Navigation:
[Reply to this message]
|