Posted by John Dunlop on 11/19/87 11:47
Tim Van Wassenhove:
> Here is an example of possible abuse of forms that use
> $_SERVER['PHP_SELF']: http://blog.phpdoc.info/archives/13-XSS-Woes.html
Ta for the link, Tim. So PHP_SELF is essentially user input.
Still don't know exactly what it is. I think it's something between
the (surface) URL and the filename, after the URL has undergone any
rewriting, because it can have both parts that are present in the URL
but absent in the filename and parts that are present in the filename
but absent in the URL. My half-assed testing doesn't lead me to an
answer.
It's easier to say what it isn't: it isn't the last seg. of the
(surface) URL-path, nor is it the filename.
--
Jock
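Added example, not part of John Dunlop's post or the thread he is replying to: the form pattern Tim's link warns about, placed beside a hardened version. It assumes, per the PHP manual, that PHP_SELF is the executing script's path relative to the document root with any extra path segments after the script name (PATH_INFO) appended, which is why the value is request-controlled. The function names and the `$sample` request array are constructed for illustration.

```php
<?php
// Added example (not from the original thread): emitting a form's action
// attribute from $_SERVER['PHP_SELF'] safely.
//
// Assumption (PHP manual): PHP_SELF is the script path relative to the
// document root, plus any trailing path info from the request line.
// Those trailing segments come straight from the client, so the value
// is untrusted input and must be encoded before it is placed in HTML.

// Vulnerable pattern: raw PHP_SELF written into an attribute. A quote
// in the path info terminates the attribute early.
function form_action_unsafe(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '" method="post">';
}

// Hardened pattern: HTML-encode the value so quotes and angle brackets
// cannot close the attribute or open a new tag.
function form_action_safe(array $server): string
{
    $self = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $self . '" method="post">';
}

// Alternative: use SCRIPT_NAME, which (per the CGI spec) names the script
// without PATH_INFO, and still encode it. Posting back to the script path
// rather than the full request path drops the client-supplied segments.
function form_action_script_name(array $server): string
{
    $self = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $self . '" method="post">';
}

// Constructed sample: a request for /contact.php carrying extra path
// segments with characters that are significant inside HTML. Not a real
// $_SERVER array; built here so the script runs offline.
$sample = [
    'SCRIPT_NAME' => '/contact.php',
    'PHP_SELF'    => '/contact.php/"<extra>',
];

echo form_action_unsafe($sample), PHP_EOL;
echo form_action_safe($sample), PHP_EOL;
echo form_action_script_name($sample), PHP_EOL;
```

Running it with `php` prints the three variants in order; the first shows the attribute cut short at the injected quote, the second shows the quote and brackets as `&quot;`, `&lt;` and `&gt;`, and the third contains only the script path. The encoding step is the fix for any request-derived string echoed into markup, not just PHP_SELF.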