Posted by Tim Hunt on 08/11/06 16:30
amygdala wrote:
> "amygdala" <noreply@noreply.com> wrote in message
> news:44dca2d3$0$2014$9a622dc7@news.kpnplanet.nl...
> > Hi,
> >
> > I read something about PHP_SELF possibly issuing security flaws, since
> > requesting...
> >
> > http://www.mydomain.com/thescript.php/bogus
> >
> > ...would output '/thescript.php/bogus' if PHP_SELF is issued in
> > thescript.php
> >
> > Can't seem to find the article anymore though.
> >
> > What would be a good workaround for this?
> >
> > __FILE__ isn't an option here cause I would like to issue PHP_SELF / your
> > suggestion in a class that is included in thescript.php
> >
> > Is there no native PHP variable that returns the pure filename (no path,
> > no querystring, no trailing user input, etc.) ?
> >
> > Thanks a bunch.
> >
>
> I think I found it already:
>
> $_SERVER[ 'SCRIPT_NAME' ]
>
> Seems to work.
>
> Still, if somebody cares to elaborate on the subject: I'm curious what kind
> of security issues could show up when using these kinds of variables. Is
> $_SERVER[ 'SCRIPT_NAME' ] secure? Much appreciated.
Yeah, I read about the PHP_SELF problem recently too; the links below
cover the topic better than I can.
http://blog.phpdoc.info/archives/13-guid.html
http://www-03.ibm.com/developerworks/blogs/page/phpblog?entry=thou_shalt_never_trust_user
The second page mentions that all variables in $_SERVER which begin
with HTTP (HTTP_REFERER, HTTP_HOST, etc.) can be easily spoofed.
Regards,
Tim
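An added example (not code from the thread or from either poster) showing why the PHP_SELF output quoted above is a problem and how the SCRIPT_NAME suggestion, plus escaping, addresses it; the $_SERVER values, the function names and the path regular expression are assumptions constructed for this example:

```php
<?php
// Constructed $_SERVER values mimicking a request for
// http://www.mydomain.com/thescript.php/bogus"extra (assumed, not captured).
// Under Apache, PHP_SELF is SCRIPT_NAME followed by PATH_INFO, so the
// trailing client-supplied path segment ends up inside PHP_SELF.
$server = [
    'SCRIPT_NAME' => '/thescript.php',              // path to the script only
    'PATH_INFO'   => '/bogus"extra',                // trailing user-supplied path
    'PHP_SELF'    => '/thescript.php/bogus"extra',  // SCRIPT_NAME + PATH_INFO
    'HTTP_HOST'   => 'www.mydomain.com',            // comes from a request header
];

// Problem pattern: the trailing path segment is written verbatim into an
// HTML attribute, so the double quote closes the attribute early.
function actionFromPhpSelf(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '" method="post">';
}

// Hardened pattern: SCRIPT_NAME carries no PATH_INFO and no query string.
// It is still escaped, because every $_SERVER value placed into HTML is
// data, and some server configurations derive it from the request.
function actionFromScriptName(array $server): string
{
    $path = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $path . '" method="post">';
}

// Defensive check (assumed policy): the script path should be a plain
// .php path with no traversal and no characters outside a small set.
function looksLikeScriptPath(string $path): bool
{
    return preg_match('#^/[A-Za-z0-9_./-]+\.php$#', $path) === 1
        && strpos($path, '..') === false;
}

// HTTP_* entries are copied from request headers, so an absolute URL must
// be built from a configured host, not from $_SERVER['HTTP_HOST'].
const CANONICAL_HOST = 'www.mydomain.com'; // assumed site configuration

function absoluteFormUrl(array $server): string
{
    $path = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return 'http://' . CANONICAL_HOST . $path;
}

echo actionFromPhpSelf($server), PHP_EOL;     // attribute broken by the path
echo actionFromScriptName($server), PHP_EOL;  // attribute intact
var_dump(looksLikeScriptPath($server['SCRIPT_NAME']));
var_dump(looksLikeScriptPath($server['PHP_SELF']));
echo absoluteFormUrl($server), PHP_EOL;
```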