Re: Need expert help with advanced form Submit question

Posted by Jonathan N. Little on 10/19/07 19:44

BootNic wrote:
> "Jonathan N. Little" <lws4art@centralva.net> wrote:
> news:46b3f$4718be9b$40cba7cb$16012@NAXS.COM:
>
>>> <form method="post" action="<? echo $_SERVER["PHP_SELF"]; ?>">
>>> (rest of form...)
>>> </form>
>> I feel compelled to warn you all that you should *not* do the above
>> example. There is an XSS flaw in it. A safe example to demonstrate the
>> risk is to pass this to the example script:
>>
>> http://example.com/risky.php/%22%3E%3Cscript%3Ealert('xss, time to be
>> worried')%3C/script%3E%3Cfoo
>>
>> You will get a harmless alert box, but there are a lot more nefarious
>> things that can be done. There is an easy fix though, don't use the
>> raw URL parsed by $_SERVER["PHP_SELF"].
>>
>> $sanitized = htmlentities($_SERVER['PHP_SELF']); // prevent XSS insertion
>>
>> Then use:
>>
>> <form method="post" action="<?php echo $sanitized; ?>">
>
> $_SERVER["SCRIPT_NAME"] may be an alternative.
>

Yes, but you would lose any legitimate query string parameters if this
was a GET process.

--
Take care,

Jonathan
-------------------
LITTLE WORKS STUDIO
http://www.LittleWorksStudio.com
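
The two fixes discussed in this thread (escaping PHP_SELF, and using SCRIPT_NAME instead), side by side with the unescaped original, as an added example that is not code from the original posters. The `$server` array is a constructed stand-in for `$_SERVER` holding the payload quoted above in the decoded form PHP presents it, plus an invented query string; the function names are mine.

```php
<?php
// Added example (not from the original thread): why a raw PHP_SELF in a form
// action is an XSS sink, and two safe ways to build the action attribute.

// The original example: the raw, client-controlled path lands inside an
// HTML attribute unescaped. A request to /risky.php/"><script>... closes the
// attribute and the tag and injects markup.
function unsafe_action(array $server): string {
    return '<form method="post" action="' . $server['PHP_SELF'] . '">';
}

// Fix 1 from the thread: HTML-escape PHP_SELF before it enters the attribute.
// ENT_QUOTES also escapes single quotes, so the value is safe in either
// attribute quoting style; the default flags only cover double quotes.
function escaped_action(array $server): string {
    $safe = htmlentities($server['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $safe . '">';
}

// Fix 2 from the thread: SCRIPT_NAME is the script's own path without any
// PATH_INFO the client appended, so the injected suffix never appears. To keep
// the page's GET parameters (the concern raised in the reply), re-append the
// query string after re-encoding it with http_build_query, then escape the
// whole value for the attribute. Still escape: SCRIPT_NAME is server-derived,
// but the query values are attacker-controlled.
function script_name_action(array $server): string {
    $action = $server['SCRIPT_NAME'];
    if (!empty($server['QUERY_STRING'])) {
        parse_str($server['QUERY_STRING'], $params);
        $action .= '?' . http_build_query($params);
    }
    $safe = htmlspecialchars($action, ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $safe . '">';
}

// Constructed request (assumption): the payload from the thread as the web
// server hands it to PHP after URL-decoding, plus a query string containing
// a double quote to show that it is encoded rather than trusted.
$server = [
    'SCRIPT_NAME'  => '/risky.php',
    'PHP_SELF'     => '/risky.php/"><script>alert(\'xss, time to be worried\')</script><foo',
    'QUERY_STRING' => 'page=2&q=a"b',
];

echo unsafe_action($server), "\n";
echo escaped_action($server), "\n";
echo script_name_action($server), "\n";
```

Run it with `php example.php` and compare the three lines: the first contains a live `<script>` element, the second has the payload reduced to `&quot;&gt;&lt;script&gt;...`, and the third carries only `/risky.php?page=2&amp;q=a%22b`. One caveat when carrying parameters this way: for a `method="get"` form the browser discards the query string in `action` and replaces it with the form's own fields, so parameters that must survive a GET submission belong in hidden inputs (escaped the same way), not in the action URL.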



Copyright © 2005-2006 Powered by Custom PHP Programming