Posted by BootNic on 10/19/07 22:46

"Jonathan N. Little" <lws4art@centralva.net> wrote:
news:b7604$47190931$40cba7cb$32210@NAXS.COM:

> BootNic wrote:
>> "Jonathan N. Little" <lws4art@centralva.net> wrote:
>> news:46b3f$4718be9b$40cba7cb$16012@NAXS.COM:
>>
>>>> <form method="post" action="<? echo $_SERVER["PHP_SELF"]; ?>">
>>>> (rest of form...) </form>
>>> I feel compelled to warn you all that you should *not* do the above
>>> example. There is an XSS flaw in it. A safe example to demonstrate
>>> the risk is to pass this to the example script:
>>>
>>> http://example.com/risky.php/%22%3E%3Cscript%3Ealert('xss, time to be worried')%3C/script%3E%3Cfoo
>>>
>>> You will get a harmless alert box, but there are a lot more
>>> nefarious things that can be done. There is an easy fix though,
>>> don't use the raw URL parsed by $_SERVER["PHP_SELF"].
>>>
>>> $sanitized = htmlentities($_SERVER['PHP_SELF']); // prevent XSS insertion
>>>
>>> Then use:
>>>
>>> <form method="post" action="<?php echo $sanitized; ?>">
>>
>> $_SERVER["SCRIPT_NAME"] may be an alternative.
>>
>
> Yes, but you would lose any legitimate query string parameters if this
> was a GET process.

Where would it go?

$_GET perhaps

--
BootNic Friday October 19, 2007 6:46 PM
Inform all the troops that communications have completely broken
down.
*Ashleigh Brilliant*
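The approach the thread converges on, as an added example that is not from any of the posters: take the script path from SCRIPT_NAME (which carries no PATH_INFO), re-attach the query string from $_GET, and escape the result for the attribute. The function names safe_attr and form_action and the request values are constructed for this illustration.

```php
<?php
// Escape a value for use inside an HTML attribute. ENT_QUOTES covers both
// quote styles, so a crafted PATH_INFO such as /risky.php/"><script>...
// cannot close the action="..." attribute early.
function safe_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Build the form action from SCRIPT_NAME (the real script path, without any
// trailing PATH_INFO) and re-attach the current query parameters from $_GET,
// so a page driven by GET keeps them. The assembled URL is escaped as a whole.
function form_action(array $server, array $get): string
{
    $path  = $server['SCRIPT_NAME'] ?? '';
    $query = http_build_query($get);          // URL-encodes keys and values
    $url   = $query === '' ? $path : $path . '?' . $query;
    return safe_attr($url);
}

// Constructed request values modelled on the crafted URL quoted in the thread.
$server = [
    'PHP_SELF'    => '/risky.php/"><script>alert(\'xss\')</script><foo',
    'SCRIPT_NAME' => '/risky.php',
];
$get = ['page' => '2', 'q' => 'a&b'];

// Vulnerable form: the raw PHP_SELF path breaks out of the attribute.
echo '<form method="post" action="' . $server['PHP_SELF'] . '">', "\n";

// Hardened form: escaped script path with the query string preserved.
// Produces: <form method="post" action="/risky.php?page=2&amp;q=a%26b">
echo '<form method="post" action="' . form_action($server, $get) . '">', "\n";
```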
