Use of PHP_SELF considered harmful

Warning: $_SERVER['PHP_SELF'] can include arbitrary user input.

As discussed in this very long thread on nyphp-talk (thanks Dan and George, for schooling us!), under Apache the request "http://example.com/info.php/attack%20here" runs /info.php, but $_SERVER['PHP_SELF'] will equal "/info.php/attack here": the script path plus the decoded trailing path segment (the same text Apache exposes as PATH_INFO). This is intended behaviour, not a bug, but it means that PHP_SELF must be treated as user input, since anyone can append whatever they like to the URL.

The attack string could contain urlencoded HTML and JavaScript (cross-site scripting, whenever PHP_SELF is echoed into a page, most often as a form's action attribute), or it could contain urlencoded line breaks (HTTP response splitting, if PHP_SELF is copied into a header such as Location). Note that from PHP 4.4.2 and 5.1.2 onward, header() refuses a value containing a line break, which closes the splitting vector but does nothing for the cross-site scripting one.

The use of $_SERVER['SCRIPT_NAME'] is recommended instead: it holds only the path of the script Apache actually executed, without the trailing path info. Even so, escape it with htmlspecialchars() when it is echoed into HTML, as with any $_SERVER value, and do the same for PHP_SELF anywhere it remains in use.
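The following PHP script is an added example, not part of the original notice, that shows the difference on a simulated request. The $_SERVER values are constructed to mirror what Apache with mod_php populates for GET /info.php/%22%3E%3Cscript%3Ealert(1)%3C/script%3E; the function names are the example's own.

```php
<?php
// Added example: $_SERVER values constructed to mirror what Apache + mod_php
// populate for the request /info.php/%22%3E%3Cscript%3Ealert(1)%3C/script%3E.
// PATH_INFO is the decoded trailing segment and is appended to PHP_SELF;
// SCRIPT_NAME is only the path of the script that actually ran.
$server = [
    'SCRIPT_NAME' => '/info.php',
    'PATH_INFO'   => '/"><script>alert(1)</script>',
    'PHP_SELF'    => '/info.php/"><script>alert(1)</script>',
    'REQUEST_URI' => '/info.php/%22%3E%3Cscript%3Ealert(1)%3C/script%3E',
];

// Vulnerable pattern, common in tutorials of the era: PHP_SELF echoed raw into
// an attribute. The trailing path info closes the attribute and injects a
// script element.
function renderVulnerable(array $server): string
{
    return '<form method="post" action="' . $server['PHP_SELF'] . '">';
}

// Hardened pattern: SCRIPT_NAME carries no attacker-supplied path info, and it
// is still HTML-escaped because every $_SERVER value is treated as input.
function renderSafe(array $server): string
{
    $self = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $self . '">';
}

// Escaping PHP_SELF alone also stops the XSS, but the attacker's path info
// survives in the action URL, so the form posts back to /info.php/... rather
// than /info.php. SCRIPT_NAME avoids that as well.
function renderEscapedPhpSelf(array $server): string
{
    $self = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $self . '">';
}

// Crude check: does a rendered fragment still contain an unescaped script tag?
function containsRawScriptTag(string $html): bool
{
    return (bool) preg_match('/<script\b/i', $html);
}

foreach (['renderVulnerable', 'renderSafe', 'renderEscapedPhpSelf'] as $fn) {
    $html = $fn($server);
    printf("%-22s %s\n", $fn . ':', $html);
    printf("%-22s %s\n", '', containsRawScriptTag($html) ? 'raw <script> present' : 'no raw <script>');
}
```

Run it with `php self.php` from the command line; only renderVulnerable() reports a raw script tag. The same reasoning applies to any other place PHP_SELF is reflected, including JavaScript string literals and Location headers, where htmlspecialchars() is the wrong escaper and the SCRIPT_NAME substitution is the part that matters.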

This notice was posted to the PHP Manual's $_SERVER documentation page as well (on behalf of New York PHP).

By Chris Snyder on July 24, 2005 at 11:05am
