On Tue, Jan 13, 2009 at 1:32 PM, Jason Pruim <japruim@xxxxxxxxxx> wrote:
>
> On Jan 13, 2009, at 1:29 PM, Eric Butera wrote:
>
>> On Tue, Jan 13, 2009 at 1:14 PM, Jason Pruim <japruim@xxxxxxxxxx> wrote:
>>
>>> On Jan 13, 2009, at 9:46 AM, Ashley Sheridan wrote:
>>>
>>>> On Tue, 2009-01-13 at 09:33 -0500, tedd wrote:
>>>>
>>>>> At 2:33 PM +0000 1/13/09, Ashley Sheridan wrote:
>>>>>
>>>>>> On Tue, 2009-01-13 at 09:20 -0500, tedd wrote:
>>>>>>
>>>>>>> Jason:
>>>>>>>
>>>>>>> In addition to what everyone else has said, try this:
>>>>>>>
>>>>>>> $self = basename($_SERVER['SCRIPT_NAME'])
>>>>>>>
>>>>>>> I use it for forms -- you might find it useful.
>>>>>>>
>>>>>>> Cheers,
>>>>>>>
>>>>>>> tedd
>>>>>>>
>>>>>>> --
>>>>>>> -------
>>>>>>> http://sperling.com http://ancientstones.com http://earthstones.com
>>>>>>
>>>>>> No need to use it on forms, as leaving the action attribute empty means
>>>>>> the form sends to itself anyway.
>>>>>>
>>>>>> Ash
>>>>>
>>>>> Ash:
>>>>>
>>>>> That's what I've said for years, but (I think it was on this list,
>>>>> but too lazy to look) there was a concern that some browsers may not
>>>>> follow that default behavior.
>>>>>
>>>>> However, using what I provided will work regardless.
>>>>>
>>>>> Cheers,
>>>>>
>>>>> tedd
>>>>>
>>>>> --
>>>>> -------
>>>>> http://sperling.com http://ancientstones.com http://earthstones.com
>>>>
>>>> I've not yet seen a browser that doesn't do this, and it's pretty old
>>>> HTML really, so I don't see a reason why any new browsers wouldn't
>>>> incorporate it.
>>>
>>> I prefer to be specific in my programming :)
>>>
>>> What I typically do with self submitting forms is:
>>>
>>> <?PHP
>>> $self = $_SERVER['PHP_SELF'];
>>>
>>> echo <<<HTML
>>> <form method="post" action="{$self}">
>>> ...
>>> </form>
>>> HTML;
>>> ?>
>>>
>>> But to each his (or her) own, right?
>>>
>>> --
>>> Jason Pruim
>>> japruim@xxxxxxxxxx
>>> 616.399.2355
>>
>> You know that's asking for XSS, right?
>
> Not until just now.... But I'll be looking into that and changing it to
> something more secure very shortly.
>
> --
> Jason Pruim
> japruim@xxxxxxxxxx
> 616.399.2355

This might help: http://www.thespanner.co.uk/2008/01/14/exploiting-php-self/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
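The three approaches argued over in the thread, placed side by side so the difference is visible. This is an added example, not code posted by any participant; the `$server` array is a constructed stand-in for `$_SERVER`, and the function names are mine.

```php
<?php
// Added example: how the value placed in a self-submitting form's
// action attribute is derived, unsafe form first, hardened forms after.

// Unsafe (the pattern questioned in the thread): PHP_SELF reflects the
// request path as the client sent it, including any PATH_INFO segment
// appended after the script name, so echoing it raw puts client-controlled
// text straight into an HTML attribute.
function actionUnsafe(array $server): string
{
    return $server['PHP_SELF'];
}

// Fix 1: keep PHP_SELF but escape it for the attribute context. ENT_QUOTES
// is required because the value is wrapped in quotes in the markup.
function actionEscaped(array $server): string
{
    return htmlspecialchars($server['PHP_SELF'], ENT_QUOTES, 'UTF-8');
}

// Fix 2 (tedd's suggestion): SCRIPT_NAME is the path of the script the web
// server actually resolved, so the trailing PATH_INFO is not part of it.
// basename() drops the directory. Escaping is still applied: the value is
// not expected to contain attribute-breaking characters, but output
// encoding at the point of use is the rule, not the exception.
function actionScriptName(array $server): string
{
    return htmlspecialchars(basename($server['SCRIPT_NAME']), ENT_QUOTES, 'UTF-8');
}

// Renders the opening tag the way the thread's heredoc does, for each variant.
function formTag(string $action): string
{
    return '<form method="post" action="' . $action . '">';
}

// Constructed request (hypothetical values, not a real capture): the client
// requested /form.php/extra"data. The server still runs form.php; PHP
// reports the appended segment in PATH_INFO and PHP_SELF, while SCRIPT_NAME
// stays /form.php.
$server = [
    'SCRIPT_NAME' => '/form.php',
    'PATH_INFO'   => '/extra"data',
    'PHP_SELF'    => '/form.php/extra"data',
];

// The unsafe variant terminates the attribute early at the embedded quote;
// the escaped variant keeps it inside the attribute as an entity; the
// SCRIPT_NAME variant never contained the client-supplied segment at all.
echo "unsafe  : ", formTag(actionUnsafe($server)), "\n";
echo "escaped : ", formTag(actionEscaped($server)), "\n";
echo "basename: ", formTag(actionScriptName($server)), "\n";
```

Ashley's option, omitting the `action` attribute entirely, avoids the question altogether: a form without `action` submits to the document's own URL, and nothing from the request is echoed into the markup. Whichever variant is chosen, the property to check in review is that no `$_SERVER` value reaches HTML output without passing through `htmlspecialchars()` with `ENT_QUOTES`.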