On Sat, May 21, 2011 at 3:11 PM, tedd <tedd@xxxxxxxxxxxx> wrote:
> Hi gang:
>
> Okay, so, what's the "best" (i.e., most secure) way for your script to
> identify itself *IF* you plan on using that information later, such as the
> value in an action attribute in a form?
>
> For example, I was using:
>
> $self = basename($_SERVER['SCRIPT_NAME']);
>
> <form name="my_form" action="<?php echo($self); ?>" method="post" >
>
> However, that was susceptible to XSS.
>
> http://www.mc2design.com/blog/php_self-safe-alternatives
>
> says a simple action="#" would work.
>
> But is there a better way?
>
> What would you do to solve this?
>

If you want the form to submit to the same URL that generated the form, I'd recommend using $_SERVER['REQUEST_URI']. You can also omit the action attribute entirely which, in my experience, will cause the browser to submit to the current URL. I have no idea whether that's part of the HTML spec, but that's the behaviour I've always observed.

Alternatively, by my reckoning, you could make your use of PHP_SELF safe by applying rawurlencode to $self when you put it in the action, but that's only after 30 seconds of thinking about it.

-Stuart

-- 
Stuart Dallas
3ft9 Ltd
http://3ft9.com/
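The options discussed in this thread, side by side, as an added example that is not part of the original messages: the raw echo of a server variable into the action attribute, the same value passed through HTML-attribute escaping, the action="#" form from the linked blog post, and the rawurlencode-on-basename idea. The request path is a constructed sample standing in for whatever $_SERVER['REQUEST_URI'] or $_SERVER['PHP_SELF'] might carry when the URL is attacker-controlled; the function names are hypothetical.

```php
<?php
// Added example (not from the thread): how a server-derived path behaves
// in a form action attribute with and without escaping.
declare(strict_types=1);

/**
 * Vulnerable pattern from the thread: the value is echoed raw, so a quote
 * or angle bracket in the path terminates the attribute and the tag.
 */
function formActionRaw(string $path): string
{
    return '<form name="my_form" action="' . $path . '" method="post">';
}

/**
 * Hardened pattern: HTML-attribute escaping. Quotes, angle brackets and
 * ampersands become entities, so the value cannot leave the attribute.
 */
function formActionEscaped(string $path): string
{
    $safe = htmlspecialchars($path, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form name="my_form" action="' . $safe . '" method="post">';
}

/**
 * The action="#" alternative from the linked blog post: no request data
 * reaches the markup, so there is nothing to escape.
 */
function formActionHash(): string
{
    return '<form name="my_form" action="#" method="post">';
}

/**
 * Stuart's suggestion: rawurlencode applied to the basename. Percent-encoding
 * turns '"', '<' and '>' into %22, %3C and %3E, which are inert in an
 * attribute. rawurlencode also encodes '/', so it suits a bare filename
 * (as basename yields) rather than a full path.
 */
function formActionUrlEncoded(string $path): string
{
    $safe = rawurlencode(basename($path));
    return '<form name="my_form" action="' . $safe . '" method="post">';
}

// Constructed sample: a request path carrying attribute-breaking characters.
$samplePath = '/page.php/"><injected>';

echo "raw:        " . formActionRaw($samplePath) . PHP_EOL;
echo "escaped:    " . formActionEscaped($samplePath) . PHP_EOL;
echo "hash:       " . formActionHash() . PHP_EOL;
echo "urlencoded: " . formActionUrlEncoded($samplePath) . PHP_EOL;

// Self-check: neither hardened form lets the raw tag text through.
assert(strpos(formActionEscaped($samplePath), '<injected>') === false);
assert(strpos(formActionEscaped($samplePath), '&quot;&gt;&lt;injected&gt;') !== false);
assert(strpos(formActionUrlEncoded($samplePath), '<injected>') === false);
assert(strpos(formActionUrlEncoded($samplePath), '%22%3E%3Cinjected%3E') !== false);
```

Run it with `php example.php` and compare the four lines: only the raw variant emits the sample's `"><injected>` unchanged. The escaping choice depends on the output context: htmlspecialchars with ENT_QUOTES is the general fix for any value placed in an HTML attribute, while rawurlencode happens to be safe here because percent-encoding covers the same characters, but it is a URL encoder, not an HTML encoder.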