On Sat, 2011-05-21 at 10:11 -0400, tedd wrote:
> Hi gang:
>
> Okay, so, what's the "best" (i.e., most secure) way for your script to
> identify itself *IF* you plan on using that information later, such
> as the value in an action attribute in a form?
>
> For example, I was using:
>
> $self = basename($_SERVER['SCRIPT_NAME']);
>
> <form name="my_form" action="<?php echo($self); ?>" method="post" >
>
> However, that was susceptible to XSS.
>
> http://www.mc2design.com/blog/php_self-safe-alternatives
>
> says a simple action="#" would work.
>
> But is there a better way?
>
> What would you do to solve this?
>
> Cheers,
>
> tedd
>
> --
> -------
> http://sperling.com/

I never use the action attribute if the form is posting to itself, as the default action I've seen in any browser since the days of IE3 has been for forms to post to themselves if no other action has been specified. Having read that link you posted, I realise that leaving the action attribute out altogether would also be affected by the <base> element.

However, looking at the output of $_SERVER again, couldn't you just subtract the value of PATH_INFO from the value of PHP_SELF, or only use the portion of PHP_SELF that didn't include PATH_INFO?

<?php
// PATH_INFO is the trailing path the client supplied; cut it off PHP_SELF
if (isset($_SERVER['PATH_INFO'])) {
    $safe_self = substr($_SERVER['PHP_SELF'], 0, strpos($_SERVER['PHP_SELF'], $_SERVER['PATH_INFO']));
} else {
    $safe_self = $_SERVER['PHP_SELF'];
}
echo $safe_self;
?>

I've just tested this here and it seems to do the trick

--
Thanks,
Ash
http://www.ashleysheridan.co.uk
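As an added example (not tedd's or Ash's code): the self-reference built from SCRIPT_NAME, which the web server resolves and which therefore does not carry the client's PATH_INFO, and passed through htmlspecialchars() before it lands in the action attribute, shown beside the raw PHP_SELF version on a constructed request. The $_SERVER keys are the ones discussed in the thread; the request values in $sample are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Assumes the $_SERVER keys
// discussed above: PHP_SELF, SCRIPT_NAME and PATH_INFO.

// The approach tedd started from: PHP_SELF includes PATH_INFO, which the
// client chooses, so whatever follows the script name is reflected into HTML.
function naive_self(array $server): string
{
    return $server['PHP_SELF'];
}

// Hardened version: SCRIPT_NAME is the path the server mapped to the script.
// Strip PATH_INFO anyway (some SAPI/FastCGI setups append it), then escape,
// because the value is still being placed inside an HTML attribute.
function safe_self(array $server): string
{
    $path = $server['SCRIPT_NAME'] ?? '';
    $info = $server['PATH_INFO'] ?? '';
    if ($info !== '' && substr($path, -strlen($info)) === $info) {
        $path = substr($path, 0, -strlen($info));
    }
    return htmlspecialchars($path, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed request: the visitor appended a PATH_INFO segment that closes
// the attribute and injects markup.
$sample = [
    'SCRIPT_NAME' => '/app/form.php',
    'PATH_INFO'   => '/"><b>injected</b>',
    'PHP_SELF'    => '/app/form.php/"><b>injected</b>',
];

// Raw PHP_SELF breaks out of the attribute; the hardened value stays inside it.
echo '<form action="' . naive_self($sample) . '" method="post">', PHP_EOL;
echo '<form action="' . safe_self($sample) . '" method="post">', PHP_EOL;
```

Run it with the PHP CLI; the second line should read `<form action="/app/form.php" method="post">` while the first shows the attribute broken open.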