On 5/21/2011 10:11 AM, tedd wrote:
Hi gang:
Okay, so,what's the "best" (i.e., most secure) way for your script to identify
itself *IF* you plan on using that information later, such as the value in an
action attribute in a form?
For example, I was using:
$self = basename($_SERVER['SCRIPT_NAME']);
<form name="my_form" action="<?php echo($self); ?>" method="post" >
However, that was susceptible to XSS.
http://www.mc2design.com/blog/php_self-safe-alternatives
says a simple action="#" would work.
But is there a better way?
What would do you do solve this?
Cheers,
tedd
Consider saving a hash for your script file in a session buffer.
Then compare the hash value for the new file.
Or, just save the file's create date as a session value and compare it with the
new one.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
