Re: Script ID?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On May 21, 2011, at 9:11 AM, tedd wrote:

Hi gang:

Okay, so,what's the "best" (i.e., most secure) way for your script to identify itself *IF* you plan on using that information later, such as the value in an action attribute in a form?

For example, I was using:

$self = basename($_SERVER['SCRIPT_NAME']);

<form name="my_form" action="<?php echo($self); ?>" method="post" >

However, that was susceptible to XSS.

http://www.mc2design.com/blog/php_self-safe-alternatives

says a simple action="#" would work.

But is there a better way?

What would do you do solve this?

Cheers,

tedd


--
-------
http://sperling.com/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


Hi, everyone. I've been following this thread, and as I am not that familiar with XSS attacks, I went searching for information about them. I did find this:

	https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

which may help others like me begin to understand the issue. That said, I really don't understand how using something like $self=basename($_SERVER['SCRIPT_NAME']); becomes vulnerable to an XSS attack. Can someone explain to me how this works? Then I might be able to understand how to prevent it.

Thanks.


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux