Home/ Questions/Q 1051073
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-16T16:52:21+00:00

I am a newbie to PHP still, so excuse this question if it seems

  • 0

I am a newbie to PHP still, so excuse this question if it seems silly, but I was wondering if this is safe usage of $_SERVER['PHP_SELF'].

From my reading about what’s wrong with it (prone to injection), I was wondering if it safe to compare it.

For example, I want the PHP/CSS stylesheet to change depending on the page the person is on, so in the PHP/CSS, it would have an if statement checking $_SERVER['PHP_SELF'] to see if the page their visiting requires a different stylesheet.

Example:

if ($_SERVER['PHP_SELF'] === $thisPage) { }

Could malicious code affect me this way? Could I simply validate/cleanse it, then use it?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    A better code example would be:

    if ($_SERVER['SCRIPT_NAME'] === $thisPage) { }

    Still, it depends on the contents of $thisPage. If $thisPage contains $_SERVER['PHP_SELF'] too, you should change that to $_SERVER['SCRIPT_NAME']

    If you really can’t use alternatives like __FILE__ and $_SERVER['SCRIPT_NAME'], and make sure you understand the checks involved, yes.

    For example, this URL: http://example.com/sick.php/mwuahahahaha gives:

    /sick.php/mwuahahahaha

    Comparing is allowed, for non-critical things like CSS.

    If there’s no need to get the requested path (no URL rewrites), use $_SERVER['SCRIPT_NAME'].
    If you really need $_SERVER['PHP_SELF'] (rewrited URL), escape them when outputting (using htmlentities($_SERVER['PHP_SELF']).

    Overview of variables:

    • __FILE__: contains the full filesystem path from the active script. E.g.:
      <?php /*test.php*/ include 'file.php';?>
      <?php /*file.php*/ echo __FILE__;?>
      Requesting test.php gives something like: /var/www/file.php (and not /var/www/test.php)
    • $_SERVER['SCRIPT_FILENAME']: contains the filesystem path of the requested script, e.g. /var/www/test.php
    • $_SERVER['SCRIPT_NAME']: contains the path of the requested script (like a filesystem one, but with the document root stripped), e.g. /test.php (even when using rewrited URL’s)
    • $_SERVER['PHP_SELF']: contains a translated path (// -> /, . and .. resolved), but with additional path info.
    • $_SERVER['REQUEST_URI']: the worst of these, it contains the raw string in the request as in. GET [REQUEST_URI] HTTP/1.0. (escaped) nullbytes are still visible in here. This is just the raw data between GET (or whatever methode you use) and HTTP/1.0 (or whatever HTTP version you use)

    A comparison of these variables:

    I performed this test with nc, but telnet should suffice too. Server was from http://xampp.org/. The requested file is test.php, which contains:

    <?php
$properties = array('SCRIPT_FILENAME', 'SCRIPT_NAME', 'PHP_SELF', 'REQUEST_URI');
printf("% 15s: %s\n", '__FILE__', __FILE__);
foreach($properties as $property){
     printf('% 15s: %s', $property, $_SERVER[$property]."\n");
}
?>

    Test:

    $ nc localhost 80
GET ///somedir/./../////test.php/somedata%20here?q%00=%25 HTTP/1.0


HTTP/1.1 200 OK
Server: Apache/2.2.14 (Unix)
[stripped]

       __FILE__: /opt/lampp/htdocs/test.php
SCRIPT_FILENAME: /opt/lampp/htdocs/test.php
    SCRIPT_NAME: /////test.php
       PHP_SELF: /////test.php/somedata here
    REQUEST_URI: ///somedir/./../////test.php/somedata%20here?q%00=%25

    Using RewriteRule ^page/test test.php:

    $ nc localhost 80
GET ///somedir/./../page//.////test/somedata%20here?q%00=%25 HTTP/1.0

HTTP/1.1 200 OK
Server: Apache/2.2.14 (Unix)
[stripped]

       __FILE__: /opt/lampp/htdocs/test.php
SCRIPT_FILENAME: /opt/lampp/htdocs/test.php
    SCRIPT_NAME: /test.php
       PHP_SELF: /test.php
    REQUEST_URI: ///somedir/./../page//.////test/somedata%20here?q%00=%25

    Conclusion: the safest variable to use in most cases is $_SERVER['SCRIPT_NAME'].

    • 0