I am using the code below to control pagination. It's using $_SERVER['PHP_SELF'], so I wanted to know whether it is secure this way, or what I have to do to make $_SERVER['PHP_SELF'] secure.
<?php
// $rows (total number of result rows) and $startrow (offset of the current
// page) are set earlier in the script and are not shown here.
if ($rows > 10) {
    echo '<a id="nex" href="' . $_SERVER['PHP_SELF'] . '?pg=' . ($startrow + 10) . '">Next</a>';
}
$prev = $startrow - 10;
if ($prev >= 0) {
    echo '<a id="pex" href="' . $_SERVER['PHP_SELF'] . '?pg=' . $prev . '">Previous</a>';
}
?>
To prevent XSS attacks, you should use htmlspecialchars() or filter_input() to escape $_SERVER['PHP_SELF']. See this question for more info.

Note also that if you start an href attribute with ? and no path, the browser will append the subsequent query string to the current request, much like a relative link would append to the same directory.

I'm assuming that you're sanitizing $prev and $startrow elsewhere. The mathematical comparisons should make them safe, but if they're coming from $_GET it's a good idea to run them through intval() before you do anything else.
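The following is an added example, not code from the question or the answer above. It builds the same Next/Previous links three ways: the original pattern that echoes $_SERVER['PHP_SELF'] raw, a hardened version that escapes the path with htmlspecialchars() and runs the page offset through intval(), and a version that drops PHP_SELF entirely and relies on a relative href="?pg=N". The function names and the constructed attacker-controlled path are illustrative assumptions; PHP_SELF includes any trailing PATH_INFO the client sends, which is how the injected string reaches the page.

```php
<?php
// Added example: not part of the original question or answer.
// pagination_links_unsafe / pagination_links_safe / pagination_links_relative
// are hypothetical helper names chosen for this illustration.

declare(strict_types=1);

const PAGE_SIZE = 10;

// Original pattern: the request path is inserted into the href unescaped.
function pagination_links_unsafe(string $self, int $startrow, int $rows): string
{
    $html = '';
    if ($rows > PAGE_SIZE) {
        $html .= '<a id="nex" href="' . $self . '?pg=' . ($startrow + PAGE_SIZE) . '">Next</a>';
    }
    $prev = $startrow - PAGE_SIZE;
    if ($prev >= 0) {
        $html .= '<a id="pex" href="' . $self . '?pg=' . $prev . '">Previous</a>';
    }
    return $html;
}

// Hardened pattern: escape everything that lands inside the attribute and
// force the offset to a non-negative integer before using it.
function pagination_links_safe(string $self, mixed $pg, int $rows): string
{
    // intval() turns '10abc', '10', or garbage into an int; clamp negatives to 0.
    $startrow = max(0, intval($pg));

    // ENT_QUOTES escapes both ' and " so the value cannot close the attribute
    // whichever quote style wraps it; ENT_SUBSTITUTE avoids returning '' on
    // invalid UTF-8, which would otherwise silently drop the whole link.
    $path = htmlspecialchars($self, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    $html = '';
    if ($rows > PAGE_SIZE) {
        $html .= '<a id="nex" href="' . $path . '?pg=' . ($startrow + PAGE_SIZE) . '">Next</a>';
    }
    $prev = $startrow - PAGE_SIZE;
    if ($prev >= 0) {
        $html .= '<a id="pex" href="' . $path . '?pg=' . $prev . '">Previous</a>';
    }
    return $html;
}

// Alternative from the answer: a bare "?pg=N" href is resolved by the browser
// against the current path, so the script path need not be emitted at all.
function pagination_links_relative(mixed $pg, int $rows): string
{
    $startrow = max(0, intval($pg));
    $html = '';
    if ($rows > PAGE_SIZE) {
        $html .= '<a id="nex" href="?pg=' . ($startrow + PAGE_SIZE) . '">Next</a>';
    }
    $prev = $startrow - PAGE_SIZE;
    if ($prev >= 0) {
        $html .= '<a id="pex" href="?pg=' . $prev . '">Previous</a>';
    }
    return $html;
}

// Constructed input: a request for /index.php/"><script>alert(1)</script>
// yields this PHP_SELF value when the server passes PATH_INFO through.
$attackerSelf = '/index.php/"><script>alert(1)</script>';

// Simulated query-string value that an attacker could also tamper with.
$untrustedPg = '10abc';

echo "Unsafe (script tag survives intact):\n";
echo pagination_links_unsafe($attackerSelf, 10, 25), "\n\n";

echo "Safe (quotes and angle brackets become entities, offset is 10):\n";
echo pagination_links_safe($attackerSelf, $untrustedPg, 25), "\n\n";

echo "Relative (no path emitted at all):\n";
echo pagination_links_relative($untrustedPg, 25), "\n";
```

Run it with `php example.php` and compare the three outputs: only the first contains a literal `<script>` inside the href; the second renders the same characters as `&quot;&gt;&lt;script&gt;...`, and the third avoids the problem by never putting the request path on the page. The relative form is the simplest fix when the pagination links always point back at the current script, but the escaping in the second version is still the right habit for any request-derived value that ends up in markup.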