Is there any risk of using $_SERVER['REQUEST_URI'] or $_SERVER['PHP_SELF'] as the action in a form or as the href in a link?
If so, what can be done to alleviate the risk?
You make a form on http://www.example.com/form.php. A year from now, you forget the URL is just grabbing whatever URL the page is loaded on.
At some point, let’s say you’ve added a ‘delete everything’ global option in your framework as part of a completely different (slightly odd) request.
Now, somebody sends you this link: http://www.example.com/form.php?delete_everything=true. Since you’re just grabbing that URL and setting it as the action, that is now the action on your form. Oops. XSS attacks work essentially in this way.
Always assume that your code is going to be used (even by you, and especially by hackers) in ways that you don’t expect when you first write it.
How do you get round it? Hardcode the URL! You can include a function which returns the URL. In effect, this is how frameworks like Symfony or CodeIgniter solve it.
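The pattern the answer describes, as an added PHP example that is not part of the original question or answer: `$_SERVER['PHP_SELF']` and `$_SERVER['REQUEST_URI']` are set to constructed values so the script runs offline under the PHP CLI, and `/form.php` is an assumed route. The unsafe function reflects the superglobal straight into the `action` attribute; the two hardened functions either hard-code the route (what the answer recommends, and what frameworks do with a URL helper) or, when the current path genuinely has to be reflected, strip the query string and escape the value for an attribute context.

```php
<?php
// Added example, not code from the original answer.
// The superglobals are set to constructed values so this runs offline.
declare(strict_types=1);

// Constructed input: PHP_SELF carries PATH_INFO, so anything a visitor
// appends after form.php is reflected into the page. A stray quote and
// angle bracket are enough to show the attribute being broken out of.
$_SERVER['PHP_SELF']    = '/form.php/"><b>extra';
$_SERVER['REQUEST_URI'] = '/form.php/"><b>extra?delete_everything=true';

// 1. Vulnerable pattern: raw superglobal inside an HTML attribute.
//    Whatever URL the page was loaded on becomes the form's action.
function action_unsafe(): string
{
    return '<form method="post" action="' . $_SERVER['PHP_SELF'] . '">';
}

// 2. Hardened: hard-code the route, as the answer recommends. The action
//    no longer depends on the URL the visitor arrived with.
function form_route(): string
{
    return '/form.php';   // assumed path for this example
}

function action_hardcoded(): string
{
    return '<form method="post" action="' . form_route() . '">';
}

// 3. If the current path really must be reflected, drop the visitor-
//    controlled query string and escape the rest for an attribute context.
function action_escaped(): string
{
    $path = explode('?', $_SERVER['REQUEST_URI'], 2)[0];   // strip query string
    $safe = htmlspecialchars($path, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form method="post" action="' . $safe . '">';
}

echo "unsafe:    " . action_unsafe()    . PHP_EOL;
echo "hardcoded: " . action_hardcoded() . PHP_EOL;
echo "escaped:   " . action_escaped()   . PHP_EOL;
```

Running this with `php example.php` shows the unsafe line closing the `action` attribute early and emitting a `<b>` tag from the request path, while the hard-coded line ignores the request entirely and the escaped line renders the quote and brackets as `&quot;`, `&gt;` and `&lt;`. Hard-coding (or a framework URL helper that builds the path from a route name) is the simpler fix because it removes the user-controlled value from the markup altogether; escaping is the fallback for the cases where the path must round-trip.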