Deji Posted August 16, 2010

I've got quite a lot of knowledge around PHP, but can't get my head around this.

I have a form at the top of my page that should display on most pages. On submission of the form, it should redirect to the page that was used to send the data. However, since this form is inside of a require()'d PHP page, any PHP_SELF links straight to that page instead of what it was require()'d by. My PHP_SELF variables have been made safer by use of this:

$phpself = basename(__FILE__);
$_SERVER['PHP_SELF'] = substr ( $_SERVER['PHP_SELF'], 0, strpos ( $_SERVER['PHP_SELF'], $phpself )) . $phpself;

But somehow, even if I manage to use this before including the page that displays the form and despite the form showing up with the html "action='page.php'", it still redirects to the homepage as if action hadn't been used at all. And I also wanted any GET parameters that were used to display the current page to remain in place.

So is there any way to do this securely and such? Have a form that has been included by PHP redirect to the exact same page, with the same variables? Or am I better off using Javascript (grr) to set the cookies (or load the PHP script to set them) and refresh the page?.. I'd personally prefer a PHP method.
justsomeguy Posted August 16, 2010

Look through the values in the $_SERVER array. You may want to use REQUEST_URI or HTTP_REFERER.
Deji Posted August 16, 2010

REQUEST_URI seems right... Do I have to make these safe in any way? I'm only using them for the form, but I'm still unsure of how most of these things are dangerous. It was some sort of Javascript hacking problem for PHP_SELF, right?
justsomeguy Posted August 16, 2010

It would be safest if you rebuilt the URL from something like $_SERVER['SCRIPT_NAME'] and $_SERVER['QUERY_STRING']. Break apart the query string values and validate them to make sure that the URL you're building only includes the variables that you allow. The danger is someone injecting Javascript code into the URL so that you print it in the form, and then they can capture the submit event or something like that to get the data in the form.

"It was some sort of Javascript hacking problem for PHP_SELF, right?"

I'm not sure what you mean.
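The approach justsomeguy describes, rebuilding the form action from SCRIPT_NAME and QUERY_STRING with a whitelist of allowed parameters, as an added example (not code from the thread). The function name, the whitelist contents and the sample request are assumptions for illustration.

```php
<?php
// Added example. Builds the form action from SCRIPT_NAME plus only the
// query parameters on a whitelist, instead of echoing PHP_SELF or
// REQUEST_URI raw into the HTML. Names here are illustrative assumptions.

function build_form_action(string $scriptName, string $queryString, array $allowed): string
{
    // Accept only a conservative absolute path; fall back to "/" otherwise.
    $path = $scriptName;
    if (!preg_match('#^/[A-Za-z0-9_./-]*$#', $path) || str_contains($path, '..')) {
        $path = '/';
    }

    // Break the query string apart and keep only whitelisted, valid values.
    parse_str($queryString, $params);
    $kept = [];
    foreach ($allowed as $name => $pattern) {
        if (isset($params[$name]) && is_string($params[$name])
            && preg_match($pattern, $params[$name])) {
            $kept[$name] = $params[$name];
        }
    }

    $url = $path;
    if ($kept !== []) {
        $url .= '?' . http_build_query($kept);   // percent-encodes values
    }

    // Escape for the action="..." attribute context so quotes and angle
    // brackets can never break out of the attribute.
    return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Whitelist: parameter name => regex its value must match.
$allowed = [
    'page' => '/^[0-9]{1,5}$/',
    'sort' => '/^(asc|desc)$/',
];

// Constructed sample request: a valid "page", a "sort" value that fails
// validation (contains a quote and angle bracket), and an unknown "evil".
$action = build_form_action(
    '/news/list.php',
    'page=3&sort=%22%3E%3Cb%3Ex&evil=1',
    $allowed
);

// $action is now "/news/list.php?page=3": the bad and unknown parameters
// were dropped, and the result is safe to print in action="...".
echo '<form method="post" action="' . $action . '">', "\n";
```

In a real page the arguments would be $_SERVER['SCRIPT_NAME'] and $_SERVER['QUERY_STRING'], which is what lets the included form post back to whichever page require()'d it.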
Deji Posted August 16, 2010

Javascript XSS or whatever... Could be sent through a form or URL to execute Javascript or something. Or maybe I meant what you said.

Rebuilding the URL could prove a problem, but I'll give it a shot.

Thanks.