Junitar
Posted March 24, 2017 (edited March 24, 2017 by Junitar)

Hi,

I'm new to PHP and I was wondering if it's perfectly safe to use $_SERVER['PHP_SELF'] like so:

    <body<?php if(basename($_SERVER['PHP_SELF']) == 'home.php') echo ' class="home"'; ?>>
    …
    </body>

As far as I understand, the $_SERVER['PHP_SELF'] variable can only be exploited when used as a link or in a form/inputs, where the variable should be wrapped into htmlspecialchars() to counter XSS attacks, am I right?

Ingolme
Posted March 24, 2017

There's no security issue there because the only thing that can be "hacked" is whether the body element has a class attribute or not.

Junitar (Author)
Posted March 24, 2017 (edited March 24, 2017 by Junitar)

Thank you for confirming my thoughts. I had a doubt after I stumbled upon an old thread on Stack Overflow where a guy implied this kind of code was possibly flawed.
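
The two uses of $_SERVER['PHP_SELF'] discussed in this thread, side by side, as an added example that is not part of any post above. The function names are hypothetical, and `$phpSelf` stands in for `$_SERVER['PHP_SELF']` with constructed sample values so the script runs from the command line.

```php
<?php
// Added example, not code from the thread. $phpSelf stands in for
// $_SERVER['PHP_SELF']; both sample values below are constructed.

// Pattern from the question: the value is only compared. The only text
// that can ever reach the page is the fixed literal ' class="home"'.
function bodyClassAttr(string $phpSelf): string
{
    return basename($phpSelf) === 'home.php' ? ' class="home"' : '';
}

// Contrasting pattern: the value itself is written into an attribute.
// Kept unescaped on purpose to show what the escaped version prevents.
function formActionUnescaped(string $phpSelf): string
{
    return '<form action="' . $phpSelf . '" method="post">';
}

// Same output point, escaped for an HTML attribute context.
function formActionEscaped(string $phpSelf): string
{
    $safe = htmlspecialchars($phpSelf, ENT_QUOTES, 'UTF-8');
    return '<form action="' . $safe . '" method="post">';
}

$samples = [
    'plain request'       => '/home.php',
    // PHP_SELF includes any extra path the client appends to the script.
    'extra path appended' => '/home.php/"><b>injected</b>',
];

foreach ($samples as $label => $phpSelf) {
    echo "== $label ==\n";
    echo '<body' . bodyClassAttr($phpSelf) . ">\n";
    echo formActionUnescaped($phpSelf) . "\n";
    echo formActionEscaped($phpSelf) . "\n\n";
}
```

With the second sample, the body tag simply loses its class, the unescaped form tag is closed early by the appended markup, and the escaped form tag keeps the whole value inside the attribute as `&quot;&gt;&lt;b&gt;…`.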