How To Avoid $_SERVER["PHP_SELF"] Exploits?



    Re: How To Avoid $_SERVER["PHP_SELF"] Exploits?

    $_SERVER["PHP_SELF"] Exploits:

    <form method="post" action="<?php echo $_SERVER["PHP_SELF"];?>"> 
    <form method="post" action="test_form.php">
    <form method="post" action="test_form.php/"><script>alert('hacked')</script>

    $_SERVER["PHP_SELF"] exploits can be avoided by using the htmlspecialchars() function. 

    <form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>"> 

    The htmlspecialchars() function converts special characters to HTML entities. Now, if the user tries to exploit the PHP_SELF variable, it results in:

    <form method="post" action="test_form.php/&quot;&gt;&lt;script&gt;alert('hacked')&lt;/script&gt;"> 

    Validate Form Data With PHP:

    <script>location.href('http://www.hacked.com')</script> 

    Example: 

    <?php 
    // Define the variables and set them to empty values so they are always defined.
    $name = $email = $gender = $comment = $website = "";

    // Only process the fields when the form was actually submitted via POST.
    if ($_SERVER["REQUEST_METHOD"] == "POST") {
      // "?? """ avoids an undefined index notice when a field is missing from the request.
      $name = test_input($_POST["name"] ?? "");
      $email = test_input($_POST["email"] ?? "");
      $website = test_input($_POST["website"] ?? "");
      $comment = test_input($_POST["comment"] ?? "");
      $gender = test_input($_POST["gender"] ?? "");
    }

    // Strip surrounding whitespace and backslashes, then convert special
    // characters (<, >, &, ") to HTML entities so submitted text is shown
    // as text rather than rendered as markup.
    function test_input($data) {
      $data = trim($data);
      $data = stripslashes($data);
      $data = htmlspecialchars($data);
      return $data;
    }
    ?>

    The script checks $_SERVER["REQUEST_METHOD"]. If the REQUEST_METHOD is POST, then the form has been submitted, and it should be validated. 

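An added example (not the poster's code) that renders the form tag with and without escaping for a constructed PHP_SELF value carrying the payload from the answer above; the function names and the sample path are assumptions. It also shows the flags worth passing to htmlspecialchars(), because before PHP 8.1 the default flags left single quotes unescaped, which matters when the attribute is quoted with ' instead of ".

```php
<?php
// Added example, not from the original post. Run from the CLI: php self_demo.php
declare(strict_types=1);

// Constructed request path: what $_SERVER["PHP_SELF"] holds when a visitor
// follows a crafted link to test_form.php (the payload shown in the answer).
$phpSelf = 'test_form.php/"><script>alert(\'hacked\')</script>';

// Same as <form action="<?php echo $_SERVER["PHP_SELF"]; ?>">: the value is
// dropped into the attribute verbatim, so the embedded quote closes it.
function vulnerableForm(string $self): string
{
    return '<form method="post" action="' . $self . '">';
}

// Hardened version. ENT_QUOTES escapes both " and ' (defaults before PHP 8.1
// only escaped "), ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning
// an empty string, and the charset is stated explicitly to match the page.
function hardenedForm(string $self): string
{
    $safe = htmlspecialchars($self, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post" action="' . $safe . '">';
}

// Same attribute quoted with single quotes: escaping without ENT_QUOTES would
// still let a ' in the path break out, so the flags above are not optional.
function hardenedSingleQuotedForm(string $self): string
{
    $safe = htmlspecialchars($self, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<form method='post' action='" . $safe . "'>";
}

// Reviewer check: the rendered markup must contain exactly one tag, the
// <form> itself, and no <script> element from the injected path.
function isInert(string $html): bool
{
    return substr_count($html, '<') === 1 && strpos($html, '<script') === false;
}

foreach (['vulnerableForm', 'hardenedForm', 'hardenedSingleQuotedForm'] as $fn) {
    $html = $fn($phpSelf);
    echo str_pad($fn, 26), isInert($html) ? 'inert      ' : 'EXPLOITABLE', '  ', $html, PHP_EOL;
}
```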