Services
Technology Web App Development Mobile App Development Windows App Development Database Development UI/UX Development Cloud Development SEO Digital Marketing Guest Posting Content Writing Artificial Intelligence Data Science ERP Development CRM Development CMS Development LMS Development Business Listing Blockchain Technology Startup Promotion
Products
Data Converter Cleaner TUC - Unit Converter Import Export Survey Manager Tweet Controller
Developer
Article Blog Forum Interview Beginner News Startup Quiz
Users
Career
Apply Job Internship
Pricing
Login Sign Up Get a Quote

forum

home / developersection / forums / how to avoid $_server["php_self"] exploits?
Ask Question
Anonymous User
Anonymous User

Other

I am a content writter !

Message

10 Answers

Francesca Molly
Francesca Molly 10 Oct 2018
Report Abuse
Post is removed by the Admin.
Pratik Srivastav
Pratik Srivastav 18 Sep 2018
Report Abuse
Post is removed by the Admin.
Pratik Srivastav
Pratik Srivastav 18 Sep 2018
Report Abuse
Post is removed by the Admin.
Pratik Srivastav
Pratik Srivastav 18 Sep 2018
Report Abuse
Post is removed by the Admin.
Pratik Srivastav
Pratik Srivastav 18 Sep 2018
Report Abuse
Post is removed by the Admin.
Pratik Srivastav
Pratik Srivastav 18 Sep 2018
Report Abuse
Post is removed by the Admin.
Pratik Srivastav
Pratik Srivastav 18 Sep 2018
Report Abuse
Post is removed by the Admin.
kayle willson
kayle willson 25 Aug 2018
Report Abuse
Post is removed by the Admin.
Ralson Toorkey
Ralson Toorkey 24 Jul 2018
Report Abuse
Post is removed by the Admin.
Prakash nidhi Verma
Prakash nidhi Verma 20 Jul 2018
Report Abuse

$_SERVER["PHP_SELF"] Exploits: 

<form method="post" action="<?php echo $_SERVER["PHP_SELF"];?>"> 
<form method="post" action="test_form.php">

<form method="post" action="test_form.php/"><script>alert('hacked')</script>

$_SERVER["PHP_SELF"] exploits can be avoided by using the htmlspecialchars() function. 

<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>"> 

The htmlspecialchars() function converts special characters to HTML entities.Now, if the user tries to exploit the PHP_SELF variable. 

<form method="post"action="test_form.php/&quot;&gt;&lt;script&gt;alert('hacked')&lt;/script&gt;"> 

Validate Form Data With PHP : 

<script>location.href('http://www.hacked.com')</script> 

Example: 

<?php 
// define variables and set to empty values

$name = $email = $gender = $comment = $website = "";

if ($_SERVER["REQUEST_METHOD"] == "POST") {

  $name = test_input($_POST["name"]);

  $email = test_input($_POST["email"]);

  $website = test_input($_POST["website"]);

  $comment = test_input($_POST["comment"]);

  $gender = test_input($_POST["gender"]);

}

function test_input($data) {

  $data = trim($data);

  $data = stripslashes($data);

  $data = htmlspecialchars($data);

  return $data;

}?>

$_SERVER["REQUEST_METHOD"]. If the REQUEST_METHOD is POST, then the form has been submitted - and it should be validated. 

MindStick Training