How To Avoid $_SERVER["PHP_SELF"] Exploits?

<form method="post" action="<?php echo $_SERVER["PHP_SELF"];?>"> 
<form method="post" action="test_form.php">

<form method="post" action="test_form.php/"><script>alert('hacked')</script>

$_SERVER["PHP_SELF"] exploits can be avoided by using the htmlspecialchars() function.

<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">

The htmlspecialchars() function converts special characters to HTML entities.Now, if the user tries to exploit the PHP_SELF variable.

<form method="post"action="test_form.php/&quot;&gt;&lt;script&gt;alert('hacked')&lt;/script&gt;">

Validate Form Data With PHP :

<script>location.href('http://www.hacked.com')</script>

Example:

<?php 
// define variables and set to empty values

$name = $email = $gender = $comment = $website = "";

if ($_SERVER["REQUEST_METHOD"] == "POST") {

  $name = test_input($_POST["name"]);

  $email = test_input($_POST["email"]);

  $website = test_input($_POST["website"]);

  $comment = test_input($_POST["comment"]);

  $gender = test_input($_POST["gender"]);

}

function test_input($data) {

  $data = trim($data);

  $data = stripslashes($data);

  $data = htmlspecialchars($data);

  return $data;

}?>

$_SERVER["REQUEST_METHOD"]. If the REQUEST_METHOD is POST, then the form has been submitted - and it should be validated.

forum

How To Avoid $_SERVER["PHP_SELF"] Exploits?

Anonymous User

Can you answer this question?

10 Answers

Liked By