当前位置：文江博客话题详情

PHP form-submit self

PHP - 自我表单提交：$_SERVER['PHP_SELF'] OR action=""?

发布于 2024-09-17 06:07:06 字数 300 浏览 7 评论 0 原文

我只是意识到，在一些奇怪的情况下，我正在做我认为是自我提交的事情，而没有在操作表单属性上引用 PHP_SELF 。

我很困惑，我们可以使用

<?php echo filter_var($_SERVER['PHP_SELF'], FILTER_SANITIZE_STRING); ?>

action=""

吗？

如果不是，在什么情况下我们应该考虑其中一种或另一种？

提前致谢， MEM

原文

I just realise that, for some weird circumstances, I was doing what I believe to be self submissions, without any reference to PHP_SELF on the action form attribute.

I'm puzzled, can we either use

<?php echo filter_var($_SERVER['PHP_SELF'], FILTER_SANITIZE_STRING); ?>

action=""

If not, on what circumstances should we considered one, or another?

Thanks in advance,
MEM

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

毁我热情 2024-09-24 06:07:06

您可以使用（PHP_SELF 或空字符串）。但为什么要使用 FILTER_SANITIZE_STRING 呢？在这种情况下，如果您的路径包含过滤字符（例如<)，表单将不会提交。

我更喜欢给出一个字符串，在使用空值时可能会引起麻烦。
例子：

<form action="<?php echo htmlentities($_SERVER['PHP_SELF']);?>" method="post">
</form>

You can use either (PHP_SELF or empty string). but why would you use FILTER_SANITIZE_STRING for this? You'd better to use htmlentities() instead of filter_var in this case, if your path contains filtered characters (e.g. <), the form won't submit.

I prefer giving a string, <base href=> can cause trouble when using empty values.
Example:

<form action="<?php echo htmlentities($_SERVER['PHP_SELF']);?>" method="post">
</form>

回复收藏 0 原文

冰之心 2024-09-24 06:07:06

如果我没记错的话，Safari 对后者有问题，因此我放弃使用它。

回复收藏 0 原文

醉南桥 2024-09-24 06:07:06

请不要使用 PHP_SELF，因为它也可以是 /index.php/">/。

通常用于 XSS 攻击。

请使用索引 SCRIPT_NAME！ SCRIPT_NAME 将始终指向实际的 PHP 文件，而不是用户输入。

编辑

：

有两个人指出， SCRIPT_NAME 在使用 mod_rewrite 时不起作用。这是错误的，我认为这些人应该在投票否决答案之前阅读

以下内容***：

$ cat .htaccess 
RewriteEngine On
RewriteRule testme/ /testmenot.php

$ cat testmenot.php 
<? echo $_SERVER['SCRIPT_NAME']; ?>

$ GET hostname/testme/
/testmenot.php

$_SERVER['REQUEST_URI'] 是。拿着“/testme/”，我想这些人会在 SCRIPT_NAME 中找到它，但在 PHP_SELF 中也找不到它。

/me 交叉手指
：E

Please do not use PHP_SELF, because this can also be /index.php/"><script>alert(1)</script>/.

It's often used for XSS Attacks.

Use the index SCRIPT_NAME instead! SCRIPT_NAME will always point to the actual PHP file and not to the user-input.

Regards

Edit:

Two people point out, that SCRIPT_NAME would not work when using mod_rewrite. This is false and I think these people should read before they vote answers down.

Here's a test scenario for you ***:

$ cat .htaccess 
RewriteEngine On
RewriteRule testme/ /testmenot.php

$ cat testmenot.php 
<? echo $_SERVER['SCRIPT_NAME']; ?>

$ GET hostname/testme/
/testmenot.php

$_SERVER['REQUEST_URI'] is holding "/testme/", which i guess these people would have expected in SCRIPT_NAME. But that can also not be found in PHP_SELF.

/me crosses fingers
:E

回复收藏 0 原文

得不到的就毁灭 2024-09-24 06:07:06

     <?php
     session_start();
        $msg = '';

        if (isset($_POST['login']) && !empty($_POST['username']) 
           && !empty($_POST['password'])) {

           if ($_POST['username'] == 'abc' && 
              $_POST['password'] == 'xyz') {
              $_SESSION['valid'] = true;
              $_SESSION['timeout'] = time();
              $_SESSION['username'] = 'abc';
              ?>

              <script type="text/javascript">

          location.href="index.php"

        </script>
              <?php 
           }
           else 
           {
              $msg ='Invalid username or password';
           }
        }
     ?>
       <form
        action ="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); 
        ?>" method = "post">
              <input type = "text" class = "form-control" 
           name = "username" placeholder = "username" 
           required autofocus ></br> 
          <input type = "password" class = "form-control"
           name = "password" placeholder = "password" required>

      <input class="button" type = "submit"  name = "login" value="Log in"/>

     <?php
     session_start();
        $msg = '';

        if (isset($_POST['login']) && !empty($_POST['username']) 
           && !empty($_POST['password'])) {

           if ($_POST['username'] == 'abc' && 
              $_POST['password'] == 'xyz') {
              $_SESSION['valid'] = true;
              $_SESSION['timeout'] = time();
              $_SESSION['username'] = 'abc';
              ?>

              <script type="text/javascript">

          location.href="index.php"

        </script>
              <?php 
           }
           else 
           {
              $msg ='Invalid username or password';
           }
        }
     ?>
       <form
        action ="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); 
        ?>" method = "post">
              <input type = "text" class = "form-control" 
           name = "username" placeholder = "username" 
           required autofocus ></br> 
          <input type = "password" class = "form-control"
           name = "password" placeholder = "password" required>

      <input class="button" type = "submit"  name = "login" value="Log in"/>

回复收藏 0 原文

~没有更多了~