PHP - 自我表单提交:$_SERVER['PHP_SELF'] OR action=""?

发布于 2024-09-17 06:07:06 字数 300 浏览 12 评论 0 原文

我只是意识到,在一些奇怪的情况下,我正在做我认为是自我提交的事情,而没有在操作表单属性上引用 PHP_SELF 。

我很困惑,我们可以使用

<?php echo filter_var($_SERVER['PHP_SELF'], FILTER_SANITIZE_STRING); ?>

Or

action="" 

吗?

如果不是,在什么情况下我们应该考虑其中一种或另一种?

提前致谢, MEM

I just realise that, for some weird circumstances, I was doing what I believe to be self submissions, without any reference to PHP_SELF on the action form attribute.

I'm puzzled, can we either use

<?php echo filter_var($_SERVER['PHP_SELF'], FILTER_SANITIZE_STRING); ?>

Or

action="" 

?

If not, on what circumstances should we considered one, or another?

Thanks in advance,
MEM

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(4

毁我热情 2024-09-24 06:07:06

您可以使用(PHP_SELF 或空字符串)。但为什么要使用 FILTER_SANITIZE_STRING 呢?在这种情况下,如果您的路径包含过滤字符(例如<),表单将不会提交。

我更喜欢给出一个字符串, 在使用空值时可能会引起麻烦。
例子:

<form action="<?php echo htmlentities($_SERVER['PHP_SELF']);?>" method="post">
</form>

You can use either (PHP_SELF or empty string). but why would you use FILTER_SANITIZE_STRING for this? You'd better to use htmlentities() instead of filter_var in this case, if your path contains filtered characters (e.g. <), the form won't submit.

I prefer giving a string, <base href=> can cause trouble when using empty values.
Example:

<form action="<?php echo htmlentities($_SERVER['PHP_SELF']);?>" method="post">
</form>
冰之心 2024-09-24 06:07:06

如果我没记错的话,Safari 对后者有问题,因此我放弃使用它。

If I'm not mistaken Safari had/has problems with the latter, therefore I dropped using it.

醉南桥 2024-09-24 06:07:06

不要使用 PHP_SELF,因为它也可以是 /index.php/">/

通常用于 XSS 攻击。

请使用索引 SCRIPT_NAME! SCRIPT_NAME 将始终指向实际的 PHP 文件,而不是用户输入。

编辑

有两个人指出, SCRIPT_NAME 在使用 mod_rewrite 时不起作用。这是错误的,我认为这些人应该在投票否决答案之前阅读

以下内容***:

$ cat .htaccess 
RewriteEngine On
RewriteRule testme/ /testmenot.php

$ cat testmenot.php 
<? echo $_SERVER['SCRIPT_NAME']; ?>

$ GET hostname/testme/
/testmenot.php

$_SERVER['REQUEST_URI'] 是。拿着“/testme/”,我想这些人会在 SCRIPT_NAME 中找到它,但在 PHP_SELF 中也找不到它。

/me 交叉手指
:E

Please do not use PHP_SELF, because this can also be /index.php/"><script>alert(1)</script>/.

It's often used for XSS Attacks.

Use the index SCRIPT_NAME instead! SCRIPT_NAME will always point to the actual PHP file and not to the user-input.

Regards

Edit:

Two people point out, that SCRIPT_NAME would not work when using mod_rewrite. This is false and I think these people should read before they vote answers down.

Here's a test scenario for you ***:

$ cat .htaccess 
RewriteEngine On
RewriteRule testme/ /testmenot.php

$ cat testmenot.php 
<? echo $_SERVER['SCRIPT_NAME']; ?>

$ GET hostname/testme/
/testmenot.php

$_SERVER['REQUEST_URI'] is holding "/testme/", which i guess these people would have expected in SCRIPT_NAME. But that can also not be found in PHP_SELF.

/me crosses fingers
:E

得不到的就毁灭 2024-09-24 06:07:06
     <?php
     session_start();
        $msg = '';

        if (isset($_POST['login']) && !empty($_POST['username']) 
           && !empty($_POST['password'])) {

           if ($_POST['username'] == 'abc' && 
              $_POST['password'] == 'xyz') {
              $_SESSION['valid'] = true;
              $_SESSION['timeout'] = time();
              $_SESSION['username'] = 'abc';
              ?>

              <script type="text/javascript">

          location.href="index.php"

        </script>
              <?php 
           }
           else 
           {
              $msg ='Invalid username or password';
           }
        }
     ?>
       <form
        action ="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); 
        ?>" method = "post">
              <input type = "text" class = "form-control" 
           name = "username" placeholder = "username" 
           required autofocus ></br> 
          <input type = "password" class = "form-control"
           name = "password" placeholder = "password" required>

      <input class="button" type = "submit"  name = "login" value="Log in"/>
     <?php
     session_start();
        $msg = '';

        if (isset($_POST['login']) && !empty($_POST['username']) 
           && !empty($_POST['password'])) {

           if ($_POST['username'] == 'abc' && 
              $_POST['password'] == 'xyz') {
              $_SESSION['valid'] = true;
              $_SESSION['timeout'] = time();
              $_SESSION['username'] = 'abc';
              ?>

              <script type="text/javascript">

          location.href="index.php"

        </script>
              <?php 
           }
           else 
           {
              $msg ='Invalid username or password';
           }
        }
     ?>
       <form
        action ="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); 
        ?>" method = "post">
              <input type = "text" class = "form-control" 
           name = "username" placeholder = "username" 
           required autofocus ></br> 
          <input type = "password" class = "form-control"
           name = "password" placeholder = "password" required>

      <input class="button" type = "submit"  name = "login" value="Log in"/>
~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文