On Tuesday 26 December 2006 5:11 pm, Joseph Crawford wrote:

> Chris,
>
> do you suggest hardcoding the filenames even when referencing the same
> file that is executing?
There was a long thread about this in July 2005. Executive summary: PHP_SELF intentionally includes extra URL garbage (or valuable URL variables, take your pick) tacked on by the user. Don't use it without knowing what it does.

Here's what you get when you hit the URL http://example.com/info.php/testing1?testing2 :

    _SERVER["REQUEST_URI"]   /info.php/testing1?testing2
    _SERVER["PHP_SELF"]      /info.php/testing1
    _SERVER["SCRIPT_NAME"]   /info.php

Get it? If you don't want that extra stuff tacked on by the user, use the correct _SERVER variable. If you use REQUEST_URI or PHP_SELF, be aware the user can affect the contents of that variable. 99% of the time, you want SCRIPT_NAME, not PHP_SELF.

By the way, here's another test: http://example.com/info.php/testing<script>?testing :

    _SERVER["REQUEST_URI"]   /info.php/testing%3Cscript%3E?testing
    _SERVER["PHP_SELF"]      /info.php/testing<script>
    _SERVER["SCRIPT_NAME"]   /info.php

Note that the REQUEST_URI variable, which comes from Apache, is encoded, while the PHP_SELF variable, which comes from PHP, is not.

So PHP 5.2.0 still makes it possible to shoot yourself in the foot, and as I've pointed out below, well-known PHP authorities actually recommend that you do so.

Here's the email that I sent in July 2005:

Subject: Re: [nyphp-talk] $_SERVER['PHP_SELF'} not working?
Date: Friday 22 July 2005 12:05 pm
From: Michael Sims <[EMAIL PROTECTED]>
To: NYPHP Talk <[email protected]>

On Thursday 21 July 2005 17:16, Dan Cech wrote:

> You could put:
>
> $_SERVER['PHP_SELF'] = $_SERVER['SCRIPT_NAME'];
>
> into one of your common include files.

Yes. I'm afraid I don't understand this entire thread. Apparently because of the numerous PHP developer articles recommending it, and because of the php.net page which for whatever reason lists it first on the list of predefined variables, people are using PHP_SELF when they really want SCRIPT_NAME.
SCRIPT_NAME solves all the problems mentioned in this thread - it's just the script name, without any extra garbage that might be tacked on by the user. PHP_SELF explicitly includes that extra garbage, so solutions in this thread that involve stripping the garbage off of PHP_SELF to make it safe are really, really missing the point - just use SCRIPT_NAME instead.

Please don't use FORM ACTION=""; according to the spec, what the browser does with that is undefined, so even if it works in current browsers, it might not work in future ones.

People can be forgiven for making this mistake -- I'm here holding my copy of _Learning PHP 5_, and it recommends on page 8 and again on page 86 the use of PHP_SELF for self-referencing forms, ahem -- but it's time to put it to bed: PHP_SELF is unsafe for any usage where it is echoed back to the page.

Michael Sims

_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
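The point the thread makes, as an added example that is not part of the original message: a self-referencing form action built from PHP_SELF beside one built from SCRIPT_NAME, driven by a constructed $_SERVER array populated the way the email's second test shows. The function names and the reviewer check are this example's own, not from the list or from PHP.

```php
<?php
// Added example: compare a form action built from PHP_SELF with one built
// from SCRIPT_NAME. $server is a constructed stand-in for $_SERVER, filled
// with the values the email shows for
// http://example.com/info.php/testing<script>?testing
declare(strict_types=1);

$server = [
    'REQUEST_URI' => '/info.php/testing%3Cscript%3E?testing',
    'PHP_SELF'    => '/info.php/testing<script>',
    'SCRIPT_NAME' => '/info.php',
];

// The pattern the email warns against: PHP_SELF, which carries
// user-supplied path info, echoed raw into markup.
function unsafe_form_action(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '" method="post">';
}

// Hardened form: SCRIPT_NAME carries no user-supplied path info, and it is
// still HTML-escaped, because every value placed into markup should be.
function safe_form_action(array $server): string
{
    $action = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $action . '" method="post">';
}

// Reviewer check (hypothetical helper): does the action attribute value
// contain any character that could close the quoted attribute or open a tag?
function action_is_clean(string $html): bool
{
    if (!preg_match('/action="([^"]*)"/', $html, $m)) {
        return false;
    }
    return strpbrk($m[1], "<>\"'") === false;
}

echo unsafe_form_action($server), PHP_EOL;
echo safe_form_action($server), PHP_EOL;
var_dump(action_is_clean(unsafe_form_action($server)));
var_dump(action_is_clean(safe_form_action($server)));
```

Run it with `php` on the command line; the first check reports false and the second true, which is the difference the email describes.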
