Posts categorized “PHP”.

Using PHP_SELF Safely and submitting forms to the same page

I’ve lost count of the number of times I’ve seen this bit of HTML / PHP:

<form method="post" action="<?php print $_SERVER['PHP_SELF']; ?>">

Looks pretty harmless, doesn’t it? But it is a dangerous shortcut. Imagine I get a user to visit the page the form is on by following this link, maybe hidden behind a short URL:

http://example.com/formpage.php/"><script>alert(document.cookie);</script>

where I’ve appended some HTML containing a script tag to the path. PHP_SELF is the script name plus whatever PATH_INFO follows it (the query string is not part of it), so that trailing junk is echoed straight into the action attribute, closes the attribute and the tag, and the script runs in the user’s browser on your origin.

I could use this to grab your cookies (any not flagged HttpOnly) and log in as you, or to send AJAX requests back to the site on your behalf. All very frightening. The quick fix is to turn HTML metacharacters into their harmless entities with the PHP function htmlspecialchars. So the code would be

<form method="post" action="<?php print htmlspecialchars($_SERVER['PHP_SELF']); ?>">

That is enough for a double-quoted attribute; if you ever put the value inside a single-quoted attribute, pass ENT_QUOTES as the second argument, because before PHP 8.1 the default flags leave single quotes alone. But wait! The simplest way to submit a form to the same page is an empty action attribute. It is valid HTML 4.01 and every browser submits such a form to the document’s own URL, query string included. The current HTML standard asks for a non-empty URL when the attribute is present but makes the attribute optional, so leaving it out altogether is the cleanest option and behaves the same way.

<form method="post" action="">

Don’t believe me? Go tell Jesse. He also wrote about empty action attributes.
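The following is an added example of mine, not code from the original post: it builds the form tag both the unsafe way and the escaped way from a constructed PHP_SELF value (the value a request for the link above would leave in $_SERVER['PHP_SELF'] after Apache decodes the PATH_INFO part), using a small attribute-escaping helper; the helper and function names are my own.

```php
<?php
// Added example, not part of the original post. Builds the form tag the
// unsafe and the escaped way from a constructed $_SERVER['PHP_SELF'] value.

/**
 * Escape a string for use inside an HTML attribute value (helper name is mine).
 * ENT_QUOTES covers single- and double-quoted attributes; ENT_SUBSTITUTE
 * replaces invalid UTF-8 instead of making htmlspecialchars return "".
 */
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** The shortcut from the post: PHP_SELF echoed straight into the attribute. */
function vulnerableFormTag(string $phpSelf): string
{
    return '<form method="post" action="' . $phpSelf . '">';
}

/** The fix: escape the value before it lands in the attribute. */
function safeFormTag(string $phpSelf): string
{
    return '<form method="post" action="' . attr($phpSelf) . '">';
}

// Constructed sample: what $_SERVER['PHP_SELF'] holds after a request for
// http://example.com/formpage.php/"><script>alert(document.cookie);</script>
// (the web server has already percent-decoded the PATH_INFO part).
$phpSelf = '/formpage.php/"><script>alert(document.cookie);</script>';

echo vulnerableFormTag($phpSelf), "\n";
echo safeFormTag($phpSelf), "\n";

// Self-check: the escaped tag must not contain a raw <script, and the
// action must still name the same script, just with the junk encoded.
$escaped = safeFormTag($phpSelf);
if (strpos($escaped, '<script') !== false) {
    throw new RuntimeException('escaping failed');
}
if (strpos($escaped, 'action="/formpage.php/&quot;&gt;&lt;script&gt;') === false) {
    throw new RuntimeException('unexpected attribute value');
}
```

The first tag printed ends its action attribute at the injected quote and is followed by a live `<script>` element. The second carries `&quot;&gt;&lt;script&gt;…` inside the attribute; the browser decodes that back to the same odd path when submitting, so the form still posts to formpage.php and nothing executes.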

Writing a PHP Coda Plugin

Sound like a right pain in the arse? It’s surprisingly simple actually….

The steps to creating a simple, locally run PHP Coda plugin:

You must have PHP installed and running locally.
Start the plugin file with these lines:

#!/usr/bin/php -q
<?php

where /usr/bin/php is the path to your local PHP install. (The -q switch suppresses HTTP header output; it only means something to the CGI binary, the CLI binary accepts it and ignores it.)

Continue Reading… »

Facebook Preload FQL Help

Facebook have a beta feature on their platform API called Preload FQL. It allows you to specify an FQL call that takes place before Facebook requests the page from your servers. Used cleverly, this saves a full API round trip.

Well, the wiki article is quite large but misses a few points I thought worth noting…

Continue Reading… »

Dots Aren’t Allowed In PHP Cookie Names

When you use cookies in PHP, you can’t use dots / periods [.] in the names. So this won’t work:

$var = $_COOKIE['cookie.name.with.dots'];

You can set them with dots using JavaScript, but when you go to read them from $_COOKIE the dots have become underscores [ _ ]: PHP rewrites dots (and spaces) to underscores in incoming variable names, so the cookie above turns up as $_COOKIE['cookie_name_with_dots'].
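If you really need the dotted name back, the raw Cookie header is still intact in $_SERVER['HTTP_COOKIE']. Here is an added example of mine (not from the post) that parses that header itself, keeping dots in names and keeping the dotted cookie apart from an underscore look-alike that PHP would collapse into the same $_COOKIE key; the function name and the sample header are constructed for the example.

```php
<?php
// Added example, not part of the original post. PHP rewrites "." and " " to
// "_" in incoming variable names, so $_COOKIE cannot tell "a.b" from "a_b".
// Parsing the raw Cookie header ourselves keeps the names exactly as sent.

/**
 * Parse a raw Cookie header ("n1=v1; n2=v2") into name => value pairs.
 * Names are kept verbatim; values are percent-decoded as PHP does for
 * $_COOKIE; the first occurrence of a name wins. Function name is mine.
 */
function parseRawCookies(string $header): array
{
    $out = [];
    foreach (explode(';', $header) as $pair) {
        $pair = trim($pair);
        if ($pair === '') {
            continue;                       // trailing or doubled separator
        }
        $eq = strpos($pair, '=');
        if ($eq === false || $eq === 0) {
            continue;                       // malformed pair, no name
        }
        $name  = substr($pair, 0, $eq);
        $value = rawurldecode(substr($pair, $eq + 1));
        if (!array_key_exists($name, $out)) {
            $out[$name] = $value;           // first occurrence wins
        }
    }
    return $out;
}

// Constructed sample header: the dotted cookie, its underscore look-alike,
// and one ordinary cookie. In $_COOKIE the first two collide on one key.
$rawHeader = 'cookie.name.with.dots=abc; cookie_name_with_dots=xyz; other=1';

// In a real request you would pass $_SERVER['HTTP_COOKIE'] ?? '' instead.
$cookies = parseRawCookies($rawHeader);

if ($cookies['cookie.name.with.dots'] !== 'abc' ||
    $cookies['cookie_name_with_dots'] !== 'xyz') {
    throw new RuntimeException('dotted and underscored cookies were confused');
}
var_dump($cookies);
```

Treat the result exactly as you would $_COOKIE: it is attacker-controlled input, so validate each value before use. The point of the manual parse is only that a name such as cookie.name.with.dots can no longer be impersonated by a cookie called cookie_name_with_dots.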

Continue Reading… »

Return Number Of Rows With PHP From SQL Database

Working occasionally with other SQL databases (not my beloved MySQL), I always struggled to get the number of rows back in a consistent manner.

Until now…

Continue Reading… »