Coach, Mentor, Strategist

I’m Harry Bailey and I help foster tech teams and the humans who help form and fuel them. My work creates better outcomes, more value, happier humans and solid autonomous teams.

I work with companies of all shapes and sizes who are struggling to make Scrum, SAFe and other agile frameworks work for all areas of their business.

My experience as an agility coach, product owner, business owner, tech strategist and software developer enables me to take a team-focused approach. I look to support value creation at every level from pair coding through to business strategy.

Some describe my role as Delivery Coach and some as Agile Coach. My preference is Agility Coach. ‘Agile’ isn’t something to be achieved, and our focus as members of software development teams should be on removing the impediments that limit agility. I work with teams of all sizes and experience levels to help them be better tomorrow than they are today.

Using PHP_SELF Safely and submitting forms to the same page

I’ve lost count of the number of times I’ve seen this bit of HTML / PHP used to make a form submit back to the page it lives on:

```php
<form action="<?php echo $_SERVER['PHP_SELF']; ?>">
```

It looks harmless, but it is a dangerous shortcut. PHP_SELF is the path of the running script as the browser requested it, and that includes any extra path segments (PATH_INFO) tacked on after the filename, so part of its value is under the visitor’s control. Imagine I get a user to visit the page the form is on by following this link, maybe hiding it behind a short URL:

```
http://example.com/formpage.php/"><script>...</script>
```

Everything after formpage.php is echoed straight into the action attribute: the `">` closes the attribute and the tag, and the script element that follows is parsed as part of the page. Note that the payload has to go in the path, not after a `?`: the query string is not part of PHP_SELF, so an injection attempt in the query string would never reach the attribute.

Script running in your page can read any cookie not flagged HttpOnly and use it to log in as you, or send Ajax requests back to the site with your session. All very frightening. The quick fix is to turn HTML metacharacters into harmless entities with the PHP function htmlspecialchars, so the code becomes:

```php
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>">
```

Before PHP 8.1 htmlspecialchars only escaped double quotes by default, so pass ENT_QUOTES explicitly to stay safe if the attribute is ever single-quoted, and give the charset so the result does not depend on the default_charset ini setting.
But wait! The best way to submit a form to the same page is to use an empty action attribute. It works in every browser, which submits the form back to the URL of the current document:

```html
<form action="">
```

Strictly, the HTML Living Standard now says the action attribute must be a non-empty URL if it is present, so the cleanest modern form is to leave the attribute out altogether; browsers treat a missing action exactly like an empty one. Either way nothing from the request ends up in your markup, so there is nothing to escape.
Don’t believe me? Go tell Jesse. He also wrote about empty action attributes.
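To make the difference concrete, here is an added example (not code from the original post) that renders the form tag three ways against a constructed PHP_SELF value carrying the injection described above. The `method="post"` attribute, the `steal()` function name in the payload and the `/formpage.php` path are assumptions chosen for illustration; run it with `php` on the command line.

```php
<?php
// Added example, not from the original post: vulnerable and hardened form tags
// side by side, exercised with a constructed PHP_SELF value.
declare(strict_types=1);

// The shortcut the post criticises: PHP_SELF is dropped into the attribute
// untouched, so any markup present in the request path lands in the page.
function formTagUnsafe(string $phpSelf): string
{
    return '<form method="post" action="' . $phpSelf . '">';
}

// Hardened version: quotes, angle brackets and ampersands become entities.
// ENT_QUOTES covers both quote styles (only the default since PHP 8.1),
// ENT_SUBSTITUTE keeps invalid UTF-8 from blanking the whole string, and
// the explicit charset avoids relying on the default_charset ini setting.
function formTagEscaped(string $phpSelf): string
{
    return '<form method="post" action="'
        . htmlspecialchars($phpSelf, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '">';
}

// The post's preferred alternative: no action attribute at all, so the browser
// submits to the current document and nothing from the request is echoed.
function formTagNoAction(): string
{
    return '<form method="post">';
}

// Constructed request (assumption, not a real site): PHP_SELF includes
// PATH_INFO, so a visit to
//   http://example.com/formpage.php/"><script>steal()</script>
// makes PHP_SELF carry the injected markup. A payload after '?' would not,
// because the query string is never part of PHP_SELF.
$phpSelf = '/formpage.php/"><script>steal()</script>';

$unsafe  = formTagUnsafe($phpSelf);
$escaped = formTagEscaped($phpSelf);

// The script tag survives in the unsafe output and is neutralised in the
// escaped one, where it appears only as text inside the attribute.
assert(str_contains($unsafe, '<script>steal()</script>'));
assert(!str_contains($escaped, '<script>'));
assert(str_contains($escaped, '&quot;&gt;&lt;script&gt;'));

echo "Unsafe:    $unsafe\n";
echo "Escaped:   $escaped\n";
echo "No action: " . formTagNoAction() . "\n";
```

The escaped output still contains the attacker’s text, but as `&quot;&gt;&lt;script&gt;...` inside the attribute value, which the browser treats as part of a (nonsensical) URL rather than as markup. The third form needs no escaping because it never reflects anything from the request.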
