Coach, Mentor, Coder

I’m Harry Bailey and I help foster tech teams and the humans who form and fuel them. My work creates better outcomes, more value, happier humans and solid autonomous teams.

My experience as a product owner, business owner, tech strategist and software developer enables me take a team-focussed approach. I look to support value creation at every level from pair coding through to business strategy.

Get in touch

Using PHP_SELF Safely and submitting forms to the same page

I’ve lost count of the number of times i’ve seen this bit of HTML / PHP:

">

Looks pretty harmless doesn’t it, but it is a pretty dangerous shortcut to use. Imagin I get a user to visit the page the form is on by following this link, maybe hiding it in a short url:

http://example.com/formpage.php?">

where I’ve added some html into the url which contains a script tag.

I could use this method to grab all your cookies and log in as you, or send ajax requests back to the site on your behalf. All very frightening. The quick solution is to turn html characters into their harmless entities using the php function htmlspecialchars. So the code would be


But wait! The best way to submit to the same page with a form is to use and empty action attribute. It’s valid and it works.


Don’t believe me? Go tell Jesse. He also wrote about empty action attributes.

[carousel keywords=”php” tag=”fetchit-21″]