Using PHP_SELF Safely and submitting forms to the same page

fetchit-21

I’ve lost count of the number of times I’ve seen this bit of HTML / PHP:

<form method="post" action="<?php print $_SERVER['PHP_SELF']; ?>">

Looks pretty harmless, doesn’t it? But it is a pretty dangerous shortcut to use. Imagine I get a user to visit the page the form is on by following this link, maybe hiding it in a short URL:

http://example.com/formpage.php?"><script>alert(document.cookie);</script>

where I’ve added some HTML into the URL which contains a script tag.

I could use this method to grab all your cookies and log in as you, or send Ajax requests back to the site on your behalf. All very frightening. The quick solution is to turn HTML characters into their harmless entities using the PHP function htmlspecialchars. So the code would be

<form method="post" action="<?php print htmlspecialchars($_SERVER['PHP_SELF']); ?>">

But wait! The best way to submit to the same page with a form is to use an empty action attribute. It’s valid and it works.

<form method="post" action="">

Don’t believe me? Go tell Jesse. He also wrote about empty action attributes.
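To make the difference concrete, here is a small added PHP script (not code from the original post) that renders the form the three ways discussed above. It assumes the injected text from the URL has already ended up in $_SERVER['PHP_SELF']; the value is constructed for the demonstration, and the helper names and the ENT_QUOTES flag are my additions.

```php
<?php
// Added example, not from the original post. The value below is constructed:
// assume the injected text from the URL has landed in $_SERVER['PHP_SELF'].
$_SERVER['PHP_SELF'] = '/formpage.php/"><script>alert(document.cookie);</script>';

// Renders the form exactly as the unsafe snippet does: the quote inside
// PHP_SELF closes the action attribute and the rest becomes a live <script>.
function unsafeForm(string $self): string {
    return '<form method="post" action="' . $self . '">';
}

// Escapes before output. ENT_QUOTES also converts single quotes, so the same
// helper stays safe inside single-quoted attributes; the charset must match
// the page's own encoding.
function safeForm(string $self): string {
    $escaped = htmlspecialchars($self, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post" action="' . $escaped . '">';
}

// The post's preferred fix: no user-influenced data in the attribute at all.
function emptyActionForm(): string {
    return '<form method="post" action="">';
}

echo "Unsafe:\n", unsafeForm($_SERVER['PHP_SELF']), "\n\n";
echo "Escaped:\n", safeForm($_SERVER['PHP_SELF']), "\n\n";
echo "Empty action:\n", emptyActionForm(), "\n";

// Self-check: the escaped markup must contain no raw '<' or '"' from the
// input, so the browser can neither see a new tag nor a closed attribute.
$out = safeForm($_SERVER['PHP_SELF']);
assert(strpos($out, '<script') === false);
assert(substr_count($out, '"') === 4); // only the two attribute quote pairs
```

Run it with `php example.php` and compare the three lines: only the first one contains a `<script` tag the browser would execute.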

One comment.

  1. Thank you for pointing this out. I have just run an automated find/replace across my custom content management system (which I use for over 20 clients) and replaced every instance of $_SERVER['PHP_SELF'] with htmlspecialchars($_SERVER['PHP_SELF'])

    Thus far in my preliminary testing this does not seem to have broken anything…though it replaced 237 instances of this (on just my installation…so multiply that by all the installs I have out there and this was a pretty gaping issue). Not all my references to this were in form submissions…most are on page redirects…but it seems to me that the same rule would apply there, so glad to replace it everywhere. There is plenty of testing still to go, but all looks good thus far 🙂

    Thanks for helping to secure my website and that of anyone else reading your blog.