Posts categorized “Methods”.

Using PHP_SELF Safely and submitting forms to the same page


I’ve lost count of the number of times I’ve seen this bit of HTML / PHP:

<form method="post" action="<?php print $_SERVER['PHP_SELF']; ?>">

Looks pretty harmless, doesn’t it? But it is a pretty dangerous shortcut to use. Imagine I get a user to visit the page the form is on by following this link, maybe hiding it in a short URL:

http://example.com/formpage.php?"><script>alert(document.cookie);</script>

where I’ve added some HTML to the URL which contains a script tag.

I could use this method to grab all your cookies and log in as you, or send Ajax requests back to the site on your behalf. All very frightening. The quick solution is to turn HTML characters into their harmless entities using the PHP function htmlspecialchars. So the code would be

<form method="post" action="<?php print htmlspecialchars($_SERVER['PHP_SELF']); ?>">

But wait! The best way to submit to the same page with a form is to use an empty action attribute. It’s valid and it works.

<form method="post" action="">

Don’t believe me? Go tell Jesse. He also wrote about empty action attributes.
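As an added example (not the original post’s code), here is a command-line PHP script that renders the three form tags discussed above against a constructed PHP_SELF value carrying the post’s payload, so the difference can be seen without a web server. PHP_SELF is the request path including any trailing path-info segment, which is how such a value reaches the script.

```php
<?php
declare(strict_types=1);

// Added example, not from the original post. The value below is a constructed
// stand-in for a request whose path smuggled the post's payload into PHP_SELF.
$_SERVER['PHP_SELF'] = '/formpage.php/"><script>alert(document.cookie);</script>';

// The shortcut from the post: raw PHP_SELF inside a quoted attribute.
function unsafeForm(string $phpSelf): string
{
    return '<form method="post" action="' . $phpSelf . '">';
}

// Fix 1 from the post: entity-encode the value. ENT_QUOTES is written out
// because before PHP 8.1 the default flags left single quotes unencoded.
function escapedForm(string $phpSelf): string
{
    $safe = htmlspecialchars($phpSelf, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post" action="' . $safe . '">';
}

// Fix 2 from the post: an empty action submits to the current URL and
// never echoes request data into the markup at all.
function emptyActionForm(): string
{
    return '<form method="post" action="">';
}

// Crude check used only for this demonstration: does a live <script>
// tag survive in the rendered markup?
function containsScriptTag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

$cases = [
    'raw PHP_SELF'       => unsafeForm($_SERVER['PHP_SELF']),
    'htmlspecialchars()' => escapedForm($_SERVER['PHP_SELF']),
    'empty action'       => emptyActionForm(),
];

foreach ($cases as $label => $html) {
    printf("%-20s %s\n", $label, containsScriptTag($html) ? 'SCRIPT TAG SURVIVES' : 'ok');
    echo '  ', $html, "\n";
}
```

Only the first case reports a surviving script tag; the escaped version turns the injected `<` into `&lt;`, and the empty action never reflects the request path at all.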

Pipe / Send Email to a PHP Script

Sending (or piping) emails to a PHP script allows a whole world of fun. I had a spare 30 minutes the other night, so I sat down, read a few blog posts and forums and set up emails to pipe to a PHP script.


PHP coding standards I agree with

In all my time coding PHP I have read a lot of PHP coding standards.

Finally I have found one that I almost agree with completely. My only wobble is regarding the suggestion not to use getters and setters in classes.

PHP Coding standards

The PHP Coding Standard is, with permission, based on Todd Hoff’s C++ Coding Standard.
Rewritten for PHP by Fredrik Kristiansen / DB Medialab, Oslo 2000-2003.