Re: Self-referencing form action
- From: Scott Johnson <futureshock@xxxxxxx>
- Date: Sun, 28 Jun 2009 11:48:26 -0700
Beauregard T. Shagnasty wrote:
Scott Johnson wrote:
Beauregard T. Shagnasty wrote:
6. action="<?php echo $_SERVER['SCRIPT_NAME']?>"
['SCRIPT_NAME'] may or may not work, it is not guaranteed.
// prevent XSS insertion
$sanitized=htmlentities($_SERVER['SCRIPT_NAME']);
7. action="<?php echo $sanitized; ?>">
['PHP_SELF'] will always work.
So far, SCRIPT_NAME has worked fine on any hosts I use. What would cause
it to fail?
As far as the XSS insertion I am not familiar enough with that to
comment.
Neither do I; it is just what the knowledgeable person said. :-)
SCRIPT_NAME is not a native PHP variable, and won't be available if it is not implemented on the web server (I think it is a CGI engine thing, can't remember). I know a while back I had an issue and found it not to be 100%. Things might have changed.
I am pretty sure there is a good chance that it is implemented, but I just like the odds the other way.
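The thread's "prevent XSS insertion" step is the part that matters regardless of which variable turns out to be populated: both $_SERVER['SCRIPT_NAME'] and $_SERVER['PHP_SELF'] are derived from the request URL, and PHP_SELF additionally carries any PATH_INFO the client appended, so echoing either one raw into the action attribute lets request data land inside the HTML. The following is an added example, not code from anyone in this thread; the function name self_form_action() and the constructed $_SERVER array at the bottom are assumptions made for illustration. It prefers SCRIPT_NAME, falls back to PHP_SELF with the path-info tail removed (covering the case Scott worries about where SCRIPT_NAME is absent), and escapes the result for the attribute context.

```php
<?php
// Added example (not from the thread): build a self-referencing form action
// that is safe to place inside an HTML attribute.
// Assumed helper name: self_form_action(). Takes the $_SERVER array as a
// parameter so it can be exercised with constructed input.
function self_form_action(array $server)
{
    if (!empty($server['SCRIPT_NAME'])) {
        // Path of the executing script, without any path info.
        $path = $server['SCRIPT_NAME'];
    } else {
        // Fallback for servers that do not populate SCRIPT_NAME.
        $path = isset($server['PHP_SELF']) ? $server['PHP_SELF'] : '';
        // PHP_SELF is SCRIPT_NAME plus PATH_INFO; strip the client-supplied
        // trailing segment when it is present.
        if (!empty($server['PATH_INFO'])) {
            $tail = $server['PATH_INFO'];
            if (substr($path, -strlen($tail)) === $tail) {
                $path = substr($path, 0, -strlen($tail));
            }
        }
    }
    // ENT_QUOTES escapes both " and ', so the value cannot terminate the
    // attribute whichever quote style the template uses. htmlentities()
    // with the same flags would work here as well.
    return htmlspecialchars($path, ENT_QUOTES, 'UTF-8');
}

// Vulnerable pattern: the raw value is copied into the attribute unescaped.
//   <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
//
// Hardened pattern: same self-reference, escaped for the attribute context.
//   <form action="<?php echo self_form_action($_SERVER); ?>" method="post">

// Constructed $_SERVER values for a stand-alone demonstration (not real
// request data): SCRIPT_NAME missing, PHP_SELF carrying a quote in PATH_INFO.
$constructed = array(
    'PHP_SELF'  => '/form.php/x"y',
    'PATH_INFO' => '/x"y',
);
echo self_form_action($constructed), "\n";   // /form.php

$constructed2 = array(
    'SCRIPT_NAME' => '/dir/a"b.php',
);
echo self_form_action($constructed2), "\n";  // /dir/a&quot;b.php
```

Run with `php example.php` on the command line; the first line shows the path-info tail dropped, the second shows that even an odd script name is escaped rather than trusted.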