
Beware of the $_SERVER['PHP_SELF'] vulnerability

If you are in the habit of using PHP_SELF when a FORM submits data, you must watch out for cross-site scripting (XSS) attacks!!

When writing a FORM, people usually put
action=$_SERVER['PHP_SELF']
in the page the form posts to, but sometimes this opens an XSS hole. A short explanation follows.

  Suppose this is the content of test.php:
  <form action="<?=$_SERVER['PHP_SELF'];?>">
     <input type="submit" value="Submit!">
    </form>
If the visitor plays tricks in the address bar and requests
  test.php/%22%3E%3Cscript%3Ealert('Hello,word')%3C/script%3E
the rendered result becomes (the decoded path is echoed straight into the attribute):
  <form action="test.php/"><script>alert('Hello,word')</script>">
That is all it takes to embed a script. The safest approach is still to validate and sanitize every piece of externally supplied data ($_GET, $_POST, $_COOKIE, etc.).
The simplest way is htmlentities.
So the safe way to write it is as follows:
  <form action="<?=htmlentities($_SERVER['PHP_SELF']); ?>">
Of course, if you simply write
  <form action="test.php">
that is even safer, but you lose the reusability of the code. Opinions differ; it comes down to personal habit!!
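Added example, not code from the original post: it simulates the PHP_SELF value produced by the request above and prints the form markup unescaped next to the escaped version, so you can see why the escaping matters. The $phpSelf string is a constructed value standing in for $_SERVER['PHP_SELF']; htmlspecialchars is used here instead of htmlentities because it escapes the same attribute-breaking characters and keeps non-ASCII text readable.

```php
<?php
// Constructed value: what $_SERVER['PHP_SELF'] holds after requesting
// test.php/%22%3E%3Cscript%3Ealert('Hello,word')%3C/script%3E
// (PHP appends the URL-decoded PATH_INFO to the script name).
$phpSelf = "/test.php/\"><script>alert('Hello,word')</script>";

// Vulnerable: the value is echoed unescaped into an HTML attribute,
// so the embedded quote closes the attribute and the rest becomes markup.
function vulnerableForm(string $self): string {
    return '<form action="' . $self . '">' . "\n"
         . '  <input type="submit" value="Submit!">' . "\n"
         . '</form>';
}

// Hardened: escape for the attribute context. ENT_QUOTES also escapes
// single quotes, which matters if the attribute were single-quoted.
function safeForm(string $self): string {
    $escaped = htmlspecialchars($self, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form action="' . $escaped . '">' . "\n"
         . '  <input type="submit" value="Submit!">' . "\n"
         . '</form>';
}

// Simple check used below: does the output still contain a raw <script tag?
function containsScriptTag(string $html): bool {
    return stripos($html, '<script') !== false;
}

echo "Unescaped output:\n", vulnerableForm($phpSelf), "\n\n";
echo "Escaped output:\n", safeForm($phpSelf), "\n\n";
echo "Raw <script> in unescaped version: ",
     containsScriptTag(vulnerableForm($phpSelf)) ? 'yes' : 'no', "\n";
echo "Raw <script> in escaped version:   ",
     containsScriptTag(safeForm($phpSelf)) ? 'yes' : 'no', "\n";
```

Run it with `php example.php`; in the escaped output the quote, `<` and `>` appear as `&quot;`, `&lt;` and `&gt;`, so the browser treats the whole value as the action URL rather than as new tags.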


