0

Today I read the w3school to learn php by myself. It says <form method="post" action="<?php echo $_SERVER["PHP_SELF"];?>">maybe cause the XSS when someone enters the some URL,such as "http://www.example.com/test_form.php/%22%3E%3Cscript%3Ealert('hacked')%3C/script%3E". I don't konw why enter this URL will cause the $_SERVER["PHP_SELF"] return different result.Can someone tell the reason to me.Thanks.

ztelur
  • 55
  • 4
  • 2
    duplicate of http://stackoverflow.com/questions/6080022/php-self-and-xss – Eeji Sep 06 '14 at 15:03
  • 1
    If you are looking to post a form on `blah.php` to `blah.php`, you can just skip the action attribute. – James Sep 06 '14 at 15:44
  • Because `_SERVER[PHP_SELF]` is not simply `blah.php` from `/a/b/c/blah.php?a=b`, but rather `blah.php?a=b`. Since the params are also printed, you can put some javascript there, get it printed, and there, you got a XSS. – rev Sep 06 '14 at 16:21
  • Thanks.Tt's a duplicate problem.Next time I will take care to aks problem. Thanks a lot – ztelur Sep 07 '14 at 01:52

0 Answers0