
I'm currently learning PHP. It seems like every time I learn something new, there's a million different things I need to do in order to make sure it doesn't become a security threat. Not complaining about this. Just saying that I'm kind of paranoid about just doing anything in PHP without making sure that it's secure first. So this may be totally unnecessary and a very stupid question, but since I'm new, I have no idea.

So you know how when using $_SERVER['PHP_SELF'] for the action attribute of a form, it's necessary to use htmlspecialchars() in order to prevent XSS? My question is: what if you are just putting in the plain old URL? Example:

<form action="process.php">

Is it necessary to do anything to "process.php" before just putting it in there?

Jeremy
Kevin Ok
  • Not unless your application provides a way for *users* to manipulate `$_SERVER['PHP_SELF']`. – Marty Jun 15 '17 at 01:07
  • Relevant reading: https://stackoverflow.com/questions/14093316/why-use-serverphp-self-instead-of – CollinD Jun 15 '17 at 01:08
  • @CollinD So basically, it's OK to just hardcode the plain text of the URL into the action attribute without any security measures, right? – Kevin Ok Jun 15 '17 at 01:14

2 Answers

1

You should use htmlspecialchars() or an equivalent text-to-HTML encoding function on $_SERVER['PHP_SELF'] or any other text variables.

The question of trusted/untrusted sources of data is missing a more fundamental point: you should not treat plain text as though it is HTML. If you are ever going to display a text value, you need to escape/encode it as HTML, whether it comes from a safe source or not. (This often makes things easier to reason about: most sources of data are plain text, and should always be escaped. You only need to carefully consider the safety of the data source for the few cases where you're getting HTML data, so there are fewer chances to make a mistake.)

This variable contains a text value, not an HTML value, so you must encode it!

Is it likely that $_SERVER['PHP_SELF'] will ever contain a value that is actually dangerous? No. It's very unlikely. I've seen some weird cases where it could cause a syntax error in your page, but nothing exploitable (although in a hypothetically contrived situation it could happen). But you should still encode it, because it's the right thing to do, and this habit will protect you in other cases.

If you're just hard-coding the value action="process.php" into your source code, you're fine. You don't have anything to worry about: you can see that there are no characters that require encoding in there. It's as though it's already encoded. And in this case, you don't need to worry about an accidental rename to a future careless filename causing unexpected trouble.

Jeremy
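As an added illustration of the point made in this answer (it is not code from the question or from either answer): a small PHP script that treats the action value as plain text and always runs it through htmlspecialchars() before it lands inside the attribute. The helper names html_encode() and form_open(), and the constructed PHP_SELF-style value in the third case, are assumptions made for the example.

```php
<?php
// Added example: build a <form> action attribute from plain text, encoding
// it as HTML regardless of where the text came from.

/**
 * Encode a plain-text value for use inside an HTML attribute or element.
 * ENT_QUOTES encodes both ' and ", so the result is safe in either quote
 * style; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
 */
function html_encode(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Render the opening <form> tag. $action is treated as plain text and
 * encoded; nothing here assumes the value is already safe HTML.
 */
function form_open(string $action): string
{
    return '<form action="' . html_encode($action) . '" method="post">';
}

// Case 1: the hard-coded action from the question. The encoder leaves it
// unchanged because it contains no characters that need encoding.
echo form_open('process.php'), PHP_EOL;

// Case 2: $_SERVER['PHP_SELF'] on a normal request (fallback supplied so the
// script also runs from the command line, where PHP_SELF is the script name).
$self = $_SERVER['PHP_SELF'] ?? '/process.php';
echo form_open($self), PHP_EOL;

// Case 3: a constructed value (not taken from any real request) standing in
// for what PHP_SELF can hold when the script is reached with extra path
// information after the script name. The quote and angle brackets come out
// as &quot; &lt; &gt;, so they stay inside the attribute as text.
$constructed = '/process.php/"extra<path>';
echo form_open($constructed), PHP_EOL;
```

Running it from the command line prints the hard-coded action unchanged, then the script name, then the third tag with the quote and angle brackets encoded. The design choice is the one the answer argues for: form_open() never has to decide whether its input is trusted, because every input is encoded the same way.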
-1

No. $_SERVER['PHP_SELF'] is defined by the PHP runtime. You don't need to escape this value, unless you do not trust the name of the script itself. If you are the author of the file name, then this will be perfectly safe. If, however, the file names are created by a user, then you should make sure that the file name has a safe set of characters.

Ryan