What is the purpose of and php self?
This article shows the usage of the PHP_SELF variable and how to avoid PHP_SELF exploits.
What is the PHP_SELF variable?
PHP_SELF is a variable that returns the current script being executed. It holds the name and path of the current file, relative to the document root. You can use this variable in the action field of a form. There are also certain exploits that you need to be aware of. We shall discuss all these points in this article.
We will now see some examples.
a) Suppose your PHP file is located at the address: In this case, PHP_SELF will contain:
b) Suppose your PHP file is located at the address: For this URL, PHP_SELF will be:
Using the PHP_SELF variable in the action field of the form
A common use of the PHP_SELF variable is in the action field of the form. However, if you provide the name of the file in the action field and later rename the file, you need to update the action field as well, or your forms will stop working. Using the PHP_SELF variable you can write more generic code that works on any page without editing the action field. Consider that you have a file called form-action.php and want to load the same page after the form is submitted. The usual form code will be:
We can use the PHP_SELF variable instead of "form-action.php". The code becomes:
The complete code of "form-action.php"
Here is the combined code, which contains both the form and the PHP script.
This PHP code is above the HTML part and will be executed first. The first line of code checks whether the form has been submitted. The name of the submit button is "submit". When the submit button is pressed the
If the form is not submitted, the IF condition will be FALSE as there will be no values in
What are PHP_SELF exploits and how to avoid them
The PHP_SELF variable is used to get the name and path of the current file, but it can be used by attackers too. If PHP_SELF is echoed into your page without encoding, a user can append a slash (/) and then Cross Site Scripting (XSS) markup to the URL, and the browser will execute it. See below for an example:
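The self-submitting form-action.php described above, written out as an added example (this is not the article's own listing). The file assumes a single text field named "name"; the action attribute echoes PHP_SELF unencoded, which is exactly the usage the exploit section below addresses.

```php
<?php
// form-action.php (added example): the PHP block sits above the HTML and
// runs first on every request.
$message = '';
if (isset($_POST['submit'])) {
    // The submit button is named "submit", so $_POST['submit'] exists only
    // after the form has been posted; on a plain GET this branch is skipped.
    $name = isset($_POST['name']) ? trim($_POST['name']) : '';
    // User-supplied text is encoded before it is placed into the page body.
    $message = 'Hello, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '!';
}
?>
<!DOCTYPE html>
<html>
<head><title>form-action.php</title></head>
<body>
<?php if ($message !== ''): ?>
  <p><?php echo $message; ?></p>
<?php endif; ?>
<!-- PHP_SELF is echoed raw here; the exploit section explains why that matters -->
<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
  <label>Name: <input type="text" name="name"></label>
  <input type="submit" name="submit" value="Submit">
</form>
</body>
</html>
```

Because the action points back at the same script, submitting the form reloads form-action.php with $_POST populated, and the message appears above the form; renaming the file does not break the form.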
Now, if a user has entered the normal URL in the address bar like
This is the normal case. Now consider that the user has called this script by entering the following URL in the browser's address bar:
In this case, after PHP processing the code becomes:
You can see that this code has added a script tag and an alert command. When this page is loaded, the user will see an alert box. This is just a simple example of how the PHP_SELF variable can be exploited. Any JavaScript code can be placed between the script tags.
How to avoid the PHP_SELF exploits
PHP_SELF exploits can be avoided by using the htmlentities() function. For example, the form code should look like this to avoid PHP_SELF exploits:
The htmlentities() function converts characters with special meaning in HTML (such as <, > and quotes) into their HTML entities. Now if the user tries to exploit the PHP_SELF variable, the attempt will fail, and entering malicious code in the URL will produce the following output:
As you can see, the script part is now 'sanitized'. So don't forget to convert every occurrence of
NOTE: Some PHP servers are configured to solve this issue and automatically do this conversion. But why take the risk? Make it a habit to use htmlentities() with PHP_SELF.
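To make the difference visible without a web server, here is an added example (not from the article) that feeds a constructed PHP_SELF value through the raw and the encoded action attribute. The two values assigned to $normal and $tainted are assumptions standing in for $_SERVER['PHP_SELF']; PHP_SELF is the script name plus any extra path segments appended after it, which is why the second value can carry markup.

```php
<?php
// Added example: how a PHP_SELF value lands in the action attribute with and
// without encoding. Run from the command line: php demo.php

// Unsafe: the raw value is pasted inside a double-quoted attribute.
function action_unsafe(string $phpSelf): string
{
    return '<form method="post" action="' . $phpSelf . '">';
}

// Safe: encode for the HTML attribute context. ENT_QUOTES is passed explicitly
// so both " and ' are converted regardless of the PHP version's default flags.
function action_safe(string $phpSelf): string
{
    return '<form method="post" action="'
        . htmlentities($phpSelf, ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed values standing in for $_SERVER['PHP_SELF'].
$normal = '/form-action.php';
// A request of the form /form-action.php/"><script>...</script> reaches the
// script with the extra path (URL-decoded) appended to PHP_SELF:
$tainted = '/form-action.php/"><script>alert(1)</script><span a="';

foreach ([$normal, $tainted] as $value) {
    echo "PHP_SELF : $value\n";
    echo "raw      : " . action_unsafe($value) . "\n";
    echo "encoded  : " . action_safe($value) . "\n\n";
}
```

In the encoded output the quote and angle brackets appear as &quot;, &lt; and &gt;, so the whole value stays inside the attribute and no script element is created. A simpler alternative for a self-submitting form is to omit the action attribute entirely: browsers then submit to the current URL, and no server-derived value has to be placed into the markup.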
What is the difference between self and this keyword in PHP?
The keyword self is used to refer to the current class itself within the scope of that class only, whereas $this is used to refer to the member variables and functions of a particular instance of a class.
What is PHP self exploit?
PHP_SELF is a variable that returns the current script being executed. This variable returns the name and path of the current file (from the root folder). You can use this variable in the action field of the FORM. There are also certain exploits that you need to be aware of.
What is the difference between self and static in PHP?
self vs static: the most basic difference between them is that self points to the version of the property of the class in which it is declared, but in the case of static, the property undergoes a redeclaration at runtime.
What is $this in PHP, with an example?
$this is a reserved keyword in PHP that refers to the calling object. It is usually the object to which the method belongs, but possibly another object if the method is called statically from the context of a secondary object. This keyword is only applicable to internal methods.
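The three keywords compared above behave differently once inheritance is involved. The following added example (not from any of the quoted answers; the class names Base and Child are made up for illustration) shows self:: resolving to the class where the method is written, static:: resolving to the class the call was made on, and $this referring to the instance.

```php
<?php
// Added example: self, static and $this side by side.

class Base
{
    protected $label = 'base instance';

    public static function viaSelf(): string
    {
        // self is bound to the class in which this method is declared (Base).
        return self::name();
    }

    public static function viaStatic(): string
    {
        // static is resolved at runtime to the class the call was made on
        // (late static binding), so a subclass override is honoured.
        return static::name();
    }

    public static function name(): string
    {
        return 'Base';
    }

    public function whoAmI(): string
    {
        // $this is the instance on which the method was called, so an
        // overridden property in a subclass instance is what gets read.
        return $this->label;
    }
}

class Child extends Base
{
    protected $label = 'child instance';

    public static function name(): string
    {
        return 'Child';
    }
}

echo Child::viaSelf(), "\n";
echo Child::viaStatic(), "\n";
echo (new Child())->whoAmI(), "\n";
```

Running it, Child::viaSelf() returns "Base" because self ignores the subclass, Child::viaStatic() returns "Child" because static follows the called class, and whoAmI() on a Child object returns "child instance".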