Using PHP_SELF in the action field of a form
In this article shows the usage of PHP_SELF variable and how to avoid PHP_SELF exploits.
What is PHP_SELF variable?
PHP_SELF is a variable that returns the current script being executed. This variable returns the name and path of the current file (from the root folder). You can use this variable in the action field of the FORM. There are also certain exploits that you need to be aware of. We shall discuss all these points in this article. We will now see some examples. echo $_SERVER[‘PHP_SELF’];
a) Suppose your php file is located at the address: http://www.yourserver.com/form-action.php
In this case, PHP_SELF will contain: «/form-action.php»
b) Suppose your php file is located at the address: http://www.yourserver.com/dir1/form-action.php
For this URL, PHP_SELF will be : «/dir1/form-action.php»
Using the PHP_SELF variable in the action field of the form
A common use of PHP_SELF variable is in the action field of the tag. The action field of the FORM instructs where to submit the form data when the user presses the “submit” button. It is common to have the same PHP page as the handler for the form as well.
However, if you provide the name of the file in the action field, in case you happened to rename the file, you need to update the action field as well; or your forms will stop working.
Using PHP_SELF variable you can write more generic code which can be used on any page and you do not need to edit the action field.
Consider, you have a file called form-action.php and want to load the same page after the form is submitted. The usual form code will be:
form method="post" action="form-action.php" > We can use the PHP_SELF variable instead of “form-action.php”. The code becomes:
form name="form1" method="post" action=" $_SERVER['PHP_SELF']; ?>" > The complete code of “form-action.php”
Here is the combined code, that contains both the form and the PHP script.
php if(isset($_POST[‘submit’])) $name = $_POST[‘name’]; echo «User Has submitted the form and entered this name : $name «; echo «
You can use the following form again to enter a new name.»; > ?> «>
This PHP code is above the HTML part and will be executed first. The first line of code is checking if the form is submitted or not. The name of the submit button is “submit”. When the submit button is pressed the $_POST[‘submit’] will be set and the IF condition will become true. In this case, we are showing the name entered by the user.
If the form is not submitted the IF condition will be FALSE as there will be no values in $_POST[‘submit’] and PHP code will not be executed. In this case, only the form will be shown.
What are PHP_SELF exploits and how to avoid them
The PHP_SELF variable is used to get the name and path of the current file but it can be used by the hackers too. If PHP_SELF is used in your page then a user can enter a slash (/) and then some Cross Site Scripting (XSS) commands to execute.
form name="test" action=" $_SERVER['PHP_SELF']; ?>" method="post"> Now, if a user has entered the normal URL in the address bar like http://www.yourdomain.com/form-action.php the above code will be translated as:
form name="test" action="form-action.php" method="post"> Now consider that the user has called this script by entering the following URL in the browser’s address bar:
In this case, after PHP processing the code becomes:
form name="test" method="post" action="form-action.php"/> script>alert('xss')script>foo""> You can see that this code has added a script tag and an alert command. When this page is be loaded, user will see an alert box. This is just a simple example how the PHP_SELF variable can be exploited.
Any JavaScript code can be added between the “script” tag. . A hacker can link to a JavaScript file that may be located on another server. That JavaScript file can hold the malicious code that can alter the global variables and can also submit the form to another address to capture the user data, for example.
How to Avoid the PHP_SELF exploits
PHP_SELF exploits can be avoided by using the htmlentities() function. For example, the form code should be like this to avoid the PHP_SELF exploits:
form name="test" action="$_SERVER['PHP_SELF']); ?>" method="post"> The htmlentities() function encodes the HTML entities. Now if the user tries to exploit the PHP_SELF variable, the attempt will fail and the result of entering malicious code in URL will result in the following output:
form name="test" method="post" action="form-action.php/"><script>alert('xss')& lt;/script><foo"> As you can see, the script part is now ‘sanitized’.
So don’t forget to convert every occurrence of «$_SERVER[‘PHP_SELF’]» into «htmlentities($_SERVER[‘PHP_SELF’])» throughout your script.
NOTE: Some PHP servers are configured to solve this issue and they automatically do this conversion.But, why take risk? make it a habit to use htmlentities() with PHP_SELF.
See Also
$_SERVER
$_SERVER is an array containing information such as headers, paths, and script locations. The entries in this array are created by the web server, therefore there is no guarantee that every web server will provide any of these; servers may omit some, or provide others not listed here. However, most of these variables are accounted for in the » CGI/1.1 specification, and are likely to be defined.
Note: When running PHP on the command line most of these entries will not be available or have any meaning.
In addition to the elements listed below, PHP will create additional elements with values from request headers. These entries will be named HTTP_ followed by the header name, capitalized and with underscores instead of hyphens. For example, the Accept-Language header would be available as $_SERVER[‘HTTP_ACCEPT_LANGUAGE’] .
Indices
‘ PHP_SELF ‘ The filename of the currently executing script, relative to the document root. For instance, $_SERVER[‘PHP_SELF’] in a script at the address http://example.com/foo/bar.php would be /foo/bar.php . The __FILE__ constant contains the full path and filename of the current (i.e. included) file. If PHP is running as a command-line processor this variable contains the script name. ‘argv’ Array of arguments passed to the script. When the script is run on the command line, this gives C-style access to the command line parameters. When called via the GET method, this will contain the query string. ‘argc’ Contains the number of command line parameters passed to the script (if run on the command line). ‘ GATEWAY_INTERFACE ‘ What revision of the CGI specification the server is using; e.g. ‘CGI/1.1’ . ‘ SERVER_ADDR ‘ The IP address of the server under which the current script is executing. ‘ SERVER_NAME ‘ The name of the server host under which the current script is executing. If the script is running on a virtual host, this will be the value defined for that virtual host.
Note: Under Apache 2, UseCanonicalName = On and ServerName must be set. Otherwise, this value reflects the hostname supplied by the client, which can be spoofed. It is not safe to rely on this value in security-dependent contexts.
‘ SERVER_SOFTWARE ‘ Server identification string, given in the headers when responding to requests. ‘ SERVER_PROTOCOL ‘ Name and revision of the information protocol via which the page was requested; e.g. ‘HTTP/1.0’ ; ‘ REQUEST_METHOD ‘ Which request method was used to access the page; e.g. ‘GET’ , ‘HEAD’ , ‘POST’ , ‘PUT’ .
Note:
PHP script is terminated after sending headers (it means after producing any output without output buffering) if the request method was HEAD .
‘ REQUEST_TIME ‘ The timestamp of the start of the request. ‘ REQUEST_TIME_FLOAT ‘ The timestamp of the start of the request, with microsecond precision. ‘ QUERY_STRING ‘ The query string, if any, via which the page was accessed. ‘ DOCUMENT_ROOT ‘ The document root directory under which the current script is executing, as defined in the server’s configuration file. ‘ HTTPS ‘ Set to a non-empty value if the script was queried through the HTTPS protocol. ‘ REMOTE_ADDR ‘ The IP address from which the user is viewing the current page. ‘ REMOTE_HOST ‘ The Host name from which the user is viewing the current page. The reverse dns lookup is based on the REMOTE_ADDR of the user.
Note: The web server must be configured to create this variable. For example in Apache HostnameLookups On must be set inside httpd.conf for it to exist. See also gethostbyaddr() .
‘ REMOTE_PORT ‘ The port being used on the user’s machine to communicate with the web server. ‘ REMOTE_USER ‘ The authenticated user. ‘ REDIRECT_REMOTE_USER ‘ The authenticated user if the request is internally redirected. ‘ SCRIPT_FILENAME ‘
The absolute pathname of the currently executing script.
Note:
If a script is executed with the CLI, as a relative path, such as file.php or ../file.php , $_SERVER[‘SCRIPT_FILENAME’] will contain the relative path specified by the user.
‘ SERVER_ADMIN ‘ The value given to the SERVER_ADMIN (for Apache) directive in the web server configuration file. If the script is running on a virtual host, this will be the value defined for that virtual host. ‘ SERVER_PORT ‘ The port on the server machine being used by the web server for communication. For default setups, this will be ’80’ ; using SSL, for instance, will change this to whatever your defined secure HTTP port is.
Note: Under Apache 2, UseCanonicalName = On , as well as UseCanonicalPhysicalPort = On must be set in order to get the physical (real) port, otherwise, this value can be spoofed, and it may or may not return the physical port value. It is not safe to rely on this value in security-dependent contexts.
‘ SERVER_SIGNATURE ‘ String containing the server version and virtual host name which are added to server-generated pages, if enabled. ‘ PATH_TRANSLATED ‘ Filesystem- (not document root-) based path to the current script, after the server has done any virtual-to-real mapping.
Note: Apache 2 users may use AcceptPathInfo = On inside httpd.conf to define PATH_INFO .
‘ SCRIPT_NAME ‘ Contains the current script’s path. This is useful for pages which need to point to themselves. The __FILE__ constant contains the full path and filename of the current (i.e. included) file. ‘ REQUEST_URI ‘ The URI which was given in order to access this page; for instance, ‘ /index.html ‘. ‘ PHP_AUTH_DIGEST ‘ When doing Digest HTTP authentication this variable is set to the ‘Authorization’ header sent by the client (which you should then use to make the appropriate validation). ‘ PHP_AUTH_USER ‘ When doing HTTP authentication this variable is set to the username provided by the user. ‘ PHP_AUTH_PW ‘ When doing HTTP authentication this variable is set to the password provided by the user. ‘ AUTH_TYPE ‘ When doing HTTP authentication this variable is set to the authentication type. ‘ PATH_INFO ‘ Contains any client-provided pathname information trailing the actual script filename but preceding the query string, if available. For instance, if the current script was accessed via the URI http://www.example.com/php/path_info.php/some/stuff?foo=bar , then $_SERVER[‘PATH_INFO’] would contain /some/stuff . ‘ ORIG_PATH_INFO ‘ Original version of ‘ PATH_INFO ‘ before processed by PHP.
Examples
Example #1 $_SERVER example