Web Development | Filipino Freelance Web Masters : Filipino Web Designers and Web Application Developers, SEO, Researchers, Marketers and CMS Specialists

Archive for the ‘Web Development’ Category

PHP $_SERVER variables are not safe for use in forms, links

Wednesday, September 23rd, 2009

A common security mistake I see WordPress plugin authors (and PHP coders in general) make is using $_SERVER['PHP_SELF'] or $_SERVER['REQUEST_URI'] as the action of a form or part of an anchor’s href attribute. This is not safe to do, and opens your code up to XSS (cross-site scripting) exploits.

Common example:

<form action="<?php echo $_SERVER['PHP_SELF']; ?>">

Another example:

<a href="<?php echo $_SERVER['PHP_SELF']' ?>?foo=bar">link title</a>

Here are my two rules regarding $_SERVER['PHP_SELF'] or $_SERVER['REQUEST_URI'] in forms:

Do not use them
If you use one of them, escape it with esc_url()

(more…)

Rating: 2.7/5 (3 votes cast)

Rating: +1 (from 3 votes)

Share and Enjoy:

Share/Save

Tags: congratulations, CSS, launched, mod news, mod updates, w3c compliance, Web Design, website launching, xhtml
Posted in Web Applications, Web Development | 1 Comment »

Archive for the ‘Web Development’ Category

PHP $_SERVER variables are not safe for use in forms, links

Categories

Pick a Tag

Just for you

Recent Posts

Archives

Recent Comments