$_SERVER variables: using $_SERVER['PHP_SELF'] to obtain the current page address, and its security issues
PHP $_SERVER['PHP_SELF']
$_SERVER['PHP_SELF'] holds the path of the currently executing PHP file relative to the website root directory (the document root).
Suppose we have the following URLs. The corresponding values of $_SERVER['PHP_SELF'] are:
http://www.5idev.com/php/ : /php/index.php
http://www.5idev.com/php/index.php : /php/index.php
http://www.5idev.com/php/index.php?test=foo : /php/index.php
http://www.5idev.com/php/index.php/test/foo : /php/index.php/test/foo
Therefore, $_SERVER['PHP_SELF'] can be used to conveniently obtain the address of the current page:
$url = "http://".$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'];
Take the preceding address as an example. The result is as follows:
http://www.5idev.com/php/index.php
The above is a simple way to get the current page URL for the http protocol, but note that this address does not contain the request parameters of the URL (the query string after the ?). To obtain the complete URL including the request parameters, use $_SERVER['REQUEST_URI'] instead.
PHP $_SERVER['PHP_SELF'] Security
Because $_SERVER['PHP_SELF'] is such a convenient way to obtain the current page address, some programmers prefer the following method when submitting form data to the current page for processing:
<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
Assume that the page address is:
http://www.5idev.com/php/index.php
Access this page and the html code of the form is as follows:
<form method="post" action="/php/index.php">
This code is correct, but when the access address becomes:
http://www.5idev.com/php/index.php/test/foo
The page is normally executed, and the form html code is changed:
<form method="post" action="/php/index.php/test/foo">
Obviously, this is not the code we expect: the trailing path (everything after index.php) is taken straight from the request URL and echoed into the page without escaping, so an attacker can append arbitrary content, including attack code, to the URL. To solve this problem, you can cut $_SERVER['PHP_SELF'] off right after the script's own file name:
$phpfile = basename(__FILE__);
$_SERVER['PHP_SELF'] = substr($_SERVER['PHP_SELF'], 0, strpos($_SERVER['PHP_SELF'], $phpfile)).$phpfile;
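The following is an added example (not from the original article) that wraps the fix above in a function, handles the case where the file name is not found in PHP_SELF, and additionally HTML-escapes the value before it is placed in the action attribute; the sample inputs and the function names stripPathInfo and formAction are constructed for illustration.

```php
<?php
// Added example: build a safe form action from $_SERVER['PHP_SELF']
// without trusting the trailing path-info part of the request URL.

// Keep only the part of PHP_SELF up to and including the script's own file
// name, as the article's fix does. $scriptFile is basename(__FILE__) in a
// real script; it is passed in here so the function can be tested directly.
function stripPathInfo(string $phpSelf, string $scriptFile): string
{
    $pos = strpos($phpSelf, $scriptFile);
    if ($pos === false) {
        // File name not present (e.g. a rewritten URL): return the script
        // name alone rather than echoing unknown input into the page.
        return $scriptFile;
    }
    return substr($phpSelf, 0, $pos) . $scriptFile;
}

// Escape for use inside an HTML attribute. The stripped value is still
// output into HTML, so it is encoded as well; this also neutralises the
// quote and tag characters if the stripping step is ever bypassed.
function formAction(string $phpSelf, string $scriptFile): string
{
    return htmlspecialchars(stripPathInfo($phpSelf, $scriptFile), ENT_QUOTES, 'UTF-8');
}

// Constructed inputs mirroring the article's URLs; a real script would use
// $_SERVER['PHP_SELF'] and basename(__FILE__) instead of these literals.
$samples = [
    '/php/index.php',
    '/php/index.php/test/foo',
    '/php/index.php/"><x>',   // constructed: quote and tag in the path-info part
    '/php/other.php',         // constructed: script name absent
];
foreach ($samples as $s) {
    printf("%-26s stripped+escaped: %-18s escaped only: %s\n",
        $s,
        formAction($s, 'index.php'),
        htmlspecialchars($s, ENT_QUOTES, 'UTF-8'));
}
```

The "escaped only" column shows that htmlspecialchars alone already prevents the injected characters from breaking out of the action attribute; combining it with the stripping step also keeps the form posting to the intended script path.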