$_server variable and PHP using $_server[' php_self ' to get the current page address and its security issues

PHP $_server[' php_self ']

$_server[' Php_self ') represents the location address of the current PHP file relative to the root of the Web site, and is related to document root.

Suppose we have the following URLs, $_server[' php_self ') results are:

http://www.5idev.com/php/:/php/index.phphttp://www.5idev.com/php/index.php:/php/index.phphttp://www.5idev.com/ Php/index.php?test=foo:/php/index.phphttp://www.5idev.com/php/index.php/test/foo:/php/index.php/test/foo

Therefore, it is convenient to get the address of the current page using $_server[' php_self '):

$url = "http://". $_server[' http_host '].$_server[' php_self '];

Taking the above address as an example, the results are as follows:

http://www.5idev.com/php/index.php

Above is the simple get HTTP protocol of the current page URL, just to note that the address is not included in the URL of the requested parameters (? and subsequent strings). If you want the full URL address that contains the request parameters, use $_server[' Request_uri '].

PHP $_server[' php_self ' security

Since the current page address can be easily obtained by using $_server[' php_self ', some programmers tend to use the following method when submitting form data to the current page for processing:

<form method= "POST" action= "<?php echo $_server[' php_self '];?>" >

Assume that the page address is:

http://www.5idev.com/php/index.php

To access this page, get the form HTML code as follows:

<form method= "POST" action= "/php/index.php" >

This code is correct, but when the access address becomes:

Http://www.5idev.com/php/index.php/test/foo

The page executes properly and the form HTML code becomes:

<form method= "POST" action= "/php/index.php/test/foo" >

Obviously this code is not what we expected, and the attacker could arbitrarily add the attack code behind the URL. To resolve this issue, you can:

1. Use Htmlentities ($_server[' php_self ') instead of $_server[' php_self ') to convert potentially malicious code in the URL to HTML code for display and cannot be executed.
2. If available, use $_server[' script_name ' or $_server[' Request_uri '] instead of $_server[' php_self ']
3. Rewrite $_server[' php_self ' in public code:

$_server variable and PHP using $_server[' php_self ' to get the current page address and its security issues