PHP Introductory "one" $_server

These days to a colleague to write PHP program, began to learn PHP, basic Grammar Needless to say that the language is basically the same, only if the type and strong type of difference (declaring data type)

Make a note of the feeling that you see now.

$_server['php_self'] Returns the file name of the current execution script. $_server['Gateway_interface'] Returns the version of the CGI specification used by the server. $_server['server_addr'] Returns the IP address of the server where the script is currently running. $_server['server_name'] Returns the host name (such as www.w3school.com.cn) of the server on which the script is currently running. $_server['Server_software'] Returns the server identity string (for example, apache/2.2. -). $_server['Server_protocol'] Returns the name and version of the communication protocol when the page is requested (for example, "http/1.0"). $_server['Request_method'] Returns the request method used by the access page (for example, POST). $_server['Request_time'] Returns the timestamp at the start of the request (for example,1577687494). $_server['query_string'] To return the query string, if this page is accessed through a query string. $_server['http_accept'] Returns the request header from the current request. $_server['Http_accept_charset'] Returns the Accept_charset header from the current request (for example, utf-8, iso-8859-1) $_server['Http_host'] Returns the Host header from the current request. $_server['Http_referer'] Returns the full URL of the current page (unreliable, because not all user agents are supported). $_server['HTTPS'] Whether the script is queried through the secure HTTP protocol. $_server['REMOTE_ADDR'] Returns the IP address of the user who browsed the current page. $_server['Remote_host'] Returns the host name of the user who browsed the current page. $_server['Remote_port'] Returns the port number used to connect to the WEB server on the user's machine. $_server['Script_filename'] Returns the absolute path of the current execution script. $_server['Server_admin'] This value indicates the Server_admin parameter in the Apache server configuration file. $_server['Server_port'] The port used by the WEB server. The default value is " the". $_server['server_signature'] Returns the server version and the virtual host name. $_server['path_translated'] The base path of the file system (not the document root) where the current script resides. $_server['Script_name'] Returns the path to the current script. $_server['Script_uri'] Returns the URI of the current page.

It is easy for attackers to cause reflective XSS when using $_server["Php_self".

<form method="post" action="<?php echo $_server["php_ Self"];? >">

Normal will translate to:

<form method="post" action="test_form.php" >

The hacker enters in the URL:

http://Www.example.com/test_form.php/%22%3E%3Cscript%3Ealert (' hacked ')%3c/script%3e

This way, PHP acquisition will become:

<form method="post" action="test_form.php"/>< Script>alert ('hacked') </script>

Workaround:

Use

Htmlspecialchars ()

What is the Htmlspecialchars () function?
The Htmlspecialchars () function converts special characters to HTML entities. This means that HTML characters such as < and > are replaced with &lt; and &gt;. This prevents attackers from exploiting the code by injecting HTML or JavaScript code (cross-site scripting attacks) into the form.

When the user submits the form, there are two things we need to do:

1. (via the PHP trim () function) removes unnecessary characters from user input data (extra spaces, tabs, line breaks)
2. Remove backslash (\) from user input data (via PHP stripslashes () function)

PHP Introductory "one" $_server