$_server[' php_self '] is often used in development, commonly used to refer to the current page address, and it is the system automatically generated global variables, also have any problems? Let's look at the following code first:
<form action= "<?php echo $_server[' php_self '";?> ">
<input type= "Submit" name= "submit" value= "Submit"/>
</form>
This code is very simple, we want to use $_server[' php_self ' to submit the Web page submitted to its own, assuming the code file name is test.php, in the execution of the time will be sure to get the address we expect? First try the address http://.../test.php, the result is certainly no problem, don't worry, you visit again http://.../test.php/a=1, you will get the following client code:
<form action= "/fwolf/temp/test.php/a=1″>
<input type= "Submit" name= "submit" value= "Submit"/>
</form>
Obviously, this is beyond our expectation that the Web server does not produce errors such as 404, that the page executes properly, and that there are parts of the generated HTML code that the user can input, where the horror is. Don't underestimate that "a=1", if it is replaced by a piece of JS code, it becomes more dangerous, such as the call:
Http://.../test.php/%22%3E%3Cscript%3Ealert (' XSS ')%3c/script%3e%3cfoo
Do you see the effect of JS's alert function? Check the generated HTML source code to find out why.
allows attackers to embed the JS code in such a way that an attacker can the