Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How To Identify The Requested Page In PHP

Tags:

php

Is there any easy way to identify the file initially handling the request, ignoring get arguments and handling (at least basic) mappings like / to /index.php?

Ideally what I'm looking for is something like $_SERVER['REQUEST_URI'], except it returns the same value regardless of the get arguments and that value is the file requested, not the URI, nor the currently executing file ($_SERVER['PHP_SELF']). In other words, a $_SERVER['REQUESTED_FILE'] or something. I haven't seen anything like that. Does it exist, or do I need to write something manually?

Update Here are some example URLs paired with what I would like the result to be:

example.com/mypage.php       : /mypage.php
example.com/                 : /index.php
example.com/foo/?hello=world : /foo/index.php

And these return values are true even in included files. See my answer below before answering, I think I've found what I was looking for.

like image 875
dimo414 Avatar asked Jun 11 '09 08:06

dimo414


People also ask

How do you check if there is a post request in PHP?

Check if $_POST Exists With isset() The isset() function is a PHP built-in function that can check if a variable is set, and not NULL. Also, it works on arrays and array-key values. PHP $_POST contains array-key values, so, isset() can work on it. To check if $_POST exists, pass it as a value to the isset() function.

How can I get current page title in PHP?

php function page_title($url) { $fp = file_get_contents($url); if (! $fp) return null; $res = preg_match("/<title>(.

How can I get previous page in PHP?

Use the HTTP_REFERER Request Header to Return to the Previous Page in PHP. The HTTP_REFERER request header returns the URL of the page from where the current page was requested in PHP. The header enables the server to acknowledge the location from where the users are visiting the current page.


3 Answers

I decided to test it out myself. The $_SERVER['SCRIPT_NAME'] variable serves up the path to the requested file, even if it's an index file, and without get parameters or anything else. The PHP documentation states this contains the path of the file, but it seems to be relative to the document root, just like PHP_SELF, but without the security vulnerability.

Here is the code I used to test this: https://gist.github.com/dimo414/5484870

The output when requesting example.com/?foo=bar:

__FILE__:               /var/www/index.php
PHP_SELF:               /index.php
SCRIPT_NAME:            /index.php
REQUEST_URI:            /?foo=bar
parse_url(REQUEST_URI): /


__FILE__:               /var/www/pathtest.php
PHP_SELF:               /index.php
SCRIPT_NAME:            /index.php
REQUEST_URI:            /?foo=bar
parse_url(REQUEST_URI): /

And the output when requesting example.com/index.php/<strong>XSS</strong>:

__FILE__:               /var/www/index.php
PHP_SELF:               /index.php/XSS # note the XSS exploit (this is bold in browser)
SCRIPT_NAME:            /index.php     # No exploit here
REQUEST_URI:            /index.php/%3Cstrong%3EXSS%3C/strong%3E
parse_url(REQUEST_URI): /index.php/%3Cstrong%3EXSS%3C/strong%3E


__FILE__:               /var/www/pathtest.php
PHP_SELF:               /index.php/XSS
SCRIPT_NAME:            /index.php
REQUEST_URI:            /index.php/%3Cstrong%3EXSS%3C/strong%3E
parse_url(REQUEST_URI): /index.php/%3Cstrong%3EXSS%3C/strong%3E

As you can see, $_SERVER['SCRIPT_NAME'] always gives back the file that originally handled the request, i.e. the file in the URL, without any XSS risks.

like image 67
dimo414 Avatar answered Oct 31 '22 08:10

dimo414


$_SERVER['PHP_SELF']

Should return the actual script. But there are various methods.

I had a better link to a matrix of all the various file-related environment variables but I can't find it. I'll edit if it turns up.

Edit: I found a nice SO thread that details the differences between them.

like image 25
Oli Avatar answered Oct 31 '22 08:10

Oli


Go get file name from the requested URL use following code.

basename($_SERVER['URL']);
basename($_SERVER['REQUEST_URI']);
basename($_SERVER['SCRIPT_NAME']);
basename($_SERVER['SCRIPT_FILENAME']);
basename($_SERVER['REQUEST_URI']);
basename($_SERVER['PATH_TRANSLATED']);
basename($_SERVER['PHP_SELF']);

use any one all all of those in the nested if condition so you will not miss file name any how.

like image 21
Somnath Avatar answered Oct 31 '22 07:10

Somnath