Risk of using $_SERVER['REQUEST_URI'] or $_SERVER['PHP_SELF'] in forms and links

Question

Is there any risk of using $_SERVER['REQUEST_URI'] or $_SERVER['PHP_SELF'] as the action in a form or as the href in a link?

If so, what can be done to alleviate the risk?

Answer 1

You make a form on www.example.com/form.php. A year from now, you forget the URL is just grabbing whatever URL the page is loaded on.

At some point let's say you've added a 'delete everything' global option in your framework as part of a completely different (slightly odd) request.

Now, somebody sends you this link: www.example.com/form.php?delete_everything=true. Since you're just grabbing that URL and setting it as the action, that is now the action on your form. Oops. XSS attacks work essentially in this way.

Always assume that your code is going to be used (even by you, and especially by hackers) in ways that you don't expect when you first write it.

How do you get round it? Hardcode the URL! You can include a function which returns the URL. In effect, this is how frameworks like Symfony or CodeIgniter solve it.