 

Risk of using $_SERVER['REQUEST_URI'] or $_SERVER['PHP_SELF'] in forms and links

Tags:

php

Is there any risk of using $_SERVER['REQUEST_URI'] or $_SERVER['PHP_SELF'] as the action in a form or as the href in a link?

If so, what can be done to alleviate the risk?

user1032531 asked Jan 29 '13 14:01



1 Answer

You make a form on www.example.com/form.php. A year from now, you forget that the form's action just grabs whatever URL the page was loaded on.

At some point let's say you've added a 'delete everything' global option in your framework as part of a completely different (slightly odd) request.

Now, somebody sends you this link: www.example.com/form.php?delete_everything=true. Since you're just grabbing that URL and setting it as the action, that is now the action on your form. Oops. XSS attacks work essentially in this way.

Always assume that your code is going to be used (even by you, and especially by hackers) in ways that you don't expect when you first write it.

How do you get round it? Hardcode the URL! You can include a function which returns the URL. In effect, this is how frameworks like Symfony or CodeIgniter solve it.

Dan Blows answered Nov 03 '22 21:11

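To make the risk concrete, here is an added example (mine, not code from the question or the answer above) that puts the raw superglobal into a form action beside two hardened versions. It assumes the classic Apache setup in which trailing path info is passed through to PHP, so a request for `/form.php/"><script>...` lands in `$_SERVER['PHP_SELF']` verbatim; the `$fakeServer` array is constructed here to simulate that request so the script runs from the command line without a web server. `FORM_ROUTE` and the function names are mine.

```php
<?php
// Added example, not part of the original Q&A. Demonstrates why echoing
// $_SERVER['PHP_SELF'] / $_SERVER['REQUEST_URI'] into a form action is an
// injection sink, and two ways to close it.

declare(strict_types=1);

// Vulnerable: the request path is reflected straight into an HTML attribute.
// Anything the client puts after /form.php ends up inside action="...".
function vulnerableForm(array $server): string
{
    return '<form method="post" action="' . $server['PHP_SELF'] . '">'
         . '<input type="submit"></form>';
}

// Hardened option 1: escape before emitting. ENT_QUOTES is what turns the
// attacker's closing quote into &quot; so it cannot break out of the attribute.
function escapedForm(array $server): string
{
    $action = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form method="post" action="' . $action . '">'
         . '<input type="submit"></form>';
}

// Hardened option 2: hardcode the route, as the answer recommends. Nothing
// taken from the request reaches the markup at all. (FORM_ROUTE is assumed.)
const FORM_ROUTE = '/form.php';

function hardcodedForm(): string
{
    return '<form method="post" action="' . FORM_ROUTE . '">'
         . '<input type="submit"></form>';
}

// Constructed request, simulating what Apache hands PHP for
//   GET /form.php/"><script>alert(1)</script><a href="?delete_everything=true
// when path info is accepted. PHP_SELF is built from the decoded path, so it
// carries the payload even if the browser percent-encoded it on the wire;
// REQUEST_URI is the raw request line, query string included.
$attackPath = '/form.php/"><script>alert(1)</script><a href="';
$fakeServer = [
    'SCRIPT_NAME' => '/form.php',
    'PHP_SELF'    => $attackPath,
    'REQUEST_URI' => $attackPath . '?delete_everything=true',
];

echo "Vulnerable (script tag now lives inside the page):\n";
echo vulnerableForm($fakeServer), "\n\n";

echo "Escaped (payload is inert text inside the attribute):\n";
echo escapedForm($fakeServer), "\n\n";

echo "Hardcoded (request never touches the markup):\n";
echo hardcodedForm(), "\n";
```

Run it with `php example.php` and compare the three outputs: only the first contains a live `<script>` element. Note that escaping alone still lets a stray query string such as `?delete_everything=true` ride along in the action when `REQUEST_URI` is used, which is the separate problem the answer describes; hardcoding the route removes both issues at once.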