[nycphp-talk] $_SERVER['PHP_SELF'} not working?
csnyder
chsnyder at gmail.com
Thu Jul 21 11:55:19 EDT 2005
On 7/21/05, Daniel Convissor <danielc at analysisandsolutions.com> wrote:
> Anyway, using PHP_SELF for the action is superfluous, since all it does is
> name itself; the default action of a form is submitting to itself in the first place.
Except that if you call the script with a URI that includes embedded
quotes, you can break the form and add arbitrary HTML to the page.
<form action="<?=$_SERVER['PHP_SELF']?>" method="post"> when called
with a url like:
index.php/%22%3E%3C%2Fform%3EMy%20HTML%20Here
Becomes:
<form action=""></form>My HTML Here" method="post">
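
The breakage described in the message above, next to two hardened ways of writing the same form tag. This is an added example, not part of the original post; the function names are hypothetical and the $server array is a constructed stand-in for $_SERVER, on the assumption that PHP_SELF carries the decoded trailing path and SCRIPT_NAME does not.

```php
<?php
// Added example; function names and the sample array are illustrative only.

// The pattern from the post: PHP_SELF written into the attribute unescaped.
function form_tag_raw(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '" method="post">';
}

// Hardened: encode for an HTML attribute so a quote cannot close it early.
function form_tag_escaped(array $server): string
{
    $action = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form action="' . $action . '" method="post">';
}

// Alternative: SCRIPT_NAME omits the trailing path info (assumption: typical
// server setup). It is still escaped, because output encoding should not
// depend on where the value came from.
function form_tag_script_name(array $server): string
{
    $action = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form action="' . $action . '" method="post">';
}

// True when the request path managed to close the form element itself.
function form_was_closed(string $html): bool
{
    return strpos($html, '</form>') !== false;
}

// Constructed sample: the values a request for the URL quoted in the post
// (index.php/%22%3E%3C%2Fform%3EMy%20HTML%20Here) is assumed to produce.
$server = [
    'PHP_SELF'    => '/index.php/"></form>My HTML Here',
    'SCRIPT_NAME' => '/index.php',
];

foreach (['form_tag_raw', 'form_tag_escaped', 'form_tag_script_name'] as $fn) {
    $html = $fn($server);
    printf("%-22s closed_early=%s\n  %s\n", $fn, form_was_closed($html) ? 'yes' : 'no', $html);
}
```

Leaving the action attribute out altogether, as the quoted message suggests, also avoids the problem, since no request-derived value is written into the page.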