FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » Good code or bad code?
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: Good code or bad code? [message #170201 is a reply to message #170200] Sun, 17 October 2010 23:58 Go to previous messageGo to previous message
Thomas 'PointedEars'  is currently offline  Thomas 'PointedEars'
Messages: 701
Registered: October 2010
Karma:
Senior Member
Magno wrote:

> On 10/17/2010 03:39 PM, Thomas 'PointedEars' Lahn wrote:
>> Anyhow, for an oft-cited (and thus easily found) example (here: courtesy
>> of <http://blog.oncode.info/>, slightly adapted), take this problematic,
>> but often found, `form' element:
>>
>> <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
>> …
>> </form>
>>
>> and this URI to trigger the PHP script containing it:
>>
>>
http://foo.example/bar/myform.php/%22%3E%3C%2Fform%3EHier%20ein%20Javascrip t%3A%20%3Cscript%20type%3D%22text%2Fjavascript%22%3Ewindow.alert('Gotcha!')%3B%3C%2Fscript%3E%3Cform%20action%3D%22%2Fcontact%2Fmyform.php
>>
>> (Yes, wrapping $_SERVER['PHP_SELF'] in htmlentities() or
>> htmlspecialchars() would help here, but $_SERVER['SCRIPT_NAME'] usually
>> does not require to be
>> wrapped in either one. Hence my recommendation.)
>
> I use to assume everyone being wise enough to not do such an idiotic
> mistakes like not filtering what you are going to print on HTML.

(Fallacies: Raising the bar / No true Scotsman)

You would be surprised how often this pattern has occurred in the past and
is occurring now, because people simply do not know this about $PHP_SELF or
$_SERVER['PHP_SELF']. STFW.

> You must ALWAYS use htmlspecialchars, when the user interaction can
> alter anything you will print in the output.

Not when, iff. In the case of $_SERVER['SCRIPT_NAME'], user interaction
cannot alter anything. That is my point that you are still missing.


PointedEars
--
Danny Goodman's books are out of date and teach practices that are
positively harmful for cross-browser scripting.
-- Richard Cornford, cljs, <cife6q$253$1$8300dec7(at)news(dot)demon(dot)co(dot)uk> (2004)
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: buffering to allow headers in code?
Next Topic: Stats comp.lang.php (last 7 days)
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Sat Nov 30 11:04:52 GMT 2024

Total time taken to generate the page: 0.04011 seconds