PHP - Global $php_self; Purpose?

hi all i just read an article at http://www.phpro.org/tutorials/PHP-Security.html
about not trusting server variables like $_SERVER['PHP_SELF']

so they explain, it can't be trusted and so on, but when it comes to a real life example i have difficulty understandig what someone could do with it since i assume it only has effect at client side.  they use a form and say that
Code: [Select]
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
   ...
</form>

They give as example that someone could do the following: add
Code: [Select]
<script>alert("XSS HERE");</script>
But i don't see how that would have effect to anyone except for the one that inserts that.
Could someone maybe explain this a little to me.

I saw your sig file and read one of the articles about $_SERVER['PHP_SELF'] being awful.  I admit, I've written scripts that submit the info to the same page, but I always just coded the page name directly into the action attribute.  In my noobness, I never realized you *could* use PHP_SELF.  One of the articles mentions a few fixes, including htmlentities or html special characters, but I guess my question to you is, why even bother?  Why not just set the page name in action and check for $_POST['submit'] when the page (re)loads?

I was going to send this as a PM then decided to open it up for the benefit of everyone and not bother your inbox. 

I have a bit of code that's supposed to verify the referring page.  If it's processlogin.php, then it allows access.  Otherwise, it fails.  This works:

Code: [Select]
<?php
$ref = $_SERVER['PHP_SELF']; 
if ($ref != '/processlogin.php')
header('Location: sorry1.php');
?>
However, when I try and show more data on the page, it fails on Reload.  At first I thought it was because the page is seeing itself as an invalid Referrer.  So, I added the page itself as a valid referrer, as seen below.

Code: [Select]
<?php
$ref = $_SERVER['PHP_SELF']; 
if (($ref != '/processlogin.php') || ($ref != '/atv_list.php'))
header('Location: sorry1.php');
?>
The problem is that now NOTHING works the way I think it should.  Whereas if ($ref != '/processlogin.php') worked just fine when it was by itself, now it throws the Fail state.  However, the page can now be reloaded, which doesn't make much sense to me. Next I attempted the following:

Code: [Select]
<?php
$ref = $_SERVER['PHP_SELF']; 
if ($ref != '/processlogin.php' || $ref != '/atv_list.php')
header('Location: sorry1.php');
?>
Which didn't work either.  So I thought that MAYBE it's reprocessing through processlogin.php, and the Variables in the URL were causing the problem.  So, I tried this:
<?php
$ref = $_SERVER['PHP_SELF'];
if (strstr($ref,'/processlogin.php'))
{header('Location: sorry1.php');
}
?>

And again it doesn't work.

Anyone know where I went so horribly, horribly wrong?

Hi,

I have an issue here, after user log in, it will direct them back to the url link '.admin.php', however it has directed them to this url 'http://www.123.com\/admin.php'. As you can see there is an extra backward slash, may I know what would have caused the backward slash? May I know how do I rectify it? Thanks


Code: [Select]
$home_url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']) . '/admin.php';
header('Location: ' . $home_url);

I have a code built in, which is in my localhost and connects to an external database. I have set my connections right, and when I try to login via the page, after pressing submit, my url changes to
localhost/<? echo $_SERVER['PHP_SELF']; ?>?action=validate

And I get this displayed.
Quote

Quote

    Access forbidden!

    You don't have permission to access the requested object. It is either read-protected or not readable by the server.

    If you think this is a server error, please contact the webmaster.



where validate is for validating. Any help?

everytime i go to login or register on my site
i get this in the URL:http://localhost/%3C?$_SERVER['PHP_SELF']?%3E

<form class="form" action="<?$_SERVER['PHP_SELF']?>" method="post">

I successfully build a form, and I have a few echo's which will echo out error messages when an input box is left empty.

The echo messages used to be on the same page while I was using PHP_SELF, now that I've separated the script from the form it will now be shown on a new empty page and the user has to use the browser's navigators to navigate back. I'd still like to keep my script from the form separated for read-ability reasons, but I'd also like to have the echo messages outputted on the same page as the form.

How can I do that?

I'm a newbie, so excuse this basic question.


P.S.
If somebody can give me a tip how to position the echo messages in the design, I'd appreciate it a lot, because it sometimes messes up the design.

This topic has been moved to JavaScript Help.

http://www.phpfreaks.com/forums/index.php?topic=326389.0

How come my$_SERVER['PHP_SELF'] echos the filename.php

I have a rewrite rule and i need it to echo

http://site.com/file/321

instead of filename.php?id=321


Help! Godaddy wont tell me why its doing that

If I have this code throughout my website...
Code: [Select]
$_SESSION['currentpage']=$_SERVER['PHP_SELF'];
I'm finding that if the URL is "mypage.php?id=1", then $_SERVER['PHP_SELF'] only returns "mypage.php" (it excludes anything appended to the end of the URL).

Is that right?  If so, how can I preserve the full URL (i.e. including the stuff after the question mark)

I have been messing with this for a few hours, and I cannot get this to work with my click. On the first example, the php runs regardless of click or not - basically when the page loads it runs... And the second, I cannot figure out how to store the while loop results in a variable to pass to the page.. I would prefer to use my first method as it's much cleaner and less code. IS this even possible? Basically I just want to run my function ONLY when the button is clicked.

<a href="" onCLick="<?php myFunction(); ?>"/>Click to run function</a>

OR

<form method="post" action="<?php $_SERVER['PHP_SELF']; ?>">
<input type="hidden" name="myFunctionRun" value=""/>
<input type="submit" value="Run Function">
</form>

I am just setting up a db to catch user info on my site. After some testing all is working except that when I use Safari, my log wrongly shows that I am using Firefox. I have been scanning the web for a solution but all workarounds I have found seem to be very out of date. Can anyone help with this? here is the code I am using:

Code: [Select]
//logs user info to db
$browser = $_SERVER['HTTP_USER_AGENT'];
$time = $_SERVER['REQUEST_TIME'];
$refer = $_SERVER['HTTP_REFERER'];
$page = $_SERVER['PHP_SELF'];
$pageQuery = $_SERVER['QUERY_STRING'];
$ip = $_SERVER['REMOTE_ADDR'];

Hi I am new to PHP and this is my first post one here so appologies is this questions seems a bit dumb!

I have an if clause such that if a button is pressed on my web page then i want to reload the page and include a new form on it.

I am having a problem getting the $_SERVER['PHP_SELF'] command to work from iside a echo command. I must not be escaping the code correctly with back slashes:

I currently have the line :

 
echo"<form method=\"POST\" action=\"\<?$_SERVER['PHP_SELF']?\>\">";


However this doesnt seem to work as my page just doesnt display in the browser.

Any advice is much appreciated.

Thanks for taking the time to read.

Hi there,

I'm trying to make my code more efficient by using <?php echo $_SERVER['PHP_SELF']; ?> ....where I've been used to having two pages with forms - one for filling out the form, and then a second page to process it / confirm, etc.

The page in question is designed to send a reminder of a user's password to their email address.

They basically put their email address into a form with one field, next to which it says:

"So...You forgot your password eh? Give us your email address and we'll send it to you."

I've got the code set up so it sends the email with the password, no problems.

However, once they've pressed submit, they can still see the message  "So...You forgot your password eh? Give us your email address and we'll send it to you"...as well as the form field and submit button.

I'd love to know what I need to do to hide these after the user has pressed submit??

Here's the code:
Code: [Select]

    <?php
if(isset($_POST['submit'])) 
{ 

 $emailaddress = $_POST['emailaddress'];
 
echo "We've sent an email to $emailaddress, reminding you of your password.";


 //MySQL Database Connect
 include 'mysql_connect_applications.php'; 

// Get all the data from the "example" table

$result = mysql_query("SELECT * FROM applications2011 WHERE emailaddress= '$emailaddress'  LIMIT 0,1 ")
or die(mysql_error());

while($row = mysql_fetch_array( $result )) {

 $password = $row['password'];
}

// keeps getting the next row until there are no more to get

//***********************Email to forgetful user code***********************

$to = "$emailaddress\n";
$subject = "C2K Application";
$headers = "From: coast2kosci@coast2kosci.com";

$message = "Hi there, 

Seems you forgot your password. Here it is:

Password:  $password

Yours in the long run,

Dave.\n";
if (preg_match(' /[\r\n,;\'"]/ ', $_POST['emailaddress'])) {
  exit('Invalid Email Address');
}
else {
mail($to,$subject,$message,$headers);
}

//***********************End of Email to applicant code***********************
   
}
?>
             
             
                <form id="form1" name="form1" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
                  <p>
                    <label>
                      So...You forgot your password eh? Give us  your email address and we'll send it to you.
                      <input type="text" name="emailaddress" id="emailaddress" />
                    </label>
                  </p>
                  <p>
                    <label>
                      <input type="submit" name="submit" id="submit" value="Submit Form" />
                    </label>
                  </p>
                </form>