Archive for the ‘cross site scripting’ Tag

The danger of PHP_SELF

The $_SERVER[‘PHP_SELF’] or old syntax $PHP_SELF superglobal gives you the filename of the currently executing script, relative to the document root.
Often used in forms or in links.

<form action=”<? echo $_SERVER[‘PHP_SELF’]; ?>” method=”POST”>

Here you see a normal login form with the form container above.

Continue reading

Advertisements