[adn258]

So I've been using just anothe script page for a form submit action in php action="yadayadapage.php" While using the PHP_Self idea it appears that that saves room in the sense of you don't need another php/page/script but I've been reading online that it can be very dangerous. Should this be used or should I continue with using another php script page in a form action like I have been and I'm fine doing? What the the advantages of using one over the other besides the obvious PHP_SELF technically saves you a script?

[JackOfAllTrades]

Really should try searching the Internet first.

https://phpsecurity....er-of-php_self/

[adn258]

JackOfAllTrades, on 04 September 2012 - 02:12 PM, said:

Really should try searching the Internet first.

https://phpsecurity....er-of-php_self/

I read sites that talk about it being dangerous but I didn't know about the htmlentities function so thank you

[Duckington]

I've never understood why that was even needed, maybe i'm being obtuse but if you want to send the form to the same page, simply leaving the action blank <form action='' method='post'> has always worked for me.

[adn258]

Duckington, on 05 September 2012 - 02:58 AM, said:

I've never understood why that was even needed, maybe i'm being obtuse but if you want to send the form to the same page, simply leaving the action blank <form action='' method='post'> has always worked for me.

That does work what do people think of using this instead here?

[Dormilich]

at least better than omitting the action attribute altogether.

on the other hand side, I would not do the form processing on the same page except when I use a Front Controller (and in that case I know the URL anyways).

[Atli]

The main problem I've always had with leaving it empty is this quote from the standard docs:

Quote

User agent behavior for a value other than an HTTP URI is undefined.

While it does appear that all the browsers actually submit to the same page when it's left empty, I'm still never quite comfortable doing it.


In any case, I've never seen the point of using either of those. With the exception of form processing in frameworks like Symfony, where you use a helper function to generate the correct path, there's never been any situation where typing out the action path has proved to be a problem. Even when using form templates that are used on several pages, including an easy way to set the action is trivial.

[programmermja]

This should work perfectly without any error and it secure.
See attached file to download this code, it just 1.94kb.

<html>
<head>
<title>PHP_SELF resolved</title>
</head>
<?php
$message= '';
$error= '';
 $link=mysql_connect('localhost', 'root','');
if( ! mysql_select_db('database_name',$link)){
	$error=1;
}
if(isset($_POST['first_name'])){

	$first_name=mysql_escape_string($_POST['first_name']);
	$last_name=mysql_escape_string($_POST['last_name']);
	mysql_query("insert into users (first_name, last_name) values ('$first_name', '$last_name')"); //Where users is the table name.	
	$message= "<font color='#FF0000'>Record Updated</font>";
}
?>
<body>
<table align="center" width="100%" height="300">
        <tr>
          <td valign="middle"> <form name="user_detail" action="<?php echo $_PHPSELF ?>" method="post">
              <table width="26%" align="center" cellspacing="4">
                <tr>
                  <td colspan="2" align="center"><h3>ENTER USER DETAILS</h3></td>
                </tr>
                <? if($message != ''){
?>
                <tr>
                  <td colspan="2" align="center"><strong>
                    <?=$message ?>
                    </strong></td>
                </tr>
                <?

}?>
                <tr>
                  <td width="150">First Name</td>
                  <td><input type="text" name="first_name" value="<?=$_POST['first_name'] ?>"></td>
                </tr>
                <tr>
                  <td>Last Name</td>
                  <td><input type="text" name="last_name" value="<?=$_POST['last_name'] ?>"></td>
                </tr>
                <tr>
                  <td colspan="2" align="center">
				  <? if ($error !=1) {?>
				  <input name="submit" type="submit" value="Submit Details">
				  <?} else echo "<font color='#FF0000'>Database not found, Please set your database!</font>";
				  ?>
				  </td>
                </tr>
              </table>
            </form></td>
        </tr>
      </table>

</body>
</html>

Attached File(s)

•  php_self.php (1.94K)
  Number of downloads: 28

[CTphpnwb]

Secure? It's better (more secure) to use prepared statements because mysql_escape_string() can be beaten.

[Atli]

programmermja, on 11 September 2012 - 11:54 PM, said:

This should work perfectly ...

Bold claim.

On the PHP side, I'd argue that connecting to MySQL on every request, even when the connection isn't actually used, is far from perfect. You also just make sure the "first_name" is set before inserting the values into MySQL. You don't do any sort of validation aside from that, not even making sure "last_name" exists.

As for the HTML:

• You're missing the Doctype Declaration, which should be the first line of all HTML documents.
  
• You are using a <table> for your layout, which has been a discouraged method for about a decade now.
  
• You at one point use the <font> tag, which even more so than table layouts has been completely abandoned in favour of CSS.
  
• You left out the "Content-Type" meta-tag specifying the charset. (Which is not technically required, but still should be included.)

programmermja, on 11 September 2012 - 11:54 PM, said:

... without any error ...

The $_PHPSELF variable you use in the form's action attribute is neither defined by PHP, nor do you define it, so it will not actually print anything. Assuming PHP's error display is turned off, it effectively leaves the action attribute empty. (Did you mean to use $PHP_SELF? That was defined by PHP in early versions of PHP4 and PHP3, I believe. It hasn't been used for ages though.)

When PHP's error display is turned on, however, it will print a "Undefined Index" warning, and completely mess up the form. The same is also true for the two input value fields, where you try to print the $_POST values they would set, regardless of whether they actually have been set.

Also, in several places there you are using the short-hand PHP block tags, <? ... ?> and <?= ... ?>, which will require the short_open_tag directive to be enabled in the PHP config. (With the exception of <?= ... ?> on PHP 5.4+, where it's always enabled.) - On servers where those are disabled, your code won't even execute.

programmermja, on 11 September 2012 - 11:54 PM, said:

... and it secure.

As well as the point made by CTphpnwb, I'd also point out that printing any user input into the HTML is insecure without escaping it first. You should be running the POST values you use in the input value attributes though htmlentities(), or at least htmlspecialchars().

[adn258]

I'm still concerned about something and thanks for the help guys. First thing is why do you need to use the htmlentities function when a .php posts to itself but NOT when use use another php script file for the action?

Second there are many times I echo out values within html parts of my page like you know from a database or even at times I have echoed out html code like

<?php echo <br /> blah blah some html stuff and text <br /> ?>

Does echoed html for it to be secure need to have the htmlentities function used on it? Why or why not? Thanks guys

[Atli]

The htmlentities() function converts all characters in the input string that have matching HTML entities into those entities. You should, at least, use it on all external values that you are planing to echo into a HTML page. That includes all user input, database fields and things like the $_SERVER array. It doesn't matter in which PHP page it is.

[dallbee]

Adn258,

As was previously mentioned, you're best off simply not using an action field at all. All browsers (even internet explorer 3, and probably before that) will default to using the current page that the form is being viewed on.

Quote

First thing is why do you need to use the htmlentities function when a .php posts to itself but NOT when use use another php script file for the action?

A php file cannot 'post to itself'. What happens is that the form in your .php file is telling your browser to store the data in its header until after the next page load. Because the data gets stored in the browser, it is easily modified before the page load goes through. Anything that can be modified on the user end needs to be treated in a secure manner.

If you'd like to learn more, look into http://net.tutsplus....th-php-filters/ as a starting point, and after that google is your friend.

Quote

Does echoed html for it to be secure need to have the htmlentities function used on it? Why or why not? Thanks guys

Possibly/Sort of. You're alluding to output encoding, which is the idea of making sure that your website is producing what you want it to produce, instead of someone else's injected code. You should consider this any time you echo out a variable that was defined in some way by user input. htmlentities() won't really help you there, but htmlspecialchars() will.

I hope some of that was helpful.

[Atli]

Quote

As was previously mentioned, you're best off simply not using an action field at all.

As far as I can see, nobody actually mentioned that. In any case, if they did, they would be wrong. The action attribute is a required attribute for the form element. It should always be used. As for the value of it, whether or not that can be left empty can be debated. As far as I am concerned, leaving empty has a sort of lazy feel to it, but that's just me.

Quote

A php file cannot 'post to itself'. What happens is that the form in your .php file is telling your browser to store the data in its header until after the next page load.

That's not how it works. If the data is stored in the browser, how do you suppose PHP would be able to access it, on the server?

What does happen, regardless of where the form is sending the data, is that the browser creates a HTTP request into which it puts the form data. That request is then sent to the server where PHP takes it and processes it. Once the request is sent, the browser does not store the data. (Unless maybe for extra features like those annoying form auto-complete things.)

Quote

htmlentities() won't really help you there, but htmlspecialchars() will

Actually, the two functions are identical, except htmlentities encodes all HTML entities, whereas htmldpecialchars only encodes a limited set of them.

To quote the manual entry for htmlentities:

Quote

This function is identical to htmlspecialchars() in all ways, except with htmlentities(), all characters which have HTML character entity equivalents are translated into these entities.

[adn258]

Okay sorry guys...I'm still a little confused and I apologized...well okay a lot confused. I get the idea of using htmlentities if you are having a user submit something which goes into a database and if it's echoed onto a page could contain malicious code etc. but there are times when I have something in a database that a user did NOT just submit and I echo it out knowing there's no malicious code.

Correct me if I'm wrong but there's no way that the end user even knows that PHP echoed out the html or if the html was typed. For Instance. Let's say in a database MYSQL that there's a statement as follows <b>Hi Everyone</b>

There's html included in that for bold. Then let's say you grab that using a query statement from Mysqli or PDO or mysql (I'm not going to write that. Then let's say you store it in a variable called hi and echo that out

echo $hi;

It would show a bold "Hi Everyone". I'm not understanding WHY this is a security risk of any sort? I'm sorry I'm someone that has to understand something before I can fix it. Thanks guys