问题描述

使用超级全局$_SERVER['PHP_SELF']有什么好处?

What is the benefit of using the super global $_SERVER['PHP_SELF']?

推荐答案

$_SERVER['PHP_SELF']不(也不应该)包含域名.它包括调用脚本的URL的路径部分.

$_SERVER['PHP_SELF'] doesn't (or shouldn't) include the domain name. It includes the path component of the url that the script was called from.

它的主要用途是引入跨站点脚本漏洞.

Its use is primarily to introduce cross site scripting vulnerabilities.

您可以使用它来填写表单标签的action属性:

you can use it to fill in the action attribute of a form tag:

<form method="post" action="<?=$_SERVER['PHP_SELF']?>"></form>

如果我随后通过以下方式致电您的页面:

If I then call your page with:

your-file-that-uses-php-self.php/("><script>eval-javascript-here</script>)

在parens中的所有内容都经过了urlencode编码，然后我可以将代码插入您的页面中.如果我将该链接发送给其他人，那么我正在从您的站点在他们的浏览器中执行该代码.

where everything in parens is urlencoded then I can inject the code into your page. If I send that link to somebody else, then I'm executing that code in their browser from your site.

修改:为了使其免受XSS攻击的侵害，请使用htmlspecialchars:

To make it safe against XSS attacks, use htmlspecialchars:

<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">...</form>

由于此$_SERVER变量在Internet上的示例中经常被滥用，因此请不要错过阅读您的HTML参考文献:因为URI是最短的相对URI. ，您可以将action属性保留为空:

Edit 2: As this $_SERVER variable has been misused so often out there in examples across the internets, don't miss reading your HTML reference: As that URI is the shortest possible relative URI, you can just leave the action attribute empty:

<form action="" method="post" >...</form>

这篇关于在PHP中使用超级全局`$ _SERVER ['PHP_SELF']`有什么好处?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！