PHP - 自我提交表单:$_SERVER['PHP_SELF'] OR action=""?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/3620340/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
PHP - Self form submission: $_SERVER['PHP_SELF'] OR action=""?
提问by MEM
I just realise that, for some weird circumstances, I was doing what I believe to be self submissions, without any reference to PHP_SELF on the action form attribute.
我只是意识到,在一些奇怪的情况下,我正在做我认为是自我提交的事情,而没有在 action 表单属性上引用 PHP_SELF。
I'm puzzled, can we either use
我很困惑,我们可以使用
<?php echo filter_var($_SERVER['PHP_SELF'], FILTER_SANITIZE_STRING); ?>
Or
或者
action=""
?
?
If not, on what circumstances should we considered one, or another?
如果不是,我们应该在什么情况下考虑一种或另一种?
Thanks in advance, MEM
提前致谢,MEM
回答by Lekensteyn
You can use either (PHP_SELF or empty string). but why would you use FILTER_SANITIZE_STRING for this? You'd better to use htmlentities()instead of filter_var in this case, if your path contains filtered characters (e.g. <), the form won't submit.
您可以使用(PHP_SELF 或空字符串)。但是为什么要为此使用 FILTER_SANITIZE_STRING 呢?在这种情况下,您最好使用htmlentities()而不是 filter_var,如果您的路径包含过滤的字符(例如<),表单将不会提交。
I prefer giving a string, <base href=>can cause trouble when using empty values.
Example:
我更喜欢给出一个字符串,<base href=>在使用空值时会引起麻烦。例子:
<form action="<?php echo htmlentities($_SERVER['PHP_SELF']);?>" method="post">
</form>
回答by NikiC
If I'm not mistaken Safari had/has problems with the latter, therefore I dropped using it.
如果我没记错的话,Safari 对后者有/有问题,因此我放弃使用它。
回答by Jan.
Please do notuse PHP_SELF, because this can also be /index.php/"><script>alert(1)</script>/.
请不要不使用PHP_SELF,因为这也可以/index.php/"><script>alert(1)</script>/。
It's often used for XSS Attacks.
它通常用于 XSS 攻击。
Use the index SCRIPT_NAMEinstead! SCRIPT_NAME will always point to the actual PHP file and not to the user-input.
请改用索引SCRIPT_NAME!SCRIPT_NAME 将始终指向实际的 PHP 文件而不是用户输入。
Regards
问候
Edit:
编辑:
Two people point out, that SCRIPT_NAME would not work when using mod_rewrite. This is false and I think these people should read before they vote answers down.
有两个人指出,使用 mod_rewrite 时 SCRIPT_NAME 不起作用。这是错误的,我认为这些人应该在投票否决答案之前阅读。
Here's a test scenario for you ***:
这是您的测试场景***:
$ cat .htaccess
RewriteEngine On
RewriteRule testme/ /testmenot.php
$ cat testmenot.php
<? echo $_SERVER['SCRIPT_NAME']; ?>
$ GET hostname/testme/
/testmenot.php
$_SERVER['REQUEST_URI']is holding "/testme/", which i guess these people would have expected in SCRIPT_NAME. But that can also notbe found in PHP_SELF.
$_SERVER['REQUEST_URI']正在持有“/testme/”,我猜这些人会在 SCRIPT_NAME 中预料到这一点。但是,也可以不被在PHP_SELF找到。
/me crosses fingers
:E
/me 交叉手指
:E
回答by Ruchi Dubey
<?php
session_start();
$msg = '';
if (isset($_POST['login']) && !empty($_POST['username'])
&& !empty($_POST['password'])) {
if ($_POST['username'] == 'abc' &&
$_POST['password'] == 'xyz') {
$_SESSION['valid'] = true;
$_SESSION['timeout'] = time();
$_SESSION['username'] = 'abc';
?>
<script type="text/javascript">
location.href="index.php"
</script>
<?php
}
else
{
$msg ='Invalid username or password';
}
}
?>
<form
action ="<?php echo htmlspecialchars($_SERVER['PHP_SELF']);
?>" method = "post">
<input type = "text" class = "form-control"
name = "username" placeholder = "username"
required autofocus ></br>
<input type = "password" class = "form-control"
name = "password" placeholder = "password" required>
<input class="button" type = "submit" name = "login" value="Log in"/>
