php 为什么使用 $_SERVER['PHP_SELF'] 而不是 ""
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/14093316/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Why use $_SERVER['PHP_SELF'] instead of ""
提问by robk27
In a form on a PHP page, you can use:
在 PHP 页面上的表单中,您可以使用:
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" ...>
or
或者
<form action="#" ...>
or
或者
<form action="" ...>
in the action attribute of the form. Since echo $_SERVER['PHP_SELF']does not pass variables for using GETand you have to use "", why would you use that or "#"?
在表单的 action 属性中。由于 echo$_SERVER['PHP_SELF']不传递变量以供使用GET而您必须使用"",为什么要使用那个或"#"?
I'm asking because it took me some time to figure out that the variables are not passed with $_SERVER['PHP_SELF']. Thanks.
我问是因为我花了一些时间才弄清楚变量没有通过$_SERVER['PHP_SELF']. 谢谢。
回答by Niet the Dark Absol
The actionattribute will default to the current URL. It is the most reliable and easiest way to say "submit the form to the same place it came from".
该action属性将默认为当前 URL。这是说“将表单提交到它来自的同一个地方”的最可靠和最简单的方法。
There is no reason to use $_SERVER['PHP_SELF'], and #doesn't submit the form at all (unless there is a submitevent handler attached that handles the submission).
没有理由使用$_SERVER['PHP_SELF'],并且#根本不提交表单(除非submit附加了一个处理提交的事件处理程序)。
回答by ThiefMaster
Using an empty string is perfectly fine and actually much safer than simply using $_SERVER['PHP_SELF'].
使用空字符串非常好,实际上比简单地使用$_SERVER['PHP_SELF'].
When using $_SERVER['PHP_SELF']it is very easy to inject malicious data by simply appending /<script>...after the whatever.phppart of the URL so you should not use this method and stop using any PHP tutorial that suggests it.
使用时$_SERVER['PHP_SELF'],通过简单地附加/<script>...在whatever.phpURL 部分之后很容易注入恶意数据,因此您不应使用此方法并停止使用任何建议它的 PHP 教程。
回答by Mark Eirich
When you insert ANYvariable into HTML, unless you want the browser to interpret the variable itself as HTML, it's best to use htmlspecialchars()on it. Among other things, it prevents hackers from inserting arbitrary HTML in your page.
当您将ANY变量插入 HTML 时,除非您希望浏览器将变量本身解释为 HTML,否则最好htmlspecialchars()在其上使用。除此之外,它还可以防止黑客在您的页面中插入任意 HTML。
The value of $_SERVER['PHP_SELF']is taken directly from the URL entered in the browser. Therefore if you use it without htmlspecialchars(), you're allowing hackers to directly manipulate the output of your code.
的值$_SERVER['PHP_SELF']直接取自在浏览器中输入的 URL。因此,如果您在没有 的情况下使用它htmlspecialchars(),您就允许黑客直接操纵您的代码的输出。
For example, if I e-mail you a link to http://example.com/"><script>malicious_code_here()</script><span class="and you have <form action="<?php echo $_SERVER['PHP_SELF'] ?>">, the output will be:
例如,如果我通过电子邮件将链接发送给http://example.com/"><script>malicious_code_here()</script><span class="您并且您拥有<form action="<?php echo $_SERVER['PHP_SELF'] ?>">,则输出将是:
<form action="http://example.com/"><script>malicious_code_here()</script><span class="">
My script will run, and you will be none the wiser. If you were logged in, I may have stolen your cookies, or scraped confidential info from your page.
我的脚本会运行,而你不会更聪明。如果您已登录,我可能已经窃取了您的 cookie,或者从您的页面中窃取了机密信息。
However, if you used <form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']) ?>">, the output would be:
但是,如果您使用<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']) ?>">,则输出将是:
<form action="http://example.com/"><script>cookie_stealing_code()</script><span class="">
When you submitted the form, you'd have a weird URL, but at least my evil script did not run.
当你提交表单时,你会有一个奇怪的 URL,但至少我的邪恶脚本没有运行。
On the other hand, if you used <form action="">, then the output would be the same no matter what I added to my link. This is the option I would recommend.
另一方面,如果您使用<form action="">,那么无论我在链接中添加什么,输出都是相同的。这是我推荐的选项。
回答by Micha93
I know that the question is two years old, but it was the first result of what I am looking for. I found a good answers and I hope I can help other users.
我知道这个问题已经两年了,但这是我正在寻找的第一个结果。我找到了一个很好的答案,希望可以帮助其他用户。
I will make this brief:
我将简要介绍一下:
use the
$_SERVER["PHP_SELF"]Variable withhtmlspecialchars():`htmlspecialchars($_SERVER["PHP_SELF"]);`PHP_SELF returns the filename of the currently executing script.
- The
htmlspecialchars() function converts special characters to HTML entities. --> NO XSS
将
$_SERVER["PHP_SELF"]变量与htmlspecialchars() 一起使用:`htmlspecialchars($_SERVER["PHP_SELF"]);`PHP_SELF 返回当前正在执行的脚本的文件名。
- 在
htmlspecialchars()函数的特殊字符转换为HTML实体。--> 没有 XSS
回答by maxxon15
In addition to above answers, another way of doing it is $_SERVER['PHP_SELF']or simply using an empty string is to use __DIR__.
OR
If you're on a lower PHP version (<5.3), a more common alternative is to use dirname(__FILE__)Both returns the folder name of the file in context.
除了上述答案之外,另一种方法是$_SERVER['PHP_SELF']或者简单地使用空字符串是使用__DIR__.
或者
如果您使用的是较低的 PHP 版本 (<5.3),则更常见的替代方法是使用dirname(__FILE__)两者都在上下文中返回文件的文件夹名称。
EDIT
As Boann pointed out that this returns the on-disk location of the file. WHich you would not ideally expose as a url. In that case dirname($_SERVER['PHP_SELF'])can return the folder name of the file in context.
编辑
正如博安指出的那样,这将返回文件的磁盘位置。理想情况下,您不会将其公开为网址。在这种情况下,dirname($_SERVER['PHP_SELF'])可以在上下文中返回文件的文件夹名称。
回答by maxxon15
There is no difference. The $_SERVER['PHP_SELF'] just makes the execution time slower by like 0.000001 second.
没有区别。$_SERVER['PHP_SELF'] 只会使执行时间慢 0.000001 秒。
