Article one: Chris Shiflett: SERVER_NAME Versus HTTP_HOST
Article two: Sean Coates: XSS Woes
I thought both were quite insightful, though Sean’s stands out more because PHP_SELF is used so often (be sure to check out his phpinfo() example at the end of the post). One method, as he explained, is to pass $_SERVER['PHP_SELF'] through htmlentities() so at least you aren’t echoing potentially dangerous output.
Heed Chris’s advice: treat $_SERVER variables just as you would $_GET and $_POST – all have the potential to be tainted.
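As an added example (not code from this post or from either linked article), here are the two $_SERVER values discussed above handled as untrusted input in PHP; the helper names are hypothetical and the request values are constructed:

```php
<?php
// Added example: treat PHP_SELF and HTTP_HOST as client-controlled input.
// Helper names are hypothetical; run with the PHP CLI.

// $_SERVER['PHP_SELF'] is SCRIPT_NAME plus any PATH_INFO the client appended
// to the URL, so it must be escaped before it is echoed into HTML.
function self_url_for_html(array $server): string
{
    $self = $server['PHP_SELF'] ?? '';
    // ENT_QUOTES escapes both " and ' so the value is safe inside an
    // attribute such as <form action="...">; the charset is named explicitly.
    return htmlentities($self, ENT_QUOTES, 'UTF-8');
}

// Alternative that avoids echoing the request path at all: the script's own
// name is known server-side, so use that instead of PHP_SELF.
function script_name_only(array $server): string
{
    $name = basename($server['SCRIPT_NAME'] ?? '');
    return htmlentities($name, ENT_QUOTES, 'UTF-8');
}

// $_SERVER['HTTP_HOST'] is just the Host header the client sent. Check it
// against a fixed allow-list before using it to build links or redirects.
function trusted_host(array $server, array $allowed): ?string
{
    $host = strtolower($server['HTTP_HOST'] ?? '');
    $host = preg_replace('/:\d+$/', '', $host);   // drop an explicit port
    return in_array($host, $allowed, true) ? $host : null;
}

// Constructed request values standing in for the real superglobal.
$request = [
    'SCRIPT_NAME' => '/form.php',
    'PHP_SELF'    => '/form.php/"><s>untrusted</s>',  // path info added by the client
    'HTTP_HOST'   => 'evil.example:80',                 // header supplied by the client
];

echo 'escaped PHP_SELF : ', self_url_for_html($request), PHP_EOL;
echo 'script name only : ', script_name_only($request), PHP_EOL;
var_dump(trusted_host($request, ['www.example.com']));
var_dump(trusted_host(['HTTP_HOST' => 'WWW.example.com'], ['www.example.com']));
```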
Filed under: PHP, Reviews and Discussions
No Responses Yet to “Security: Don’t blindly trust $_SERVER variables”