Why PHP_SELF Should Be Avoided When Creating Website Links
When looking for articles about PHP_SELF, it seems like most only refer to the dangers of using the variable with HTML forms. However, there are risks with using it in other parts of a website. For example, it may be tempting to use the variable within the href attribute for links. The problem is that those links become susceptible to Cross-Site Scripting (XSS). Let's take a closer look at the security vulnerability of PHP_SELF and a simple alternative to avoid the problem altogether.
Purpose of PHP_SELF
For those unfamiliar, PHP_SELF is a server variable typically used in PHP scripts to link one page to itself. For example, a page may initially display a list of products with links for viewing more information about each item. If a link is clicked, an ID is passed to the same page for displaying the product details.
The Problem
As shown in the video, using PHP_SELF for links isn't recommended due to being vulnerable to Cross-Site Scripting (XSS). For example, let's say our page (http://www.example.com/products.php) utilizes the server variable. We can visit the page with Firefox and start injecting code. Note that some browsers, like Internet Explorer, block XSS activity.
If our anchor tag looks like
<a href="<?php print $_SERVER['PHP_SELF']; ?>?view=1">View More Info</a>
We can hack the URL by
- Adding a forward slash ("/") to make Firefox think there's another folder
- Typing a double quote to close the href attribute
- Creating an onmouseover event to redirect visitors somewhere else
The new URL looks like
http://www.example.com/products.php/" onmouseover="window.location="http://www.google.com/"'
On the surface, the link shouldn't look any different. But the source code, on the other hand, shows that the onmouseover event is now part of the link (see Figure 1).
Figure 1. Source Code Showing the Event Trigger
Alternate Solution
Instead of using PHP_SELF for links, it's just as easy to use the page's file name instead. Since our script was named "products.php", the anchor tag would be changed to
<a href="products.php?view=1">View More Info</a>
Conclusion
Although PHP_SELF seems like a useful option when creating links that lead to the same page, the security risk involved with the variable isn't worth it—especially when the alternative is so simple.
9 Comments
@Stefan – I imagine that it depends on how the variables are used. Do you use the full value from PHP_SELF…or do you extract a portion of the value?
Is there a way you can check PHP_SELF to make sure it can only contain a valid value? For example, are all the possible variable names defined somewhere? If so, you could check that the concatenated variable (the one created with PHP_SELF) exists before using it.
Thank you for a helpful and interesting article, but I have a question. Are there any security risks involved in using PHP_SELF aside from those mentioned? I use it to concatenate variables in order to generate a URL for a file to be loaded. Does this pose any security risks?
@Conal – That is correct.
Interesting article.
So, if I understand this right instead of saying $_SERVER['PHP_SELF'] I can simply type thisisthesamefile.php and it won't have the same XSS vulnerabilities?
Or use the following:
$php_self = filter_var($_SERVER['PHP_SELF'], FILTER_SANITIZE_STRING);
Awesome, I appreciate the feedback. “@MichaelPierre: Np. I used PHP_SELF in some code snippets recently. Your post was helpful.â€
Comment from @MichaelPierre via Twitter:
"@pnichman: @MichaelPierre – Thanks for the RT by the way." (Np. I used PHP_SELF in some code snippets recently. Your post was helpful.)
@john_j_owens – I would love to hear what you find out. Good luck.
Comment from @john_j_owens via Twitter:
@pnichman I used PHP_SELF when I was developing in CodeIgniter. It was to help me find paths for CSS and script files. Needs a review!
Leave a Comment