$_SERVER['PHP_SELF'] unsafe?


FromBelgium

9:05 am on Feb 1, 2015 (gmt 0)

10+ Year Member



I use below function to get the filename:

$menu=basename($_SERVER['PHP_SELF'], '.php');

For example with www.domain.com/example.php it returns value “example”.

However, if someone enters www.domain.com/example.php/somethingelse/ then it returns the value “somethingelse” and not “example”. So $menu can get any value. Can this be used to hack a site?

penders

11:37 am on Feb 1, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Can this be used to hack a site?


It depends what you are doing with it and to some extent the server config. It's basically user input, so the same validation applies.

If you are just using $menu to highlight a menu item then it might just be a visual disturbance. (But one which could be shared publicly.)

omoutop

8:12 am on Feb 4, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Simply echoing $_SERVER['PHP_SELF'] is vulnerable to XSS attacks. You can find many references for this if you google it.
The best approach is to echo htmlspecialchars($_SERVER['PHP_SELF']);, just to be on the safe side.

lucy24

7:25 pm on Feb 4, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



However, if someone enters www.domain.com/example.php/somethingelse/ then it returns the value “somethingelse” and not “example”. So $menu can get any value. Can this be used to hack a site?

Did you mean, if someone enters this spurious URL in their address bar, taking advantage of path-info defaults?

It may be safer to address this from the other side: don't let the site accept URLs with more stuff (other than a query string, duh) after the filename extension. Either block or redirect, depending on circumstances and preference.

yasar

2:36 pm on Mar 19, 2015 (gmt 0)

10+ Year Member



Yes, correct. Sometimes it makes a way to hack, just by entering the file name, for example test.php.

default password

5:51 am on Apr 29, 2015 (gmt 0)

10+ Year Member



You need to make note of all these:

$_SERVER["SCRIPT_NAME"]
$_SERVER["PATH_INFO"]
$_SERVER["PATH_TRANSLATED"]
$_SERVER["PHP_SELF"]

in your code. Use various URLs in a test script with var_dump($_SERVER);.

P.S. I have never seen/heard of any "hacking" of a site by adding "/text" on a URL.
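As an added example that is not from any post in this thread: a PHP script runnable from the CLI that fakes the $_SERVER entries for the URLs discussed above (the request values are constructed and the menu keys are assumed) and compares the original basename($_SERVER['PHP_SELF']) approach with whitelisting a key derived from SCRIPT_NAME, escaping the output, and rejecting requests that carry PATH_INFO.

```php
<?php
// Added example, not from the thread. Constructed $_SERVER values as PHP would
// populate them for the URLs discussed (PATH_INFO accepted by the server).
$requests = [
    'normal' => [
        'SCRIPT_NAME' => '/example.php',
        'PHP_SELF'    => '/example.php',
        'PATH_INFO'   => null,
    ],
    'path-info' => [
        'SCRIPT_NAME' => '/example.php',
        'PHP_SELF'    => '/example.php/somethingelse/',
        'PATH_INFO'   => '/somethingelse/',
    ],
    'markup' => [
        'SCRIPT_NAME' => '/example.php',
        'PHP_SELF'    => '/example.php/<em>injected',
        'PATH_INFO'   => '/<em>injected',
    ],
];

// Assumed list of menu keys the site actually knows about.
const MENU_ITEMS = ['index', 'example', 'contact'];

function menuKey(array $server): string {
    // SCRIPT_NAME is the script that really executed; PHP_SELF has PATH_INFO
    // appended, so a key derived from it is attacker-controlled. Treat the
    // result as user input anyway and fall back to a default when unknown.
    // (Under URL rewriting, compare SCRIPT_NAME and PHP_SELF with var_dump first.)
    $key = basename($server['SCRIPT_NAME'], '.php');
    return in_array($key, MENU_ITEMS, true) ? $key : 'index';
}

function rejectPathInfo(array $server): bool {
    // Refuse requests carrying anything after the .php extension (other than
    // the query string), which the server could also block or redirect.
    return !empty($server['PATH_INFO']);
}

foreach ($requests as $label => $server) {
    $naive = basename($server['PHP_SELF'], '.php'); // the thread's original code
    printf("%-10s naive=%-22s safe=%-8s block=%s\n",
        $label,
        htmlspecialchars($naive, ENT_QUOTES, 'UTF-8'), // escape before output
        menuKey($server),
        rejectPathInfo($server) ? 'yes' : 'no');
}
```

For the 'markup' request the naive value prints as &lt;em&gt;injected only because it passed through htmlspecialchars; menuKey() returns 'example' for all three requests and rejectPathInfo() is true for the two that carry PATH_INFO.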