Using PHP_SELF in the action field of a form

This article shows how to use the PHP_SELF variable and how to avoid PHP_SELF exploits. PHP_SELF is a server variable that holds the name and path (relative to the document root) of the script currently being executed. You can use this variable in the action field of a FORM, but there are exploits you need to be aware of. We discuss all these points in this article.

What is PHP_SELF variable?

As described above, this variable returns the path of the current file in use. The following code displays the value of the PHP_SELF variable:

echo $_SERVER['PHP_SELF'];

a) Suppose your PHP file is located at the address:
http://www.yourserver.com/test.php
In this case the above code will give you the value: "/test.php"

b) Suppose your PHP file is located at the address:
http://www.yourserver.com/dir1/test.php
In this case the above code will give you the value: "/dir1/test.php"

Using the PHP_SELF variable in the action field of the form

A common use of the PHP_SELF variable is in the action field of a FORM.

The action field of the FORM tells the browser where to submit the form data when the user presses the "submit" button. Often we need to return to the same page on submitting the form. In this case you need to include the name of the current file in the action field of your form.

However, if you hard-code the file name in the action field and later rename the file, you need to update the action field as well, or else your form will stop working.

The other way is to put the PHP_SELF variable in the action field, as it holds the path of the current file. This way you can write more generic code that works on any page without editing the action field.

Suppose you have a file called test.php and want to load the same page after the form is submitted. The usual form code would be:

<FORM name="form1" method="post" action="test.php">

We can also use the PHP_SELF variable in the above code instead of "test.php". The code then looks like this:

<FORM name="form1" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">

Both pieces of code above do the same thing. Of course, by using the PHP_SELF variable you don't need to worry about the current name of the file.

How to handle the submission of a form using the PHP_SELF variable in the action field

It is worth writing a few lines about handling a form that loads the same page again. Suppose we have a page called test.php containing a form with a single field, "name". We want to load the same page (test.php) after the form is submitted and read the value the user entered in the "name" field.

The FORM code will look like this:

<HTML>
<HEAD><title>Using PHP_SELF</title></HEAD>
<BODY>
<FORM name="form1" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
   Enter Your Name: <input type="text" name="name"><br>
  <input type="submit" name="submit" value="Submit Form"><br>
</FORM>
</BODY>
</HTML>

The above code loads the same page on form submission; this is done by putting the PHP_SELF variable in the action field of the FORM. We have added a text field for the user to enter a name and a submit button. On hitting the submit button the same page is loaded again.

When the page is reloaded after the form submission, we want to print the name the user entered in the "name" field. This can be done by adding the following PHP code at the top of the file "test.php", before the HTML tag.

<?php if (isset($_POST['submit'])) {
    $name = $_POST['name'];
    // Escape the submitted value before echoing it, so a name containing HTML is shown as text.
    echo "User has submitted the form and entered this name : <b>" . htmlspecialchars($name) . "</b>";
    echo "<br>You can use the following form again to enter the new name.";
}
?>

This PHP code sits above the HTML part of the file and is executed first. The first line checks whether the form has been submitted. The name of our submit button is "submit", so when the submit button is pressed $_POST['submit'] is set and the IF condition becomes true. In this case we simply show the name entered by the user, and the form is displayed again below. If the form has not been submitted, $_POST['submit'] is not set, the IF condition is false and the PHP block does nothing; only the form is shown.

The complete code of "test.php"

Here is the combined code of the file "test.php" described above. You can use this code to test the script.

<?php if (isset($_POST['submit'])) {
    $name = $_POST['name'];
    // Escape the submitted value before echoing it, so a name containing HTML is shown as text.
    echo "User has submitted the form and entered this name : <b>" . htmlspecialchars($name) . "</b>";
    echo "<br>You can use the following form again to enter the new name.";
}
?>
<HTML>
<HEAD><title>Using PHP_SELF</title></HEAD>
<BODY>
<FORM name="form1" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
   Enter Your Name: <input type="text" name="name"><br>
  <input type="submit" name="submit" value="Submit Form"><br>
</FORM>
</BODY>
</HTML>

What are PHP_SELF exploits and how to avoid them

The PHP_SELF variable is used to get the name and path of the current file, but it can be abused by attackers too. If PHP_SELF is echoed into your page, a user can append a slash (/) followed by Cross Site Scripting (XSS) markup to the URL, and the browser will execute it. Suppose the following form code is in a file named "test.php":

<form name="test" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">

Now, if the user requests the page with a normal URL such as "http://www.yourdomain.com/test.php", the above code renders as:

<form name="test" action="/test.php" method="post">

This is the normal case.

Now consider that the user requests the script with the following URL in the address bar:
http://www.yourdomain.com/test.php/%22%3E%3Cscript%3Ealert('xss')%3C/script%3E%3Cfoo
In this case the FORM definition renders like this:

<form name="test" action="/test.php/"><script>alert('xss')</script><foo" method="post">

You can see that the injected part of the path has closed the action attribute and the form tag and added a script tag with an alert command. When the page loads, the user sees an alert saying "xss". This is just a simple example of how the PHP_SELF variable can be exploited; the same kind of payload can be injected through the URL anywhere in the script where the PHP_SELF variable is echoed.

For example, PHP_SELF can also be used in simple anchor tags in the script to load the same page again:

<a href="<?php echo $_SERVER['PHP_SELF']; ?>?id=5">Click here</a>

A user can use the same kind of URL as described above to execute JavaScript there as well.

Any JavaScript can be placed between the script tags: <script>....HERE....</script>. The user can just as easily reference a JavaScript file hosted on another server. That file can hold malicious code that alters the page's variables or submits the form to another address to capture the user's data, for example. JavaScript is a feature-rich scripting language, so there is practically no limit to what can be done by injecting script through the PHP_SELF variable.

How to Avoid the PHP_SELF exploits

Avoiding PHP_SELF exploits is very simple: wrap the PHP_SELF variable in the "htmlentities()" function wherever you echo it. For example, the form code should look like this:

<form name="test" action="<?php echo htmlentities($_SERVER['PHP_SELF']); ?>" method="post">

The htmlentities() function converts characters that are special in HTML (such as <, > and ") into their entity equivalents, so the user-supplied part of the path is rendered as plain text rather than as markup. htmlspecialchars() does the same for these characters. With either function, pass the ENT_QUOTES flag if the value is ever placed inside a single-quoted attribute, because the default in PHP versions before 8.1 converts double quotes only. Now, if the user tries to exploit the PHP_SELF variable, the attempt fails and the malicious URL above results in the following output:

<form name="test" method="post" action="/test.php/&quot;&gt;&lt;script&gt;alert('xss')&lt;/script&gt;&lt;foo">

As you can see, the script part is now neutralized in the above code.

So don't forget to convert every occurrence of "$_SERVER['PHP_SELF']" into "htmlentities($_SERVER['PHP_SELF'])" throughout your script.
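The following script is an added example, not code from the article: it reproduces the rendering shown above offline, without a web server, by feeding the article's own sample path (URL-decoded) into the vulnerable form tag and into the escaped one, and it includes a simple check you can reuse in a test suite. The constant SAMPLE_PHP_SELF is a constructed value standing in for what PHP would place in $_SERVER['PHP_SELF']; htmlspecialchars() is used in place of htmlentities() because it handles the same dangerous characters.

```php
<?php
// Added example (not the article's own code): show the vulnerable and the
// escaped form tag side by side for the article's sample request path.
declare(strict_types=1);

// Constructed value: the article's sample URL suffix after URL-decoding, as
// PHP would expose it in $_SERVER['PHP_SELF'] for /test.php/%22%3E%3Cscript...
const SAMPLE_PHP_SELF = '/test.php/"><script>alert(\'xss\')</script><foo';

/** The form tag as the article's vulnerable snippet builds it. */
function form_tag_unsafe(string $phpSelf): string
{
    return '<form name="test" action="' . $phpSelf . '" method="post">';
}

/** The same tag with the value escaped for an HTML attribute context. */
function form_tag_safe(string $phpSelf): string
{
    // ENT_QUOTES also escapes single quotes, so the value is safe inside
    // single-quoted attributes; ENT_SUBSTITUTE avoids an empty result on
    // invalid UTF-8 instead of silently dropping the whole attribute value.
    $escaped = htmlspecialchars($phpSelf, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form name="test" action="' . $escaped . '" method="post">';
}

/**
 * A single, well-formed form tag contains exactly one '<'. Any further '<'
 * means the attribute value was broken out of and extra markup was injected.
 */
function tag_has_injected_markup(string $tag): bool
{
    return substr_count($tag, '<') > 1;
}

$unsafe = form_tag_unsafe(SAMPLE_PHP_SELF);
$safe   = form_tag_safe(SAMPLE_PHP_SELF);

echo "unsafe: {$unsafe}\n";
echo "safe:   {$safe}\n";
echo 'injected markup in unsafe tag: ', var_export(tag_has_injected_markup($unsafe), true), "\n";
echo 'injected markup in safe tag:   ', var_export(tag_has_injected_markup($safe), true), "\n";
```

Run it with `php` on the command line. The unsafe line shows the closed form tag followed by a live script element, as in the article; the safe line keeps the whole path inside the attribute as text, and the check reports injected markup only for the unsafe tag.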

NOTE:

Some PHP servers are configured to do this conversion automatically. But you should not take the risk, as many servers still do not. So make it a habit to use the htmlentities() function with PHP_SELF to avoid any possible attacks.
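To tie the form-handling section and the fix together, here is a hardened rewrite of the article's test.php. This is an added example, not the article's own code. It escapes both places where untrusted data reaches the HTML (the action attribute and the echoed name), and it prefers $_SERVER['SCRIPT_NAME'] for the action because, on a standard Apache or PHP-FPM setup (an assumption), SCRIPT_NAME holds the script path without the appended PATH_INFO suffix that makes PHP_SELF injectable; the value is escaped regardless.

```php
<?php
// Added example (not the article's own code): test.php with output escaping
// applied everywhere user-controlled data is echoed into the page.
// Assumes a standard Apache/PHP-FPM setup that fills $_SERVER['SCRIPT_NAME'].
declare(strict_types=1);

/** Escape a value for HTML text or attribute context (double- or single-quoted). */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Path of this script for the form's action attribute. */
function self_action(): string
{
    // SCRIPT_NAME is the script path without the PATH_INFO part ("/test.php/...")
    // that an attacker appends to the URL; PHP_SELF is kept as a fallback only.
    // Escaping is applied in both cases, so the value can never close the attribute.
    $path = $_SERVER['SCRIPT_NAME'] ?? $_SERVER['PHP_SELF'] ?? '';
    return e($path);
}

$submittedName = null;
// Treat the request as a submission only when it is a POST carrying our button.
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST' && isset($_POST['submit'])) {
    $submittedName = trim((string) ($_POST['name'] ?? ''));
}
?>
<!DOCTYPE html>
<html>
<head><title>Using PHP_SELF</title></head>
<body>
<?php if ($submittedName !== null): ?>
  <p>User has submitted the form and entered this name: <b><?php echo e($submittedName); ?></b></p>
  <p>You can use the following form again to enter a new name.</p>
<?php endif; ?>
<form name="form1" method="post" action="<?php echo self_action(); ?>">
  Enter Your Name: <input type="text" name="name"><br>
  <input type="submit" name="submit" value="Submit Form"><br>
</form>
</body>
</html>
```

Requesting this file with the article's malicious URL renders the action attribute as a harmless path, and a submitted name such as `<b>x</b>` is displayed literally instead of being interpreted as markup.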



  Copyright © 2008 html-form-guide.com . All rights reserved.