header location: $_SERVER["PHP_SELF"] security vulnerability
I thought I would share this section of code I found in the Zend Framework. It truncates PHP_SELF at the first embedded new line in order to prevent unwanted code being inserted into the headers.
// Carefully construct this value to avoid application security problems.
// Cut PHP_SELF at the first CR or LF so an embedded line break cannot start a
// new header line, then HTML-escape the remainder before using it.
$php_self = htmlentities(substr($_SERVER['PHP_SELF'], 0, strcspn($_SERVER['PHP_SELF'], "\n\r")), ENT_QUOTES);
header('Location: ' . $php_self);
The long and short of it is that if you include ANY unfiltered, unclean variables when you construct your header, you’ve opened a security hole.
Cleaning user supplied variables is part of the basics. I just haven't been all that careful with the use of PHP_SELF before now.
To quote the Zend Documentation "The treatment of the $php_self variable in the example above is a general security guideline [..] You should always filter content you output to http headers."
Just thought I would share…
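To show the filter on its own, here is an added example (mine, not from the original post or from the Zend Framework) that wraps the same strcspn() truncation in a small helper and runs it over a few constructed inputs with embedded line breaks. The function names header_safe() and contains_crlf() and the sample values are assumptions for the illustration.

```php
<?php
// Added example, not part of the original post or of Zend Framework code.
// Demonstrates the CR/LF truncation that stops header injection, and a
// check a server can use to log that an injection was attempted.

// Return $value cut off at the first "\r" or "\n". Anything after a raw line
// break would otherwise be emitted as a new header line (response splitting).
function header_safe(string $value): string
{
    return substr($value, 0, strcspn($value, "\r\n"));
}

// True when $value carries a CR or LF, i.e. when header_safe() would alter it.
// Useful as a detection signal: a legitimate request path never contains one.
function contains_crlf(string $value): bool
{
    return strcspn($value, "\r\n") !== strlen($value);
}

// Constructed sample inputs standing in for what $_SERVER['PHP_SELF'] may carry
// (path info is decoded by the web server, so a raw line break can arrive).
$samples = [
    "/index.php",
    "/index.php/page",
    "/index.php\r\nX-Injected: 1",      // CRLF followed by a forged header
    "/index.php\nX-Injected: 1",        // bare LF is enough on many servers
];

foreach ($samples as $raw) {
    $clean = header_safe($raw);
    // addcslashes() renders the control characters visibly in the output.
    printf("%-40s -> %s%s\n",
        addcslashes($raw, "\r\n"),
        $clean,
        contains_crlf($raw) ? "   [line break removed; log this request]" : "");
}

// $clean is the value to hand to header('Location: ' . $clean). The call is
// omitted here so the script runs from the command line without a web server.
```

Note on the snippet from the post: the strcspn()/substr() truncation is the part that closes the header-injection hole; htmlentities() is HTML escaping and only matters if the same value is also echoed into the page body. Current PHP versions additionally refuse a header() value containing a newline, but filtering first still produces a correct redirect rather than a dropped header, and the contains_crlf() check gives you something to alert on.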
Hello. I'm really zero-level in the knowledge of coding... I don't even understand what tags in the coding system mean. So when seeing this thing I get excited to know. Please tell me what this code is for? Anybody willing to help me with this must be worth appreciation... thanks