Reputation: 21
Well, I'm starting to learn PHP. In a tutorial, the author cites the action="<?php echo $_SERVER["PHP_SELF"];?>"
Well, for me, it's the same thing as writing: action=""
and less dangerous.
1 - Isn't it?
And I can easily see that if the user adds something like this to the address bar: %22%3E%3Cscript%3Ealert('showing a msg on the website')%3C/script%3E
he will close the <form>
and will add a JS alert to the source...
But the only person who will see this is himself
2 - Or not?
How can the person show this message to all visitors?
Thank you!
Upvotes: 1
Views: 99
Reputation: 24406
Answering your first question, action=""
is preferred over action="<?=$_SERVER['PHP_SELF']?>"
- it's basically the same thing, and actions will default to self if not specified. That's standard practice.
Your second question, it really depends what you're doing with the query string. If you are using something like an ID or a page name, firstly you will (of course) be escaping and decoding your URL variables using functions like urldecode(), strip_tags() etc., so you shouldn't have to worry about that.
On the off chance that somebody manages to get past your sanitizing, a script like that will only display on their screen. However, if somebody's worked out that they can get past your sub-par security, they won't just be alerting a message to their screen...
Long and short is:
Cross Site Scripting (XSS) is a topic you should familiarize yourself with. Thankfully PHP has many inbuilt functions that help you on your way to a safe web application. Here are some links for further reading:
Upvotes: 2
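Added example (not part of either post above): what each form-action choice from this thread emits when $_SERVER['PHP_SELF'] carries the address-bar string from the question, with the raw echo beside the htmlspecialchars() and empty-action versions. The script name form.php, the sample value and the helper function names are assumptions made for illustration.

```php
<?php
// Constructed sample: the value PHP places in $_SERVER['PHP_SELF'] when the
// string from the question is appended after the script name. PHP_SELF
// includes the URL-decoded path info, so the encoded quote and angle
// brackets arrive as literal characters. "form.php" is a hypothetical name.
$phpSelf = "/form.php/\"><script>alert('showing a msg on the website')</script>";

// Unsafe: request-derived data is written into the attribute as-is.
function formTagRaw(string $self): string
{
    return '<form method="post" action="' . $self . '">';
}

// Safe: HTML-encode for an attribute context at the point of output.
function formTagEscaped(string $self): string
{
    $encoded = htmlspecialchars($self, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post" action="' . $encoded . '">';
}

// Safe: no request data in the markup; the browser posts back to the current URL.
function formTagEmpty(): string
{
    return '<form method="post" action="">';
}

// True if a literal <script tag survives in the generated markup.
function containsLiveScriptTag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

$variants = [
    'raw PHP_SELF'     => formTagRaw($phpSelf),
    'htmlspecialchars' => formTagEscaped($phpSelf),
    'empty action'     => formTagEmpty(),
];

foreach ($variants as $label => $html) {
    printf("%-17s %s\n", $label . ':', $html);
    printf("%-17s live <script> tag: %s\n\n", '', containsLiveScriptTag($html) ? 'yes' : 'no');
}
```

Run with the PHP CLI; only the raw variant reports a live script tag, because htmlspecialchars() turns the quote and angle brackets into entities that stay inside the attribute value.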