3

PHP_SELF opens up a page to XSS attacks when code such as echo $_SERVER['PHP_SELF'] is included, but what about SCRIPT_NAME? Since it does not include path info, is this safe to use? I know you can use htmlentities and other similar functions to sanitize but I'd rather avoid the extra function call.

I'm quite sure that it would be safe to use but I'd like the reassurance of the SO community :)

1 Answer

2

As good practice, you should always protect against any variables from $_SERVER, $_GET, $_POST etc.

$str = filter_var($input, FILTER_SANITIZE_STRING); // strips tags from $input (FILTER_SANITIZE_STRING is deprecated as of PHP 8.1)

This is a simple way to sanitize a string; alternatively you can use htmlentities. I create a class that I use when returning any variables from $_SERVER, $_GET and $_POST.
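As an added example (not code from the question or the answer above), a PHP helper that builds a form action from SCRIPT_NAME and still passes it through htmlspecialchars; the $sample array holds constructed values, not output captured from a real server.

```php
<?php
// Added example: escape any $_SERVER-derived value before echoing it into
// HTML, whether it comes from PHP_SELF or SCRIPT_NAME. The helper names
// below are assumptions for this example, not part of PHP or the answer.

/**
 * Return a copy of $value that is safe inside an HTML attribute or text node.
 */
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Build a form action attribute from the current script path.
 * SCRIPT_NAME does not carry PATH_INFO, but the value is escaped anyway:
 * what ends up in $_SERVER is decided by the web server configuration,
 * and escaping on output costs nothing compared with an XSS finding.
 */
function form_action(array $server): string
{
    $path = $server['SCRIPT_NAME'] ?? '/';
    return 'action="' . html_escape($path) . '"';
}

// Constructed sample values illustrating what the two variables contain
// for a request to /index.php/"><b>injected</b> (PATH_INFO after the script).
$sample = [
    'SCRIPT_NAME' => '/index.php',
    'PHP_SELF'    => '/index.php/"><b>injected</b>',
];

// Safe form action built from SCRIPT_NAME.
echo form_action($sample), PHP_EOL;

// Even the PATH_INFO-bearing PHP_SELF becomes inert markup once escaped.
echo html_escape($sample['PHP_SELF']), PHP_EOL;
```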
