[PHP] $_SERVER['PHP_SELF'] Validation

[Xiao]

First: why would I want to validate PHP_SELF?

It's a server side value, so how could it be a security issue?
Wrong! It can be altered by the user for XSS (Cross Side Scripting).
A lot of people don't know this and would use this for example:

PHP Code:

<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
  <!-- My Form -->
</form> 


An experienced hacker could abuse that and could enter this for example:
http://www.yoursite.com/form.php/%22%3E%3Cscript%3Ealert(’XSS attack!’)%3C/script%3E%3Cbr

In your script, that would like this:

PHP Code:

<form method="post" action="http://www.mysite.com/form.php/">
<script>alert('XSS attack!')</script><br>
  <!-- My Form -->
</form> 


Ofcourse, this example is harmless, but I'm sure you can think of many ways a hacker could use more harmfull input.

What can I do about it?

There are quite some articles about this on the internet, but they rarely give a solution, or say how you can validate PHP_SELF.
Well, here's a way:

PHP Code:

//Get the name of the file (form.php)
$phpself = basename(__FILE__);
//Get everything from start of PHP_SELF to where $phpself begins
//Cut that part out, and place $phpself after it
$_SERVER['PHP_SELF'] = substr($_SERVER['PHP_SELF'], 0, strpos($_SERVER['PHP_SELF'],
$phpself)) . $phpself;
//You've got a clean PHP_SELF again (y)