php 5.2.4 & 5.2.5 PHP_SELF wrong??

marc2003 · 16 Nov 2007 at 12:25

anybody running either of these, can you check the value of

$_SERVER['PHP_SELF']

on my server at home, it's duplicating the page so instead of

/blah.php

it's showing

/blah.php/blah.php

:confused:

gone back to 5.2.3 and it's fine - i even tried the default php.ini in case it was a problem with me copying my old one - it's still not right?????

(windows version btw)

Dj_Jestar · 16 Nov 2007 at 12:29

It's worth noting that PHP_SELF is dangerous to use, anyway. It can be tainted by the user.

Markus123 · 16 Nov 2007 at 12:30

Yeah, it's a known bug but has supposedly been fixed now:

http://bugs.php.net/bug.php?id=42523

Moredhel · 16 Nov 2007 at 12:39

Dj_Jestar said:
It's worth noting that PHP_SELF is dangerous to use, anyway. It can be tainted by the user.

It's fine if you treat it like any user supplied value, encode it before outputting and escape it before inserting it into a database.

marc2003 · 16 Nov 2007 at 12:46

Dj_Jestar said:
It's worth noting that PHP_SELF is dangerous to use, anyway. It can be tainted by the user.

i'm only using it to build a tabbed menu. i have an array of all pages which i loop through and if the current value matches PHP_SELF, the output is slightly different. hopefully i don't have anything to worry about.

Markus123 said:
Yeah, it's a known bug but has supposedly been fixed now:

http://bugs.php.net/bug.php?id=42523

thanks for that. but it does say 5.2.4 - i would have thought 5.2.5 would be fixed??? :confused:

thanks for the replies everyone.

Dj_Jestar · 16 Nov 2007 at 12:49

Moredhel said:
It's fine if you treat it like any user supplied value, encode it before outputting and escape it before inserting it into a database.

Unfortunately it can still be difficult to handle. Easier to just substr the docroot from the path of the current file, or just use script_path.

marc2003 · 16 Nov 2007 at 13:25

marc2003 said:
i would have thought 5.2.5 would be fixed???

my mistake - it is fixed. i had to change a setting on my webserver.

i use abyss webserver and this is what they say - apparently it's php's fault....

The PHP developers have confirmed that starting 5.2.4, they are fully conforming to the CGI specification. So there is no more need to use the "PHP Style" type which was designed by us as a workaround to make earlier versions of PHP run in a pseudo-CGI conformant mode.

So from now on, PHP on Abyss Web Server will use the "Standard" type.