Web Hosting Talk : Web Hosting Main Forums : Programming Discussion : Difference between 2 Secure form codes?
Difference between 2 Secure form codes?

#1
12-13-2009, 08:22 AM
ryan14
Web Hosting Guru
Join Date: Mar 2006
Posts: 264

Difference between 2 Secure form codes?


I have a php form and each of these codes work for the action part of the form:

action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']) ?>"

<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']);?>"

The difference is at the Start of the form and near the end of the form. Both codes allow me to submit the form.

Which is correct and more secure?

P.S
The htmlspecialchars is meant to protect me from some kind of XSS attack.

#2
12-13-2009, 08:57 AM
Btcc22
Junior Guru
Join Date: Sep 2008
Posts: 191
The first isn't valid HTML and the PHP isn't finished with a semicolon, strictly speaking.

Go with the second, although I should point out that htmlspecialchars isn't complete protection.


Last edited by Btcc22; 12-13-2009 at 09:00 AM.
#3
12-13-2009, 01:27 PM
TonyB
Corporate Member
Join Date: Aug 2004
Location: Canada
Posts: 3,312
I don't believe it matters where you put the <form action="..."> portion. You could do <form method="post" action="..."> or <form action="..." method="post">


Also, by the way, I don't believe the htmlspecialchars is necessary for PHP_SELF. That's populated by PHP; it's where the script execution came from previously. I'd compare that to doing it on $_SERVER[SERVER_NAME], which is just the server name. Unless I'm mistaken.

__________________
Tony B. - Chief Executive Officer
Hawk Host Inc. Proudly serving websites since 2004
Quality Shared and VPS Hosting
PHP 5.3.x & PHP 5.4.x & PHP 5.5.X Support!

#4
12-13-2009, 09:14 PM
ryan14
Web Hosting Guru
Join Date: Mar 2006
Posts: 264
Ok, can someone tell me if this form is valid PHP and valid HTML and secure:

Quote:
<form id="form1" name="form1" method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']) ?>"
<table>
<tr>
<td>User : </td>
<td><input name="username" type="text" id="username" /></td>
</tr>
<tr>
<td>Password : </td>
<td><input name="password" type="password" id="password" /></td>
</tr>
</table>
<input name="Login" type="submit" id="Login" value="Login" />
</form>
If it's not, can you improve it for me and tell me what changes you made?

#5
12-13-2009, 09:22 PM
Btcc22
Junior Guru
Join Date: Sep 2008
Posts: 191
Hi,

As I said in my previous post, htmlspecialchars won't fully cover you, but I guess it's a moot point since as TonyB pointed out, there isn't really any reason to be using it on PHP_SELF since it's not user input.

The form will work fine though, yes.

#6
12-14-2009, 12:55 PM
mattle
Web Hosting Master
Join Date: May 2009
Posts: 766
Quote:
Originally Posted by Btcc22 View Post
htmlspecialchars won't fully cover you
Against what, exactly? That's the second time you've mentioned this, but you've never stated what you feel is the deficiency in the htmlspecialchars() function...

@ryan14

Quote:
Originally Posted by ryan14
<form id="form1" name="form1" method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']) ?>"
Check it out...you're missing the closing '>' for your form tag.
PHP Code:
<form id="form1" name="form1" method="post"
      action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']) ?>">

#7
12-14-2009, 03:59 PM
Btcc22
Junior Guru
Join Date: Sep 2008
Posts: 191
Quote:
Originally Posted by mattle View Post
Against what, exactly? That's the second time you've mentioned this, but you've never stated what you feel is the deficiency in the htmlspecialchars() function...
I was pointing out that htmlspecialchars() isn't a foolproof way of protecting against (UTF-7) XSS attacks, since he mentioned them. I don't know anything about his charset though.


Last edited by Btcc22; 12-14-2009 at 04:03 PM.
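As an added example (not code from the thread or from any of its posters), the form from post #4 rendered by a small PHP script: it has the closing '>' that post #6 pointed out, escapes the action attribute with htmlspecialchars() using ENT_QUOTES and an explicit UTF-8 charset, and sends a Content-Type header declaring that charset, which is the standard answer to the UTF-7 concern in post #7 (a browser only resorts to guessing the encoding when none is declared). Escaping PHP_SELF is worthwhile even though PHP populates it: the value is the script path plus any extra path-info segment taken from the request URL, so it is not purely server-generated. The function names attr() and renderLoginForm(), and the sample path used in the command-line self-check, are constructed for this example.

```php
<?php
// Added example, not code from the thread: render the login form with the
// action attribute escaped and the page charset declared explicitly.

declare(strict_types=1);

// Escape a value for use inside a double-quoted HTML attribute.
// ENT_QUOTES covers both ' and "; the explicit charset tells htmlspecialchars
// how to interpret the bytes instead of relying on a default that has changed
// between PHP versions. ENT_SUBSTITUTE replaces invalid byte sequences rather
// than returning an empty string.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build the form markup. $self is passed in (rather than read from $_SERVER
// inside the function) so the function can be exercised with constructed values.
function renderLoginForm(string $self): string
{
    $action = attr($self);
    return <<<HTML
<form id="form1" name="form1" method="post" action="{$action}">
<table>
<tr>
<td>User : </td>
<td><input name="username" type="text" id="username" /></td>
</tr>
<tr>
<td>Password : </td>
<td><input name="password" type="password" id="password" /></td>
</tr>
</table>
<input name="Login" type="submit" id="Login" value="Login" />
</form>
HTML;
}

if (PHP_SAPI === 'cli') {
    // Constructed value standing in for $_SERVER['PHP_SELF']. PHP_SELF is the
    // script path plus any extra path info from the request URL, so quotes and
    // angle brackets can legitimately end up in it; this is why it is escaped.
    $constructedSelf = '/login.php/extra"path<with>chars';
    $html = renderLoginForm($constructedSelf);
    // The attribute stays one opaque string: no raw quote or bracket survives.
    assert(strpos($html, 'extra"path') === false);
    assert(strpos($html, 'extra&quot;path&lt;with&gt;chars') !== false);
    echo $html, PHP_EOL;
} else {
    // Declare the encoding before any output; the meta tag repeats it in the
    // document so the charset is fixed even if the page is saved and reopened.
    header('Content-Type: text/html; charset=UTF-8');
    echo '<!DOCTYPE html><html><head><meta charset="utf-8">',
         '<title>Login</title></head><body>';
    echo renderLoginForm($_SERVER['PHP_SELF']);
    echo '</body></html>';
}
```

Run it from the command line to see the escaped output and the self-check, or serve it to see the header in effect. If the form only ever posts back to the same script, $_SERVER['SCRIPT_NAME'] carries the script path without the extra path-info segment and is the narrower value to echo (this alternative is not from the thread); it should still go through attr() like any other value placed in an attribute.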
#8
12-15-2009, 09:40 AM
mattle
Web Hosting Master
Join Date: May 2009
Posts: 766
Quote:
Originally Posted by Btcc22 View Post
I was pointing out that htmlspecialchars() isn't a fool proof way of protecting against (UTF 7) XSS attacks, since he mentioned them. I don't know anything about his charset though.
Gotcha...overlooked the OP's postscript initially...
