PHP Built-In Variables – PHP_SELF

The book I’m using to learn PHP is old… © 2001. It’s using commands from PHP 4.0.3.

Thus, I’m finding some of the commands and examples in the book do not work, because the command format has changed or some commands are already “deprecated.”

Example: The book says $PHP_SELF is a built-in variable, but it just causes an error on my test page.

The new format is now $_SERVER["PHP_SELF"]

Okay, thanks to Google, I now see that this variable can be dangerous if you use it as-is as the action of a form, or if you echo its contents.

If a user entered in his browser http://yourdomain.com/actionform.php/%22%3E%3Cscript%3Ealert('hacked!')%3C/script%3E%3Cfoo%22

Then it’s possible for the hacker to execute scripts on your webpage. NASTY.

The URL needs to be “cleaned.” One way to do this is use the PHP function htmlentities().

So our form will now be
<form name="test" action="<?php echo htmlentities($_SERVER['PHP_SELF']); ?>" method="post">
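To see what the escaping actually changes, here is an added example (my own code, not from the book) that builds the form tag both ways from the PHP_SELF value the request above would produce. The value of $phpSelf is constructed by hand to match that URL after the web server has URL-decoded the path; the ENT_QUOTES flag is my choice so that single quotes are covered too, in case the attribute is ever single-quoted.

```php
<?php
// Added example (not from the original post): shows how the extra path on the
// URL ends up inside $_SERVER['PHP_SELF'], and what htmlentities() does to it.

// Constructed value: what PHP_SELF contains for the request
// http://yourdomain.com/actionform.php/%22%3E%3Cscript%3Ealert('hacked!')%3C/script%3E%3Cfoo%22
// (the web server URL-decodes the path before PHP sees it).
$phpSelf = '/actionform.php/"><script>alert(\'hacked!\')</script><foo"';

// Vulnerable: the value is dropped into the attribute unchanged, so the
// first " closes action="..." and the rest is parsed by the browser as markup.
function unsafeFormTag(string $phpSelf): string
{
    return '<form name="test" action="' . $phpSelf . '" method="post">';
}

// Hardened: every <, >, " and (with ENT_QUOTES) ' becomes an HTML entity, so
// the browser keeps the whole value as plain text inside the attribute.
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function safeFormTag(string $phpSelf): string
{
    $action = htmlentities($phpSelf, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form name="test" action="' . $action . '" method="post">';
}

echo "Unsafe:\n", unsafeFormTag($phpSelf), "\n\n";
echo "Safe:\n", safeFormTag($phpSelf), "\n";
```

Run it from the command line with `php` and compare the two lines: in the safe version the action value stays one long string and no `<script>` tag survives.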

I’m going to skip the book section about built-in variables because it’s just too deprecated. I need to buy a new book, or just consult PHP.NET for the correct and latest command format.
