PHP Form - Undefined constant ’PHP_SELF’

Asked 13/2, 2012 at 14:50 Answered 13/2, 2012 at 14:58

I have a contact form, it works fine when hosted on my server, but when I uploaded it to my clients server I ran into problems. Please check out the page here: http://www.conceptonegfx.com/contact.php

I get the following errors at the top of the form

Notice: Use of undefined constant ’PHP_SELF’ - assumed '’PHP_SELF’' in E:\Domains\c\conceptonegfx.com\user\htdocs\fns.php on line 42

Notice: Undefined index: ’PHP_SELF’ in E:\Domains\c\conceptonegfx.com\user\htdocs\fns.php on line 42" id="uploadform" enctype="multipart/form-data">

Here are the problem lines on fns.php:

 <?php
//start session
 if(!isset($_SESSION)) 
 { 
 session_start(); 
 }  


  // prints form
   function print_form(){
   ?>


<form method="post" class="action="<?php echo $_SERVER[’PHP_SELF’];?>" id="uploadform" enctype="multipart/form-data">
<p><label for="namefrom">Name <span class="required">*</span></label>
<input name="namefrom" id="namefrom" type="text" class="field" value="<?= $_SESSION['myForm']['namefrom']; ?>" tabindex="1"/></p>

<p><label for="emailfrom">Email <span class="required">*</span></label>
<input name="emailfrom" id="emailfrom" type="text" class="field" value="<?= $_SESSION['myForm']['emailfrom']; ?>" tabindex="3"/></p>

<p><label for="phone">Phone</label>
<input name="phone" id="phone" type="text" class="field" value="<?= $_SESSION['myForm']['phone']; ?>" tabindex="4"/></p>

<p><label for="message">Message <span class="required">*</span></label>
<textarea name="comments" id="comments" rows="10" cols="35" align="left" class="field" tabindex="6"><?= $_SESSION['myForm']['comments']; ?></textarea></p>

<p><label for="attachment">File Upload<br /></label>
<input name="attachment" id="attachment" type="file" tabindex="7">

<p><input align="left" type="submit" name="submit" id="submit" value="Send Email"  tabindex="8"/></p>
<p><input type="hidden" name="submitted"  value="true" /></p>
</form>

Carew answered 13/2, 2012 at 14:50 Comment(0)

Not sure if this is the problem or a copy paste thing but:

’PHP_SELF’

should really be

'PHP_SELF'

Have a look at the manual

Edit from rdlowrey's post: You shouldn't use the $_SERVER['PHP_SELF'] as it's not very secure. Simply leave the action attribute empty like this: action="". An empty action will cause the form to POST to the address where it originated (same as using PHP_SELF, but without the security disadvantages).

Clairvoyance answered 13/2, 2012 at 14:52 Comment(1)

Credit not necessary, just correctness. Downvote rescinded, upvote given. Everybody misses stuff (me for sure). What's important is editing your answer if someone finds something you left out or got wrong. – Jew 13/2, 2012 at 19:19

You have a couple of issues that no one else has mentioned. In full, your problems are:

First, you shouldn't use the $_SERVER['PHP_SELF'] as it's not very secure.
Second, you're using backticks instead of single quotes: $_SERVER[’PHP_SELF’] should be $_SERVER['PHP_SELF']
Third, your HTML is broken.

Consider the code you've specified:

class="action="<?php echo $_SERVER[’PHP_SELF’];?>" id="uploadform"

This specifies your form's class attribute as action= and leaves a random php snippet followed by an orphaned double quote character before the id attribute.

The correct <form> specification should be:

<form method="post" action="" id="uploadform" enctype="multipart/form-data">

UPDATE

As requested, here's some further explication of why $_SERVER['PHP_SELF'] is vulnerable to XSS attacks ...

First, understand that $_SERVER['PHP_SELF'] can be manipulated by the user. You might ask how this is possible. After all, for a script located at /mypage.php, shouldn't $_SERVER['PHP_SELF'] always equal /mypage.php?

Not necessarily.

Apache (and perhaps other servers I don't have experience with) utilize a lookback feature with URLs that allows it to look "backwards" down the URL for file matches if the full URL doesn't match a specific resource. For example, the following address will find a match in the mypage.php file if mypage.php is an actual readable file in the webroot and not the name of a directory:

http://domain.com/mypage.php/pretty-url <<--- apache serves up /mypage.php

At this point you may be thinking, "that's nice but how is that vulnerable to XSS?"

I'm glad you asked. Consider the following scenario:

You have a form at /mypage.php that uses $_SERVER['PHP_SELF'] in its action attribute.
A malicious user decides to put the following in her address bar:

http://domain.com/mypage.php/%22%3E%3Cscript%3Ealert('pwned')%3C/script%3E

Suddenly, the html you specified as:

<form action="<?php echo $_SERVER['PHP_SELF']; ?>">

Now renders like this:

<form action="/mypage.php/"><script>alert('pwned')</script>

This is a fairly innocuous example because all it does is popup an alert that says "pwned." However, a nefarious person could use javascript code like this to do much nastier things.

You could avoid this particular problem by using htmlentities on your $_SERVER['PHP_SELF'] variable, however, IMHO it's best just to avoid it altogether in this scenario.

Jew answered 13/2, 2012 at 14:58 Comment(2)

Could you explain a bit more about the problem with PHP_SELF? – Kirkkirkcaldy 18/2, 2012 at 22:59

@Kirkkirkcaldy Added an explanation as per your comment's request – Jew 19/2, 2012 at 1:21

-2

You seem to have copy-pasted the code.

Fix the ''. Notice you hve used ’ instead of '

Change $_SERVER[’PHP_SELF’] to $_SERVER['PHP_SELF']

Supertanker answered 13/2, 2012 at 14:53 Comment(1)

-1 $_SERVER['PHP_SELF'] is vulnerable to XSS attack. This should be mentioned. – Jew 13/2, 2012 at 15:10

Recommended topics

Hot tags