Php Form - Undefined Constant ’php_self’

I have a contact form, it works fine when hosted on my server, but when I uploaded it to my clients server I ran into problems. Please check out the page here: http://www.concepton

Solution 1:

Not sure if this is the problem or a copy paste thing but:

’PHP_SELF’

should really be

'PHP_SELF'

Have a look at the manual

Edit from rdlowrey's post: You shouldn't use the $_SERVER['PHP_SELF'] as it's not very secure. Simply leave the action attribute empty like this: action="". An empty action will cause the form to POST to the address where it originated (same as using PHP_SELF, but without the security disadvantages).

Solution 2:

You have a couple of issues that no one else has mentioned. In full, your problems are:

• First, you shouldn't use the $_SERVER['PHP_SELF'] as it's not very secure.
• Second, you're using backticks instead of single quotes: $_SERVER[’PHP_SELF’] should be $_SERVER['PHP_SELF']
• Third, your HTML is broken.

---

Consider the code you've specified:

class="action="<?phpecho$_SERVER[’PHP_SELF’];?>" id="uploadform"

This specifies your form's class attribute as action= and leaves a random php snippet followed by an orphaned double quote character before the id attribute.

The correct <form> specification should be:

<form method="post" action=""id="uploadform" enctype="multipart/form-data">

---

UPDATE

As requested, here's some further explication of why $_SERVER['PHP_SELF'] is vulnerable to XSS attacks ...

First, understand that $_SERVER['PHP_SELF'] can be manipulated by the user. You might ask how this is possible. After all, for a script located at /mypage.php, shouldn't $_SERVER['PHP_SELF'] always equal /mypage.php?

Not necessarily.

Apache (and perhaps other servers I don't have experience with) utilize a lookback feature with URLs that allows it to look "backwards" down the URL for file matches if the full URL doesn't match a specific resource. For example, the following address will find a match in the mypage.php file if mypage.php is an actual readable file in the webroot and not the name of a directory:

http://domain.com/mypage.php/pretty-url <<--- apache serves up /mypage.php

At this point you may be thinking, "that's nice but how is that vulnerable to XSS?"

I'm glad you asked. Consider the following scenario:

1. You have a form at /mypage.php that uses $_SERVER['PHP_SELF'] in its action attribute.
2. A malicious user decides to put the following in her address bar:

http://domain.com/mypage.php/%22%3E%3Cscript%3Ealert('pwned')%3C/script%3E

Suddenly, the html you specified as:

<formaction="<?phpecho$_SERVER['PHP_SELF']; ?>">

Now renders like this:

<formaction="/mypage.php/"><script>alert('pwned')</script>

This is a fairly innocuous example because all it does is popup an alert that says "pwned." However, a nefarious person could use javascript code like this to do much nastier things.

You could avoid this particular problem by using htmlentities on your $_SERVER['PHP_SELF'] variable, however, IMHO it's best just to avoid it altogether in this scenario.

Solution 3:

You seem to have copy-pasted the code.

Fix the ''. Notice you hve used ’ instead of '

Change $_SERVER[’PHP_SELF’] to $_SERVER['PHP_SELF']