$_SERVER['PHP_SELF'] is an element of the $_SERVER superglobal in PHP, as we probably all know, and
superglobals can be nasty beasts: they can haunt us if we do not know
exactly what they contain. While many readers certainly know what the issues
can be, I thought it would be a good reference to write a tiny snippet
about it. The problem with this value is obvious: it exposes the
full script path and echoes back everything a user appends to the
URI as path info. So it is possible to execute XSS with it, and
other malicious stuff.
Like:
http://www.site.com/page.php<script>alert('smack!');</script>
This becomes dangerous with forms:
<form action="<?=$_SERVER['PHP_SELF'];?>" method="POST">
On Apache, an .htaccess entry can stop the path-info abuse; put this line in it:
AcceptPathInfo Off
But it would be much better to handle this in your code yourself:
<form action="<?=htmlspecialchars($_SERVER['PHP_SELF']);?>" method="POST">
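As an added example (not from the original post), the following PHP CLI script puts the vulnerable and the escaped form tag side by side. The PHP_SELF value is constructed to look like a request for /page.php that carries attacker-controlled path info; the function names and the third SCRIPT_NAME variant are mine, not the author's:

```php
<?php
// Added example, not from the original post: why the raw PHP_SELF form
// action is an XSS sink and how the escaped form neutralises it.
// Run from the CLI: php php_self_demo.php

// Constructed sample: what PHP_SELF contains when a request for
// /page.php carries user-supplied PATH_INFO (AcceptPathInfo on).
$_SERVER['PHP_SELF']    = '/page.php/"><script>alert(\'smack!\');</script>';
$_SERVER['SCRIPT_NAME'] = '/page.php'; // SCRIPT_NAME never includes PATH_INFO

// Vulnerable: the value is written straight into an HTML attribute,
// so the closing quote in the path info ends the attribute early.
function formActionRaw(): string
{
    return '<form action="' . $_SERVER['PHP_SELF'] . '" method="POST">';
}

// Hardened: every HTML metacharacter is entity-encoded, so the attribute
// cannot be closed early and no tag survives in the output.
function formActionEscaped(): string
{
    $action = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form action="' . $action . '" method="POST">';
}

// Alternative (my addition): post back to the script path only, which
// drops PATH_INFO entirely. Still escaped, out of habit.
function formActionScriptName(): string
{
    $action = htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form action="' . $action . '" method="POST">';
}

// Check a test suite could run: the rendered tag must contain no markup
// other than the form tag itself.
function isInert(string $html): bool
{
    return preg_match('/<(?!form\b)/i', $html) === 0;
}

echo "raw:         ", formActionRaw(), PHP_EOL;
echo "escaped:     ", formActionEscaped(), PHP_EOL;
echo "script_name: ", formActionScriptName(), PHP_EOL;
echo PHP_EOL;
echo "raw inert?         ", isInert(formActionRaw()) ? 'yes' : 'no', PHP_EOL;      // no
echo "escaped inert?     ", isInert(formActionEscaped()) ? 'yes' : 'no', PHP_EOL;  // yes
echo "script_name inert? ", isInert(formActionScriptName()) ? 'yes' : 'no', PHP_EOL; // yes
```

The escaped variant keeps the browser posting back to the same URI, path info included, which is usually what the author wants; the SCRIPT_NAME variant is the choice when the script does not use path info at all, because then there is nothing user-controlled left to reflect.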
If you want to see what's inside $GLOBALS, try this:
var_dump($GLOBALS);