$_SERVER['SCRIPT_NAME']

SCRIPT_NAME solves all the problems mentioned in this thread              
 - it's just the script name, without any extra garbage                  
that might be tacked on by the user. PHP_SELF explicitly includes that           
extra garbage, so solutions in this thread that involve stripping the 
garbage off of PHP_SELF to make it safe are really, really missing the 
point - just use SCRIPT_NAME instead. Please don't use FORM ACTION=”"; 
according to the spec, what the browser does with that is undefined, so 
even if it works in current browsers, it might not work in future ones


SCRIPT_NAME解决本文提到的所有问题,它就是脚本的名字,没有其他额外的垃圾信息(这些垃圾信息可以能被用户提取)

PHP_SELF却显式的包含了这些信息

因此本文中涉及到剥离PHP_SELF这些信息以保安全的解决方法是非常非常····

用SCRIPT_NAME就是了。

别用<form action=''>

通过说明文档,浏览器遇到这种情况该怎样做是没有说明的,即使在本机浏览器上成功了,但也许不能在另一个浏览器中工作

转自:http://www.nyphp.org/list/talk-15339-serverphpself-not-working

posted @ 2012-03-08 15:05  myD  阅读(3097)  评论(0编辑  收藏  举报