Don't trust PHP_SELF

Sean Coates points out why $_SERVER[“PHP_SELF”] must be considered unsafe. You should never use it without at least converting it to entities:

print htmlentities($_SERVER['PHP_SELF']);

This offers me the chance to again repeat one of my mantras: Create a function for everything, at least when reading values from somewhere, even for something simple like retrieving the value of PHP_SELF. The reason is maintenance: If you haven’t previously validated the value of PHP_SELF there will be only one place to change, instead of checking all your code.

Here’s my implementation:

 * Static returns the recent URL.
 * @param Boolean Indicated if query string (?...) should be included or not
 * @returns String
function recentURL($includeParams) {
  $http = "";
  if ($includeParams)
    $http = $_SERVER["REQUEST_URI"];
  } else {
    $http = $_SERVER["PHP_SELF"];      
  return toSafeURL($http);
 * Static. Processes an URL to strip of possible injection code 
 * @param String The URL to process 
 * @return String The cleaned URL
function toSafeURL($url) {
  return htmlentities(strip_tags($url));

Published: January 11 2006