All HTTP headers sent to the script are made available through the $_SERVER array, with names prefixed by 'HTTP_'.
3. If login.php/nearly_arbitrary_string is requested, $_SERVER['PHP_SELF'] will contain not just login.php, but the entire login.php/nearly_arbitrary_string.
If you've printed $_SERVER['PHP_SELF'] as the value of the action attribute of your form tag without performing HTML encoding, an attacker can perform XSS attacks by offering users a specially crafted link to your site; the injected markup can redirect the form tag to an external file, with the submitted username and password as parameters.
Use $_SERVER['SCRIPT_NAME'] instead of $_SERVER['PHP_SELF']. HTML-encode every string sent to the browser that should not be interpreted as HTML, unless you are absolutely certain that it cannot contain anything that the browser can interpret as HTML.
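Added example (not from the manual or any of its contributors): the vulnerable PHP_SELF pattern beside the hardened SCRIPT_NAME plus htmlspecialchars() form, run against a constructed $_SERVER-style array with assumed values so it works offline.

```php
<?php
// Added example: vulnerable vs. hardened form action.
// Assumes $_SERVER['PHP_SELF'] may carry attacker-controlled path info,
// e.g. when /login.php/<anything> is requested.

// VULNERABLE: PHP_SELF is echoed raw, so path info lands unencoded
// inside the action attribute.
function vulnerable_form_action(array $server): string
{
    return '<form method="post" action="' . $server['PHP_SELF'] . '">';
}

// HARDENED: use SCRIPT_NAME (no path info) and HTML-encode before output.
function hardened_form_action(array $server): string
{
    $action = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $action . '">';
}

// Constructed request (assumed values): /login.php followed by a path-info
// suffix containing markup characters. A benign marker stands in for what
// an attacker would supply.
$fakeServer = [
    'SCRIPT_NAME' => '/login.php',
    'PHP_SELF'    => '/login.php/"><b>injected</b><span a="',
];

// The double quote in the path info closes the attribute early, so the
// marker is rendered as live markup on the page.
echo vulnerable_form_action($fakeServer), PHP_EOL;

// SCRIPT_NAME drops the path info entirely, and htmlspecialchars() would
// entity-encode any " < > characters that did get through.
echo hardened_form_action($fakeServer), PHP_EOL;

// Defence in depth: even where PHP_SELF must be used, encoding it turns
// the markup characters into harmless entities.
echo htmlspecialchars($fakeServer['PHP_SELF'], ENT_QUOTES, 'UTF-8'), PHP_EOL;
```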
The entries in this array are created by the web server.
There is no guarantee that every web server will provide any of these; servers may omit some, or provide others not listed here.
That said, a large number of these variables are accounted for in the CGI/1.1 specification, so you should be able to expect those. When the script is run on the command line, the argv entry gives C-style access to the command-line parameters.
This simply means that it is available in all scopes throughout a script.
There is no need to do global $variable; to access it within functions or methods.
/* That will give you the result of each variable like this (if the file is server_ at the root and the Apache web directory is E:\web): */
PHP_SELF            /server_
argv                -
argc                -
GATEWAY_INTERFACE   CGI/1.1
SERVER_ADDR         127.0.0.1
SERVER_NAME         localhost
SERVER_SOFTWARE     Apache/2.2.22 (Win64) PHP/5.3.13
SERVER_PROTOCOL     HTTP/1.1
REQUEST_METHOD      GET
REQUEST_TIME        1361542579
REQUEST_TIME_FLOAT  -
QUERY_STRING
DOCUMENT_ROOT       E:/web/
HTTP_ACCEPT         text/html,application/xhtml+xml,application/xml;q=0.9,*/

1. All elements of the $_SERVER array whose keys begin with 'HTTP_' come from HTTP request headers and are not to be trusted.
2. When called via the GET method, this will contain the query string.
... in order to get the physical (real) port; otherwise, this value can be spoofed and it may or may not return the physical port value. It is not safe to rely on this value in security-dependent contexts.
Note: This is a 'superglobal', or automatic global, variable.