javascript python java c# php android html jquery c++ css ios mysql sql r node.js arrays reactjs c asp.net json ruby-on-rails .net sql-server swift python-3.x objective-c django angular angularjs excel regex pandas ruby iphone ajax linux xml vba asp.net-mvc spring laravel database wordpress typescript string wpf mongodb windows xcode postgresql bash oracle git vb.net amazon-web-services multithreading list firebase flutter eclipse spring-boot dataframe azure react-native algorithm docker macos forms image visual-studio scala powershell function twitter-bootstrap numpy api performance selenium winforms python-2.7 matlab vue.js sqlite apache hibernate entity-framework loops rest shell facebook express android-studio csv linq maven qt swing unit-testing file tensorflow

[ACCEPTED]-How To Identify The Requested Page In PHP-php

Accepted answer
Score: 26

I decided to test it out myself. The $_SERVER['SCRIPT_NAME'] variable 12 serves up the path to the requested file, even 11 if it's an index file, and without get parameters 10 or anything else. The PHP documentation 9 states this contains the path of the file, but 8 it seems to be relative to the document 7 root, just like PHP_SELF, but without the security 6 vulnerability.

Here is the code I used to 5 test this: https://gist.github.com/dimo414/5484870

The output when requesting example.com/?foo=bar:

__FILE__:               /var/www/index.php
PHP_SELF:               /index.php
SCRIPT_NAME:            /index.php
REQUEST_URI:            /?foo=bar
parse_url(REQUEST_URI): /


__FILE__:               /var/www/pathtest.php
PHP_SELF:               /index.php
SCRIPT_NAME:            /index.php
REQUEST_URI:            /?foo=bar
parse_url(REQUEST_URI): /

And 4 the output when requesting example.com/index.php/<strong>XSS</strong>:

__FILE__:               /var/www/index.php
PHP_SELF:               /index.php/XSS # note the XSS exploit (this is bold in browser)
SCRIPT_NAME:            /index.php     # No exploit here
REQUEST_URI:            /index.php/%3Cstrong%3EXSS%3C/strong%3E
parse_url(REQUEST_URI): /index.php/%3Cstrong%3EXSS%3C/strong%3E


__FILE__:               /var/www/pathtest.php
PHP_SELF:               /index.php/XSS
SCRIPT_NAME:            /index.php
REQUEST_URI:            /index.php/%3Cstrong%3EXSS%3C/strong%3E
parse_url(REQUEST_URI): /index.php/%3Cstrong%3EXSS%3C/strong%3E

As you can see, $_SERVER['SCRIPT_NAME'] always 3 gives back the file that originally handled 2 the request, i.e. the file in the URL, without 1 any XSS risks.

Score: 6 
$_SERVER['PHP_SELF']

Should return the actual script. But there 4 are various methods.

I had a better link to a matrix of 3 all the various file-related environment 2 variables but I can't find it. I'll edit 1 if it turns up.

Edit: I found a nice SO thread that details the differences between them.

Score: 2

Go get file name from the requested URL 3 use following code.

basename($_SERVER['URL']);
basename($_SERVER['REQUEST_URI']);
basename($_SERVER['SCRIPT_NAME']);
basename($_SERVER['SCRIPT_FILENAME']);
basename($_SERVER['REQUEST_URI']);
basename($_SERVER['PATH_TRANSLATED']);
basename($_SERVER['PHP_SELF']);

use any one all all of 2 those in the nested if condition so you 1 will not miss file name any how.

Score: 0
  1. parse_url($_SERVER['REQUEST_URI']) and then pathinfo($path) to get requested filename
  2. $_SERVER['PHP_SELF'] to get real filename
  3. $_SERVER['SCRIPT_NAME'] to get real filename

0

Source: stackoverflow.com

More Related questions

How do I install the php_gd2 extension in MAMP on a Mac?

Hidden Features of PHP?

Set up Apache for local development/testing?

Sort Object in PHP

php check for a valid date, weird date conversions

Why is require_once so bad to use?

How do you convert an image to black and white in PHP

PhpMailer vs. SwiftMailer?

How can I find the Largest Common Substring between two strings in PHP?

Create an Array of the Last 30 Days Using PHP