php - I can't inject malicious code through $_SERVER["PHP_SELF"]
I wanted to test PHP vulnerabilities, but I could not get the $_SERVER["PHP_SELF"] exploit to work.
I have appended
/%22%3E%3Cscript%3Ealert('hacked')%3C/script%3E
to the URL, like they do in https://www.w3schools.com/php/php_form_validation.asp, but I don't get an alert message.
I know that JavaScript works since I tested it by running the same command in the HTML body. Could this problem occur because I use PHP 8? Or is there a problem with my syntax so that the program defaults to the same page?
My code:
<form method="post" action="<?php echo $_SERVER['PHP_SELF'];?>">
Username: <Input type="text" name="username">
Password: <Input type="password" name ="password">
<Input type="submit">
</form>
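What the unescaped echo in the form above renders, next to the HTML-escaped version, as an added example that is not part of the original question. The script name `/login.php` and both sample values are constructed; the second is the decoded form of the URL suffix quoted in the question, standing in for `$_SERVER['PHP_SELF']`.

```php
<?php
declare(strict_types=1);

/** Opening form tag with the value echoed as-is (the pattern in the question). */
function formTagRaw(string $self): string
{
    return '<form method="post" action="' . $self . '">';
}

/** Same tag, with the value HTML-escaped for use inside a quoted attribute. */
function formTagEscaped(string $self): string
{
    return '<form method="post" action="'
        . htmlspecialchars($self, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '">';
}

/** True if the value would close the attribute or open a tag when echoed unescaped. */
function breaksOutOfAttribute(string $self): bool
{
    return strpbrk($self, '"<>') !== false;
}

// Constructed stand-ins for $_SERVER['PHP_SELF']; /login.php is a hypothetical script name.
$samples = [
    '/login.php',
    '/login.php/"><script>alert(\'hacked\')</script>',
];

foreach ($samples as $self) {
    printf("PHP_SELF : %s\n", $self);
    printf("breaks   : %s\n", breaksOutOfAttribute($self) ? 'yes' : 'no');
    printf("raw      : %s\n", formTagRaw($self));
    printf("escaped  : %s\n\n", formTagEscaped($self));
}
```

Printing the real `$_SERVER['PHP_SELF']` on the page under test in the same way shows whether the extra path segment reaches PHP at all.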