
$_SERVER['PHP_SELF'] intermittently returning two leading forward slashes

Why would $_SERVER['PHP_SELF'] return a filename in one instance as /test/foo.bar and another instance (executed from the same php script) as //test/foo.bar (with double leading forward slashes)?

form.php sends $_GET to login.php. login.php redirects to

header('Location: test/foo.bar');

foo.bar includes:

$page = filter_var($_SERVER['SCRIPT_NAME'], FILTER_SANITIZE_STRING);

(Additionally, I cannot replicate it on demand. )


I'd guess you're building links in code somewhere (or maybe someone just typed in an extra slash somewhere). You might have some code along these lines:

function buildLink($site, $relPath, $text) {
    return "<a href=\"$site/$relPath\">$text</a>";
}

If $site is passed in with a trailing slash in some cases, you'd end up with the leading double slash when the server name was removed. The same happens if an absolute path was passed in. An extra slash won't affect which page is displayed, but it would still show up in the parsed URL.


The value of $_SERVER['PHP_SELF'] depends on the actual request sent by the client. Apache allows multiple slashes between directory names, so it treats http://example/foo.php the same as http://example//foo.php -- both will call foo.php but the request URI will contain whatever the client requested.

If your script expects only one slash, you will have to manually strip the remaining ones.


You could try using $_SERVER['SCRIPT_NAME']. Take note that PHP_SELF is vulnerable to a few types of attack, so be careful when using it. You have to treat it as if it were user-supplied input.
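
An added example, not part of the original answers: one way to apply the advice above in PHP, collapsing repeated slashes so both forms of the path compare equal, and escaping the value before it is written into HTML. The function names and the sample paths are constructed for illustration.

```php
<?php
// Added example; normalize_script_path() and safe_self_for_html() are
// hypothetical helper names, not part of PHP or of the code in the question.

/**
 * Collapse runs of slashes so "//test/foo.bar" and "/test/foo.bar"
 * become the same string before any comparison or logging.
 */
function normalize_script_path(string $path): string
{
    $collapsed = preg_replace('~/{2,}~', '/', $path);
    // preg_replace() returns null on an engine error; fall back to the root.
    return ($collapsed === null || $collapsed === '') ? '/' : $collapsed;
}

/**
 * Return the path in a form that is safe to place in an HTML attribute.
 * The value is client-influenced, so it is escaped like any other input.
 */
function safe_self_for_html(string $path): string
{
    return htmlspecialchars(
        normalize_script_path($path),
        ENT_QUOTES | ENT_SUBSTITUTE,
        'UTF-8'
    );
}

// Constructed sample values standing in for $_SERVER['PHP_SELF'].
$samples = [
    '/test/foo.bar',                 // the expected form
    '//test/foo.bar',                // client requested a doubled slash
    '/test//foo.bar/extra"><b>x',    // trailing path info carrying markup characters
];

foreach ($samples as $raw) {
    printf("%-30s => %s\n", $raw, safe_self_for_html($raw));
}

// In a real page, prefer SCRIPT_NAME (it omits trailing path info) and
// still escape it on output:
//   $action = safe_self_for_html($_SERVER['SCRIPT_NAME']);
//   echo '<form method="post" action="' . $action . '">';
```

PHP_SELF includes any extra path information the client appends after the script name, which is why the third sample still needs escaping even after the slashes are collapsed.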
