Why use $_SERVER['PHP_SELF'] instead of ""

In a form on a PHP page, you can use:

<form action="<?php echo $_SERVER['PHP_SELF']; ?>" ...>

or

<form action="#" ...>

or

<form action="" ...>

in the action attribute of the form. Since echoing $_SERVER['PHP_SELF'] does not pass the variables of a GET request, and you have to use "" for that, why would you use that or "#"?

I'm asking because it took me some time to figure out that the variables are not passed with $_SERVER['PHP_SELF']. Thanks.


The action attribute will default to the current URL. It is the most reliable and easiest way to say "submit the form to the same place it came from".

There is no reason to use $_SERVER['PHP_SELF'], and # doesn't submit the form at all (unless there is a submit event handler attached that handles the submission).


Using an empty string is perfectly fine and actually much safer than simply using $_SERVER['PHP_SELF'].

When using $_SERVER['PHP_SELF'] it is very easy to inject malicious data by simply appending /<script>... after the whatever.php part of the URL, so you should not use this method, and stop using any PHP tutorial that suggests it.


When you insert ANY variable into HTML, unless you want the browser to interpret the variable itself as HTML, it's best to use htmlspecialchars() on it. Among other things, it prevents hackers from inserting arbitrary HTML in your page.

The value of $_SERVER['PHP_SELF'] is taken directly from the URL entered in the browser. Therefore if you use it without htmlspecialchars(), you're allowing hackers to directly manipulate the output of your code.

For example, if I e-mail you a link to http://example.com/"><script>malicious_code_here()</script><span class=" and you have <form action="<?php echo $_SERVER['PHP_SELF'] ?>">, the output will be:

<form action="http://example.com/"><script>malicious_code_here()</script><span class="">

My script will run, and you will be none the wiser. If you were logged in, I may have stolen your cookies, or scraped confidential info from your page.

However, if you used <form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']) ?>">, the output would be:

<form action="http://example.com/&quot;&gt;&lt;script&gt;cookie_stealing_code()&lt;/script&gt;&lt;span class=&quot;">

When you submitted the form, you'd have a weird URL, but at least my evil script did not run.

On the other hand, if you used <form action="">, then the output would be the same no matter what I added to my link. This is the option I would recommend.
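To make the three options in this answer concrete, here is an added example (not code from the original question or answers) that renders the opening `<form>` tag each way for the same request path. The path value is constructed to stand in for `$_SERVER['PHP_SELF']` on the crafted URL shown above, with a harmless `marker()` in place of the attacker's script; the function names are mine.

```php
<?php
// Added example, not part of the original answers: render the <form> opening
// tag three ways for the same request path and check whether the attribute
// boundary was broken out of.
declare(strict_types=1);

// Constructed value standing in for $_SERVER['PHP_SELF'] on a request to
// /whatever.php/"><script>marker()</script><span class="
// (the same payload shape as in the answer above, with a benign marker).
const ATTACKER_PATH = '/whatever.php/"><script>marker()</script><span class="';

// Option 1: raw PHP_SELF, as in the tutorials the answers warn against.
function formTagRaw(string $phpSelf): string
{
    return '<form action="' . $phpSelf . '" method="post">';
}

// Option 2: PHP_SELF passed through htmlspecialchars(). ENT_QUOTES is given
// explicitly so single quotes are escaped as well; before PHP 8.1 the default
// flag set was ENT_COMPAT, which leaves single quotes alone and is therefore
// not enough for 'single-quoted' attributes.
function formTagEscaped(string $phpSelf): string
{
    $safe = htmlspecialchars($phpSelf, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form action="' . $safe . '" method="post">';
}

// Option 3: empty action, which the browser resolves to the current URL
// (query string included), with no request data echoed into the page at all.
function formTagEmpty(): string
{
    return '<form action="" method="post">';
}

// Crude demo check: a single well-formed opening tag contains exactly one '<'
// and one '>'. Anything more means the attribute value closed the tag early.
function attributeWasBrokenOut(string $html): bool
{
    return substr_count($html, '<') > 1 || substr_count($html, '>') > 1;
}

$variants = [
    'raw'     => formTagRaw(ATTACKER_PATH),      // broken out: yes
    'escaped' => formTagEscaped(ATTACKER_PATH),  // broken out: no
    'empty'   => formTagEmpty(),                 // broken out: no
];

foreach ($variants as $label => $html) {
    printf("%-8s broken out: %-3s  %s\n",
        $label, attributeWasBrokenOut($html) ? 'yes' : 'no', $html);
}
```

Only the raw variant is flagged. The escaped variant keeps the odd `&quot;&gt;&lt;script&gt;...` text inside the attribute, as the answer describes, and the empty-action variant is independent of the URL entirely, which is why it also avoids the lost-query-string problem from the question.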


I know that the question is two years old, but it was the first result for what I was looking for. I found good answers and I hope I can help other users.

Look at this

I will make this brief:

  • use the $_SERVER["PHP_SELF"] variable with htmlspecialchars():

    `htmlspecialchars($_SERVER["PHP_SELF"]);`

  • PHP_SELF returns the filename of the currently executing script.

  • The htmlspecialchars() function converts special characters to HTML entities. --> NO XSS