Why use $_SERVER['PHP_SELF'] instead of ""
In a form on a PHP page, you can use:
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" ...>
or
<form action="#" ...>
or
<form action="" ...>
in the action attribute of the form. Since echo $_SERVER['PHP_SELF']
does not pass variables for using GET
and you have to use ""
, why would you use that or "#"
?
I'm asking because it took me some time to figure out that the variables are not passed with $_SERVER['PHP_SELF']
. Thanks.
The action
attribute will default to the current URL. It is the most reliable and easiest way to say "submit the form to the same place it came from".
There is no reason to use $_SERVER['PHP_SELF']
, and #
doesn't submit the form at all (unless there is a submit
event handler attached that handles the submission).
Using an empty string is perfectly fine and actually much safer than simply using $_SERVER['PHP_SELF']
.
When using $_SERVER['PHP_SELF']
it is very easy to inject malicious data by simply appending /<script>...
after the whatever.php
part of the URL so you should not use this method and stop using any PHP tutorial that suggests it.
When you insert ANY variable into HTML, unless you want the browser to interpret the variable itself as HTML, it's best to use htmlspecialchars()
on it. Among other things, it prevents hackers from inserting arbitrary HTML in your page.
The value of $_SERVER['PHP_SELF']
is taken directly from the URL entered in the browser. Therefore if you use it without htmlspecialchars()
, you're allowing hackers to directly manipulate the output of your code.
For example, if I e-mail you a link to http://example.com/"><script>malicious_code_here()</script><span class="
and you have <form action="<?php echo $_SERVER['PHP_SELF'] ?>">
, the output will be:
<form action="http://example.com/"><script>malicious_code_here()</script><span class="">
My script will run, and you will be none the wiser. If you were logged in, I may have stolen your cookies, or scraped confidential info from your page.
However, if you used <form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']) ?>">
, the output would be:
<form action="http://example.com/"><script>cookie_stealing_code()</script><span class="">
When you submitted the form, you'd have a weird URL, but at least my evil script did not run.
On the other hand, if you used <form action="">
, then the output would be the same no matter what I added to my link. This is the option I would recommend.
I know that the question is two years old, but it was the first result of what I am looking for. I found a good answers and I hope I can help other users.
Look at this
I will make this brief:
-
use the
$_SERVER["PHP_SELF"]
Variable withhtmlspecialchars
():`htmlspecialchars($_SERVER["PHP_SELF"]);`
PHP_SELF returns the filename of the currently executing script.
- The
htmlspecialchars
() function converts special characters to HTML entities. --> NO XSS