Why use $_SERVER['PHP_SELF'] instead of
The action
attribute will default to the current URL. It is the most reliable and easiest way to say "submit the form to the same place it came from".
There is no reason to use $_SERVER['PHP_SELF']
, and #
doesn't submit the form at all (unless there is a submit
event handler attached that handles the submission).
What is the alternative of $_SERVER['PHP_SELF']?
If you do a var_dump($_SERVER)
you will see all of the server variables you have available to you
$_SERVER['PHP_SELF'] . '?' . $_SERVER['QUERY_STRING'];
What's the difference between $_SERVER['PHP_SELF'] and $_SERVER['SCRIPT_NAME']?
Difference
http://sandbox.phpcode.eu/g/3e38d.php/test
Script name is absolute path to file.
PHP_SELF
is script you're currently in (along with "path" after .php
)
It's like $_SERVER['SERVER_NAME']
and $_SERVER['HTTP_HOST']
http://sandbox.phpcode.eu./g/f5093.php
http://sandbox.phpcode.eu/g/f5093.php
spot one difference
Using $_SERVER['PHP_SELF']; vs htmlentities($_SERVER['PHP_SELF']); for canonical link on https
The problem: The user can control the content of $_SERVER['PHP_SELF']
Let say your code is in index.php
So when you call https://www.yourserver.com/index.php your code will worked as expacted. But index.php will also called when someone will call
http://localhost/phpinfo.php/%22/%3E%3Cscript%3Ealert('Hello');%3C/script%3E%3Cbr
The part /%22/%3E%3Cscript%3Ealert('Hello');%3C/script%3E%3Cbr is called PATHINFO
When you try it, you will see that some javascript will also executed.
Some evil user can generate such a link with any javascript in it and send it by email to his victim in the hope he will click on it, his javascript will be execute on the victim browser. So may be he can steal the session id from that user and capture his session
which is good php_self or phpfilename.php
You shouldn't use PHP_SELF
its not really neaded the problem is if you echo that variable in a link for example you have XSS attack because all parameters are written to the site.
PHP_SELF and XSS
Here are some cool answers. So its better to use the complete name of the file and put the parameters you need filtered behind the filename.
Why does htmlspecialchars work on 'PHP_SELF' and not on 'REQUEST_URI' on form post?
It sounds like you're confusing htmlspecialchars
with urlencode
.
htmlspecialchars
replaces characters with special meaning in HTML with &
-escaped entities. So, for example, '
becomes '
. It doesn't turn %22
into "
, however, because %22
has no special meaning in HTML, so it's safe to display it without modification.
urlencode
replaces characters with special meaning in URLs with hexadecimal character codes using %
. So, for example, "
becomes %22
.
If you want a form to be handled by the same URL that is used to display it, always use action=""
rather than action=<?=$_SERVER['PHP_SELF']?>
or action=<?=$_SERVER['REQUEST_URI']?>
. As you've already figured out, there are serious risks of cross-site scripting (XSS) if you use either of the $_SERVER
variables, because they contain user input and therefore cannot be trusted. So, unless you have a good reason that you need to tweak the URL somehow, just use action=""
.
in_array($_SERVER[PHP_SELF], [/index.php, /tob.php]) keeps on returning false
Because in_array() will only search for an exact match of a string. You may be looking for strpos() as that will find the first occurrence of a substring in a string. You can use a loop through the array and using strpos() on each iteration to find tob.php
Related Topics
PHP Passing C Struct Data Throught Socket Programming
PHP Session Side-Effect Warning with Global Variables as a Source of Data
What's an Actual Use of Variable Variables
Mechanisms for Tracking Db Schema Changes
Laravel Eloquent Sum of Relation's Column
When Will _Destruct Not Be Called in PHP
How to Use Curl Instead of File_Get_Contents
Require(Vendor/Autoload.Php): Failed to Open Stream
Check Whether or Not a Cidr Subnet Contains an Ip Address
My Magento Extension Install Script Will Not Run
Why We Need Curlopt_Ssl_Verifypeer in Windows
Check Whether $_Post-Value Is Empty
Combinations, Dispositions and Permutations in PHP
How to Convert String to Boolean PHP
Best Way to Determine If a Url Is an Image in PHP
$_Server["Remote_Addr"] Gives Server Ip Rather Than Visitor Ip