Why use $_SERVER['PHP_SELF'] instead of ""

Why use $_SERVER['PHP_SELF'] instead of ""?

The action attribute will default to the current URL. It is the most reliable and easiest way to say "submit the form to the same place it came from".

There is no reason to use $_SERVER['PHP_SELF'], and # doesn't submit the form at all (unless there is a submit event handler attached that handles the submission).

What is the alternative of $_SERVER['PHP_SELF']?

If you do a var_dump($_SERVER) you will see all of the server variables you have available to you:

$_SERVER['PHP_SELF'] . '?' . $_SERVER['QUERY_STRING'];

What's the difference between $_SERVER['PHP_SELF'] and $_SERVER['SCRIPT_NAME']?

Difference

http://sandbox.phpcode.eu/g/3e38d.php/test

SCRIPT_NAME is the absolute path to the file.

PHP_SELF is the script you're currently in (along with the "path" after .php).

It's like $_SERVER['SERVER_NAME'] and $_SERVER['HTTP_HOST']:

http://sandbox.phpcode.eu./g/f5093.php

http://sandbox.phpcode.eu/g/f5093.php

Spot one difference.

Using $_SERVER['PHP_SELF']; vs htmlentities($_SERVER['PHP_SELF']); for canonical link on https

The problem: the user can control the content of $_SERVER['PHP_SELF'].

Let's say your code is in index.php.

So when you call https://www.yourserver.com/index.php your code will work as expected. But index.php will also be called when someone calls

http://localhost/phpinfo.php/%22/%3E%3Cscript%3Ealert('Hello');%3C/script%3E%3Cbr

The part /%22/%3E%3Cscript%3Ealert('Hello');%3C/script%3E%3Cbr is called PATH_INFO.

When you try it, you will see that some JavaScript will also be executed.

Some evil user can generate such a link with any JavaScript in it and send it by email to his victim in the hope he will click on it; his JavaScript will be executed in the victim's browser. So maybe he can steal the session id from that user and capture his session.

Which is better: PHP_SELF or phpfilename.php?

You shouldn't use PHP_SELF; it's not really needed. The problem is that if you echo that variable in a link, for example, you have an XSS attack because all parameters are written to the site.

PHP_SELF and XSS

Here are some cool answers. So it's better to use the complete name of the file and put the parameters you need, filtered, behind the filename.

Why does htmlspecialchars work on 'PHP_SELF' and not on 'REQUEST_URI' on form post?

It sounds like you're confusing htmlspecialchars with urlencode.

htmlspecialchars replaces characters with special meaning in HTML with &-escaped entities. So, for example, ' becomes &#039;. It doesn't turn %22 into ", however, because %22 has no special meaning in HTML, so it's safe to display it without modification.

urlencode replaces characters with special meaning in URLs with hexadecimal character codes using %. So, for example, " becomes %22.

If you want a form to be handled by the same URL that is used to display it, always use action="" rather than action=<?=$_SERVER['PHP_SELF']?> or action=<?=$_SERVER['REQUEST_URI']?>. As you've already figured out, there are serious risks of cross-site scripting (XSS) if you use either of the $_SERVER variables, because they contain user input and therefore cannot be trusted. So, unless you have a good reason that you need to tweak the URL somehow, just use action="".
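To make the two answers above concrete (the PATH_INFO breakout described earlier and the htmlspecialchars discussion here), the following is an added example, not code from any of the answers. It simulates the $_SERVER['PHP_SELF'] value that the request shown earlier produces and renders a form action four ways; the sample string and the function names are constructed for this demonstration.

```php
<?php
// Added example (not from the answers above). Run from the CLI:
//   php php_self_demo.php

// Constructed sample: what $_SERVER['PHP_SELF'] holds for a request like
//   GET /index.php/%22%3E%3Cscript%3Ealert('Hello');%3C/script%3E
// The web server URL-decodes PATH_INFO before PHP sees it.
$samplePhpSelf = '/index.php/"><script>alert(\'Hello\');</script>';

// Vulnerable: the user-controlled PATH_INFO part closes the attribute
// and the tag, so the browser runs whatever follows.
function actionUnescaped(string $phpSelf): string {
    return '<form action="' . $phpSelf . '" method="post">';
}

// Mitigation 1: escape for the HTML attribute context. ENT_QUOTES makes
// sure both " and ' are encoded (' becomes &#039;), so the value can no
// longer break out of the quoted attribute.
function actionEscaped(string $phpSelf): string {
    $safe = htmlspecialchars($phpSelf, ENT_QUOTES, 'UTF-8');
    return '<form action="' . $safe . '" method="post">';
}

// Mitigation 2: drop PATH_INFO entirely and use only the script's own
// file name, which the request cannot influence.
function actionScriptName(string $scriptName): string {
    $safe = htmlspecialchars(basename($scriptName), ENT_QUOTES, 'UTF-8');
    return '<form action="' . $safe . '" method="post">';
}

// Mitigation 3: an empty action submits to the current URL and echoes
// nothing from $_SERVER at all.
function actionEmpty(): string {
    return '<form action="" method="post">';
}

echo "unescaped: ", actionUnescaped($samplePhpSelf), PHP_EOL;
echo "escaped:   ", actionEscaped($samplePhpSelf), PHP_EOL;
echo "basename:  ", actionScriptName('/index.php'), PHP_EOL;
echo "empty:     ", actionEmpty(), PHP_EOL;
```

Note that the escaped variant is safe in the attribute but still carries the junk path, so the form posts back to index.php/... and relies on PATH_INFO being accepted; the last two variants avoid that entirely.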

in_array($_SERVER['PHP_SELF'], ['/index.php', '/tob.php']) keeps on returning false

Because in_array() will only search for an exact match of a string. You may be looking for strpos(), as that will find the first occurrence of a substring in a string. You can loop through the array and use strpos() on each iteration to find tob.php.
