46

In a form on a PHP page, you can use:

<form action="<?php echo $_SERVER['PHP_SELF']; ?>" ...>

or

<form action="#" ...>

or

<form action="" ...>

in the action attribute of the form. Since echo $_SERVER['PHP_SELF'] does not pass variables for using GET and you have to use "", why would you use that or "#"?

I'm asking because it took me some time to figure out that the variables are not passed with $_SERVER['PHP_SELF']. Thanks.

robk27

  • I don't really understand your question. What are you trying to achieve? Are you trying to pass GET-variables in the URL while sending a form via POST? – bartlaarhoven Dec 30 '12 at 18:26
  • you can use argv to return the GET vars: http://php.net/manual/en/reserved.variables.server.php – sdjuan Dec 30 '12 at 18:26
  • I prefer using $_SERVER['SCRIPT_NAME'] – jap1968 Dec 30 '12 at 18:28
  • Well my main question is why would anyone ever use `$_SERVER['PHP_SELF']` when you can just use `action=""`? Also, I have a form on a page that has variables in the URL like www.example.com?id=43. If I used `$_SERVER['PHP_SELF']` it wouldn't get the variables but with `""`, it does. I know I could probably do `$_SERVER['PHP_SELF']?id=echo $id` but why do all that extra work when `""` works? – robk27 Dec 30 '12 at 18:32
  • I recall using a browser some years back that wouldn't submit the form without a fully qualified URL in action. The link from W3C prefers that one removes the action attribute rather than action="": https://www.w3.org/TR/html5/forms.html#attr-fs-formaction – Kevin Delaney Sep 14 '16 at 17:53
  • I know this is old, but the answer is that long ago, the action attribute was required, and according to the HTML spec, you were supposed to supply a complete URL as well. IE deviated from the spec and when the action attribute was missing or empty would post back to the source URL; Firefox followed suit, but when WebKit implemented it, they decided it should instead post back to the root of the site, so you couldn't use the missing/empty action and be cross-browser compatible. Eventually WebKit changed their implementation after the newer HTML specs were changed. – Robert McKee Oct 01 '16 at 23:01

6 Answers

67

The action attribute will default to the current URL. It is the most reliable and easiest way to say "submit the form to the same place it came from".

There is no reason to use $_SERVER['PHP_SELF'], and # doesn't submit the form at all (unless there is a submit event handler attached that handles the submission).

Niet the Dark Absol

  • According to the HTML standard (for HTML4 anyway), the `action` attribute is required and must have a URI (as defined by http://www.ietf.org/rfc/rfc2396.txt) or is otherwise undefined behavior (http://www.w3.org/TR/html401/interact/forms.html#adef-action). Is an empty string considered a valid URI? (It's worth noting that I always use `action=""`; I'm just curious if we've all been relying on undefined behavior -- am reading the URI RFC now, but figure someone may already know.) – Corbin Dec 30 '12 at 18:28
  • I remember reading somewhere that in the HTML5 standard, the `action` attribute can be left blank. I will try to look for where I read that. – robk27 Dec 30 '12 at 18:35
  • In HTML5 the specification says that the `action` attribute is not mandatory. http://stackoverflow.com/a/7048874/582917 – CMCDragonkai Mar 21 '16 at 06:38
49

Using an empty string is perfectly fine and actually much safer than simply using $_SERVER['PHP_SELF'].

When using $_SERVER['PHP_SELF'] it is very easy to inject malicious data by simply appending /<script>... after the whatever.php part of the URL, so you should not use this method, and stop using any PHP tutorial that suggests it.

ThiefMaster

  • -1 If this is a concern, what server software are you using? If you are using a correctly-configured apache2 or nginx server, this shouldn't happen. – Tyzoid Aug 12 '14 at 22:50
  • Because you totally have the ability to modify the server config when using cheap-ass shared webspace like many people still do... – ThiefMaster Aug 12 '14 at 22:58
  • But will this really make a difference in this case? So the user injects JS onto *his version* of the page. He could have done this using inspector or firebug or any other tools available. Also, any security concerns of using a cheap shared server would outweigh this issue IMO. – Tyzoid Aug 12 '14 at 23:05
  • @Tyzoid it could potentially be someone _else's_ version of the page with a hyperlink, which is when you start running into trouble. For example, this innocuous-looking link: [http://www.google.com](http://example.com/mypage.php?MALICIOUS_JAVASCRIPT) – Ian Hunter Aug 13 '14 at 23:23
  • @IanHunter The issue then becomes moot when using `rawurlencode`/`htmlentities` *like every web developer should* when echoing user input. – Tyzoid Sep 01 '14 at 13:45
  • I doubt most people consider PHP_SELF to be user input. – ThiefMaster Sep 01 '14 at 14:05
  • What happens if you omit the action? The HTML validators were complaining, so I took my blank actions out. – Rohit Gupta May 01 '15 at 02:38
27

When you insert ANY variable into HTML, unless you want the browser to interpret the variable itself as HTML, it's best to use htmlspecialchars() on it. Among other things, it prevents hackers from inserting arbitrary HTML in your page.

The value of $_SERVER['PHP_SELF'] is taken directly from the URL entered in the browser. Therefore if you use it without htmlspecialchars(), you're allowing hackers to directly manipulate the output of your code.

For example, if I e-mail you a link to http://example.com/"><script>malicious_code_here()</script><span class=" and you have <form action="<?php echo $_SERVER['PHP_SELF'] ?>">, the output will be:

<form action="http://example.com/"><script>malicious_code_here()</script><span class="">

My script will run, and you will be none the wiser. If you were logged in, I may have stolen your cookies, or scraped confidential info from your page.

However, if you used <form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']) ?>">, the output would be:

<form action="http://example.com/&quot;&gt;&lt;script&gt;malicious_code_here()&lt;/script&gt;&lt;span class=&quot;">

When you submitted the form, you'd have a weird URL, but at least my evil script did not run.

On the other hand, if you used <form action="">, then the output would be the same no matter what I added to my link. This is the option I would recommend.

Mark Eirich
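The three variants ThiefMaster and Mark Eirich compare above, rendered side by side so the difference is visible. This is added example code, not from either answer; `$hostile` is a constructed stand-in for what `$_SERVER['PHP_SELF']` can contain when the web server forwards trailing path info to the script, and the functions take it as a parameter so the script runs from the CLI without a web server.

```php
<?php
// Added example: compares raw PHP_SELF, escaped PHP_SELF and action="" for a
// constructed hostile request path. Not code from the original answers.

function formTagRaw(string $phpSelf): string {
    // Vulnerable: the request path is echoed straight into an attribute value,
    // so a quote in the path closes the attribute and the rest becomes markup.
    return '<form action="' . $phpSelf . '" method="post">';
}

function formTagEscaped(string $phpSelf): string {
    // Hardened: htmlspecialchars() with ENT_QUOTES encodes <, >, &, " and ',
    // so the path can no longer break out of the action attribute.
    return '<form action="' . htmlspecialchars($phpSelf, ENT_QUOTES, 'UTF-8') . '" method="post">';
}

function formTagEmptyAction(): string {
    // Simplest: the browser submits to the current URL and nothing from the
    // request is echoed into the page at all.
    return '<form action="" method="post">';
}

function containsLiveScriptTag(string $html): bool {
    // Crude self-check used below: a literal <script> in the rendered tag
    // means the payload escaped the attribute. Entity-encoded output passes.
    return strpos($html, '<script>') !== false;
}

// Constructed hostile path (assumption: the server passes trailing path info
// through to PHP_SELF), mirroring the shape used in the answer above.
$hostile = '/index.php/"><script>malicious_code_here()</script><span class="';

$variants = [
    'raw'     => formTagRaw($hostile),
    'escaped' => formTagEscaped($hostile),
    'empty'   => formTagEmptyAction(),
];

foreach ($variants as $label => $html) {
    $verdict = containsLiveScriptTag($html) ? 'INJECTED' : 'safe';
    printf("%-8s %-9s %s\n", $label, $verdict, $html);
}
```

Running it prints one line per variant; only the `raw` line is flagged `INJECTED`, and the `escaped` line shows the entity-encoded attribute value that Mark Eirich's answer describes.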
12

I know that the question is two years old, but it was the first result of what I am looking for. I found a good answer and I hope I can help other users.

Look at this

I will make this brief:

  • use the $_SERVER["PHP_SELF"] Variable with htmlspecialchars():

    `htmlspecialchars($_SERVER["PHP_SELF"]);`
    
  • PHP_SELF returns the filename of the currently executing script.

  • The htmlspecialchars() function converts special characters to HTML entities. --> NO XSS
Micha93
0

In addition to the above answers, another way of doing it, besides $_SERVER['PHP_SELF'] or simply using an empty string, is to use __DIR__.
OR
If you're on a lower PHP version (<5.3), a more common alternative is to use dirname(__FILE__).
Both return the folder name of the file in context.

EDIT
As Boann pointed out, this returns the on-disk location of the file, which you would not ideally expose as a URL. In that case dirname($_SERVER['PHP_SELF']) can return the folder name of the file in context.

maxxon15

  • `__FILE__` and `__DIR__` are the on-disk location of the PHP file. `PHP_SELF` is the server-facing URL. Totally different. – Boann Aug 25 '13 at 23:58
  • @Boann Didn't know the difference until I did on a live server. In that case `dirname($_SERVER['PHP_SELF'])` can do the trick. Although the solution I gave here helped me on a Windows machine with XAMPP installed. – maxxon15 Aug 26 '13 at 21:41
-4

There is no difference. The $_SERVER['PHP_SELF'] just makes the execution time slower by like 0.000001 second.

  • This is wrong, PHP_SELF might be dangerous: http://stackoverflow.com/a/14093363/3906760 – MrTux Sep 06 '14 at 18:59
  • I am going to start objecting now. PHP_SELF has nothing to do with danger. The issue is that **action=** should use **htmlspecialchars** regardless of what you put after it. – Rohit Gupta May 01 '15 at 03:34