
Let's say I have a form on my website homepage: www.mysite.com

Now, the form tag looks like this:

<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
...
</form>

When that form submits, it does everything it's supposed to. But it also reloads the page with the full filename and extension. So the user will now find the URL in the address bar is: www.mysite/index.php

Is there a way to make the form fire to the same page without adding this extension?

There may be situations where the form is an include in a footer, so I can't be specific about the page the form needs to fire to, hence the PHP_SELF code.

CaribouCode
  • I'm not sure what you are trying to do here. Are you trying to redirect the user to a different page after the form has been submitted? – Amal Murali Sep 23 '13 at 15:11
  • try changing $_SERVER['PHP_SELF'] to $_SERVER['SERVER_NAME'] maybe ? – Maximus2012 Sep 23 '13 at 15:11
  • @AmalMurali No, after the form submits, I want the user to still be on the same page. – CaribouCode Sep 23 '13 at 15:12
  • PHP_SELF is evil as it allows for xss. Use SCRIPT_NAME instead. – Christoph Diegelmann Sep 23 '13 at 15:12
  • @Christoph I see a lot of people say that, but I honestly don't understand why. Do you have a link to support your claim? – Niet the Dark Absol Sep 23 '13 at 15:18
  • @Kolink I've got a German article that describes it pretty well. Basically it's because you can add custom data behind the URL like `/subdir/mypath.php/"> – Christoph Diegelmann Sep 23 '13 at 15:26
  • @Christoph But doesn't that still result in `/subdir/mypath.php`? `$_SERVER['PHP_SELF']` refers to the script that is being run, isn't that stripped of all stuff added to it? I can understand this would be a risk with `$_SERVER['REQUEST_URI']`, but surely this isn't a problem with `PHP_SELF`? – Niet the Dark Absol Sep 23 '13 at 15:29
  • @Kolink that's the problem: PHP_SELF doesn't strip this (at least under Apache, as the author of http://blog.oncode.info/2008/05/07/php_self-ist-boese-potentielles-cross-site-scripting-xss/ states (maybe you can let Google translate it)). SCRIPT_NAME strips it. – Christoph Diegelmann Sep 23 '13 at 15:31

3 Answers

3

That's because $_SERVER['PHP_SELF'] refers to the actual filename of the current script.

Try this:

<form action="" method="post">

An empty action will post back to the current URL.

Niet the Dark Absol
  • Ah right. I've heard somewhere that using an HTML base tag would screw this up though. Is that true? – CaribouCode Sep 23 '13 at 15:14
  • I... have no idea. I don't think so, but I really can't say since I've never used `` tags. – Niet the Dark Absol Sep 23 '13 at 15:15
  • OK, it's just because I use base tag every now and then so didn't want a conflict. Nonetheless this will certainly work for my current project so I'll accept the answer. Cheers! – CaribouCode Sep 23 '13 at 15:17
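The XSS point raised in the comments under the question, and the empty-action fix from the answer above, side by side. This is an added example, not code from the question or any answer; the `$server` array is a constructed stand-in for `$_SERVER`, and whether `PHP_SELF` actually carries trailing path data (PATH_INFO) depends on the web server and its configuration, as the comments note for Apache.

```php
<?php
// Added example: why echoing $_SERVER['PHP_SELF'] unescaped into the action
// attribute is risky, and safer ways to build the attribute.
// Run from the CLI: php form_action.php
//
// Constructed sample values (assumption: the server passes PATH_INFO through
// to PHP_SELF, as the comments describe for Apache). For a request like
//   /contact.php/extra"><b>injected</b>
// PHP_SELF keeps the trailing path data, SCRIPT_NAME does not.
$server = [
    'SCRIPT_NAME' => '/contact.php',
    'PHP_SELF'    => '/contact.php/extra"><b>injected</b>',
];

// Unsafe: the raw value closes the attribute early and injects markup.
function actionUnsafe(array $server): string {
    return '<form action="' . $server['PHP_SELF'] . '" method="post">';
}

// Safer option 1: escape for an attribute context before echoing.
// ENT_QUOTES turns the double quote into an entity so it cannot end the attribute.
function actionEscaped(array $server): string {
    $self = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form action="' . $self . '" method="post">';
}

// Safer option 2: SCRIPT_NAME carries no PATH_INFO; still escape it out of habit.
function actionScriptName(array $server): string {
    $name = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form action="' . $name . '" method="post">';
}

// Safer option 3 (the accepted answer): an empty action posts back to the current URL,
// so no server-supplied value is reflected into the page at all.
function actionEmpty(): string {
    return '<form action="" method="post">';
}

echo actionUnsafe($server), PHP_EOL;     // attribute broken, injected markup rendered
echo actionEscaped($server), PHP_EOL;    // quotes and angle brackets become entities
echo actionScriptName($server), PHP_EOL; // only /contact.php appears
echo actionEmpty(), PHP_EOL;             // nothing reflected
```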
2

Try setting the action to #:

<form action="#" method="post">
...
</form>

The # refers to the current page.

Amal Murali
Mike
  • Is there a reason why a hashtag should be used instead of leaving it empty? – CaribouCode Sep 23 '13 at 15:15
  • I really hate leaving things empty, personally, because it looks like an oversight, or like I meant to come back, whereas having a character there clearly shows that I intended it to be that way. – Mike Sep 23 '13 at 15:17
  • I found this discussion on the topic, anyone interested should at least give this a glance: http://stackoverflow.com/questions/1131781/is-it-a-good-practice-to-use-an-empty-url-for-a-html-forms-action-attribute-a – Mike Sep 23 '13 at 15:18
  • # actually refers to an ID on the page, but if it is blank it will end up being the top of the page. You can use it to link to a certain section of the page with #nameOfDOMId – EliteTech Sep 23 '13 at 15:45
1

Try changing action to #; this posts to the current page.

Edit: Mike beat me to it.

Edit 2: It looks like you can leave out the action altogether and it will default to the same page.

Edit 3: Mike beat me to that one too.

EliteTech