So recently I've been using action="form.php" in my forms. But now I see that you can do without needing an action, since the PHP and the form are in the same file. Which way would be more secure: a PHP file by itself, followed by another file taking care of the form, or both combined?

So would I do this? Is it safer?

<?php
// Read the field only when the form has been submitted; on the first (GET) load $_POST is empty
$name = isset($_POST['name']) ? $_POST['name'] : '';
?>
<form method="post">
<input type="text" name="name">
<input type="submit">
</form>
  • Could you clarify the question? Are you asking WHETHER the PHP and form should be in the same file, or are you asking the best way to have the form point to PHP that's in the same file? – Barmar Apr 18 '14 at 20:45
  • I'm asking whether it should be in the same file. –  Apr 18 '14 at 20:46
  • That's purely a stylistic choice, it shouldn't make any security difference. – Barmar Apr 18 '14 at 20:49
  • @user302975 if you're learning I would suggest that you start learning along with a Template Library; it will make your life so much easier when having to deal with HTML and PHP, as well as when having to change the HTML without having to change all your code. Smarty PHP is one library you could start with which is very simple to use, but if you're using a Framework some of them already have one embedded. – Prix Apr 18 '14 at 20:51

1 Answer


Use `<?php echo $_SERVER['PHP_SELF'];?>`:

<html>
<body>
<!-- PHP_SELF reflects the request path, so it is escaped before being placed in the attribute -->
<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>">
<table border="0">
<tr><td> Subject:</td><td> <input type="text" name="subject" /></td></tr>
<tr><td> Message:</td><td> <input type="text" name="message" /></td></tr>
<tr><td> <input type="submit" value="Submit" name="submit"/></td><td><input type="reset" value="Clear" /></td></tr>
</table>
</form>
</body>
</html>
<?php
if (isset($_POST['submit']))
{
    // Read from $_POST (not $_REQUEST) so only the submitted form fields are accepted;
    // strip CR/LF from the subject so it cannot carry extra mail headers
    $subject = isset($_POST['subject']) ? str_replace(array("\r", "\n"), '', $_POST['subject']) : '';
    $message = isset($_POST['message']) ? $_POST['message'] : '';
    $email = "example@test.com";
    if (mail($email, $subject, $message)) {
        echo "<center>Email sent</center>";
    }
}
?>
Pedro Lobito
  • `PHP_SELF` is not a good choice. Use `SCRIPT_FILENAME` if available. http://markjaquith.wordpress.com/2009/09/21/php-server-vars-not-safe-in-forms-or-links/ – Jonathan Kuhn Apr 18 '14 at 20:43
  • I also believe it would be $_SERVER['PHP_SELF'], would it not? – dsimer Apr 18 '14 at 20:44
  • So what would be safer? –  Apr 18 '14 at 20:45
  • @user302975 there's actually no difference in regards to safety. – Pedro Lobito Apr 18 '14 at 20:46
  • What about speed? Is there any difference at all? –  Apr 18 '14 at 20:47
  • @Tuga not true. Using `PHP_SELF` is insecure and allows for crafted urls to inject html/script. – Jonathan Kuhn Apr 18 '14 at 20:47
  • It's slightly faster to leave out the `action` attribute, since the file will be shorter and it's another variable for PHP to expand. The browser automatically uses the current document as a default, there's no speed difference there. – Barmar Apr 18 '14 at 20:48
  • @Tuga Nope. As in it is possible to send someone a link that they click on and it injects html/javascript into the source of the page. For example you could send someone an email with a link that redirects a login form to another site to capture their credentials. – Jonathan Kuhn Apr 18 '14 at 20:51
  • I actually read Jonathan Kuhn's linked article and it suggests leaving action blank or at worst running it through admin_url(). – dsimer Apr 18 '14 at 20:52
  • the article is about WordPress and dates `2009/09/21`, too much bla bla – Pedro Lobito Apr 18 '14 at 20:56
  • lol, because the age of a security issue makes it less of a problem, even if it still exists. – Jonathan Kuhn Apr 18 '14 at 20:58
  • @Tuga regardless, if you look at the examples he posts, it's not hard to imagine it translating to other platforms and general coding, depending upon your background. I wouldn't be so quick to discount, necessarily. Besides, isn't action="" less typo-prone? :p – dsimer Apr 18 '14 at 21:00
  • @Jonathan here, here. – dsimer Apr 18 '14 at 21:01
  • @Tuga: if you are responding to a post operation, it's a good idea to set a session variable, redirect using `header()` and then `exit()`. You can then access the session var to see whether to print a confirmation message. This approach prevents [problems with the back button](http://stackoverflow.com/questions/660329/prevent-back-button-from-showing-post-confirmation-alert). – halfer Apr 18 '14 at 21:30
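The thread above settles two separate points: keeping the form and its handler in one file is a layout choice (Barmar's comment), while echoing `$_SERVER['PHP_SELF']` unescaped into the `action` attribute is what lets a crafted request path land raw in the page (Jonathan Kuhn's comments). The following is an added example, not code from the question or the answer, showing a single-file form that escapes the server variable, reads only `$_POST`, strips line breaks from the subject before it reaches `mail()`, and finishes with the session-flag-plus-redirect pattern halfer describes. The recipient address, the `form_action` and `single_line` helper names and the field length limit are assumptions made for the example.

```php
<?php
// Added example: a self-posting form and its handler in one file.
session_start();

// The request path that PHP_SELF reflects can contain characters such as
// '"' or '<'; encoding them keeps the value inside the attribute as plain
// text. Omitting the action attribute altogether is the simpler alternative,
// since browsers then submit to the current URL.
function form_action(): string
{
    return htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
}

// Mail headers are separated by CR/LF, so a subject containing line breaks
// would be read as additional headers. Collapse them and cap the length.
function single_line(string $s, int $max = 200): string
{
    $s = str_replace(["\r", "\n"], ' ', $s);
    return mb_substr(trim($s), 0, $max);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // $_POST only: query-string or cookie values cannot stand in for fields.
    $subject = single_line($_POST['subject'] ?? '');
    $message = trim($_POST['message'] ?? '');

    if ($subject === '' || $message === '') {
        $_SESSION['flash'] = 'Subject and message are required.';
    } else {
        $to = 'recipient@example.invalid'; // assumed recipient for the example
        $ok = mail($to, $subject, $message);
        $_SESSION['flash'] = $ok ? 'Email sent' : 'Sending failed';
    }

    // Redirect after POST: Back or Refresh now issues a GET for this URL,
    // so the browser never offers to resubmit the form.
    header('Location: ' . $_SERVER['REQUEST_URI'], true, 303);
    exit;
}

// Read the one-shot message left by the POST handler, then clear it.
$flash = $_SESSION['flash'] ?? null;
unset($_SESSION['flash']);
?>
<!DOCTYPE html>
<html>
<body>
<?php if ($flash !== null): ?>
<p><?= htmlspecialchars($flash, ENT_QUOTES, 'UTF-8') ?></p>
<?php endif; ?>
<form method="post" action="<?= form_action() ?>">
  <label>Subject: <input type="text" name="subject"></label>
  <label>Message: <input type="text" name="message"></label>
  <input type="submit" value="Submit">
</form>
</body>
</html>
```

Save it as a single `.php` file and load it under a PHP-enabled web server; the first GET renders the form, the POST is handled at the top of the file and answered with a 303 back to the same URL, and the confirmation text is shown once from the session on the following GET. Whether the handler lives in this file or in a separate `form.php` changes nothing about these checks; what matters is that every value that came from the request is encoded before it is written into HTML or a mail header.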