-1

Usually when posting forms in php I use

<form action="" method="POST">
//something something
</form>

But in the last few hours while surfing Stack Overflow I encountered two different threads, both of which claim one method is more secure than the other. Now I am confused about which one is the secure method.

The first post was claiming that the form

action=""

is more secure than the form

action="<?php echo $_SERVER['PHP_SELF']; ?>"

Now I am confused about which one I should go with. I request some senior members here to throw some light on this topic. And please also explain, if I use one method over another, why it is more secure.

Khan Shahrukh
  • `action="$_SERVER['PHP_SELF']"` actually won't do anything unless you actually echo it: `<?= .. ?>` or `` – Damien Overeem Sep 06 '14 at 17:53
  • To be fair, none of the answers explained how PHP_SELF could be exploited. I have added an answer which attempts to do so: http://stackoverflow.com/a/25703224/387347 – Mark Eirich Sep 06 '14 at 18:04

1 Answer

2

As stated by MrTux, the preferred way is to leave the action attribute empty.

The options of filling it with $_SERVER['PHP_SELF'] or $_SERVER['REQUEST_URI'] will leave your script open for cross-site scripting.

Read the comments by MrTux for further details.

So just leave the action attribute out completely from your form tag, which will automatically default to the current page and you'll be fine.

Damien Overeem
  • Well, actually there is. If you just use `action="<?=$_SERVER['PHP_SELF']?>"` in PHP, then just add `?"><"` to the URL and see what happens... – MrTux Sep 06 '14 at 17:28
  • @MrTux What you say would be true for REQUEST_URI, but PHP_SELF doesn't include the variables. – Boann Sep 06 '14 at 17:31
  • You're right ;), but it doesn't solve the issue. Just add `/"><"` at the end (as PATH_INFO instead of QUERY_STRING). Same problem – MrTux Sep 06 '14 at 17:33
  • @MrTux indeed a good catch... Add your answer and I'll delete this one. I always ended up using empty action, but never considered the cross-site scripting implication of actually using php_self. If you can't be bothered to add your answer, I'll edit mine with your information so the question has a solid answer. Again: nice catch.. – Damien Overeem Sep 06 '14 at 17:56
  • This question is closed, no way to add answers. Feel free to edit yours ;) – MrTux Sep 06 '14 at 18:47
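The PATH_INFO trick MrTux describes in the comments above, shown end to end as an added example (this is not code from the question or the answer). The request path is constructed for the demo: it is what `$_SERVER['PHP_SELF']` would contain for a request to `/form.php/"><script>alert(1)</script><"`, where everything after `form.php` is PATH_INFO, which PHP_SELF includes but QUERY_STRING does not. The script renders the form tag the vulnerable way and three safe ways, and runs entirely from the command line with no web server.

```php
<?php
// Added example, not part of the original page. Run with: php phpself_demo.php
// Demonstrates how an attacker-controlled PATH_INFO segment reaches the page
// through $_SERVER['PHP_SELF'] when it is echoed into the form's action
// attribute, and what the fixed variants look like.

declare(strict_types=1);

// Constructed value: what PHP_SELF holds for a request to
//   http://example.test/form.php/"><script>alert(1)</script><"
// In a real request the web server sets this from the URL the browser sent;
// it is set here by hand so the script runs offline.
$php_self = '/form.php/"><script>alert(1)</script><"';

// Vulnerable: the request path is inserted unescaped into an attribute, so the
// first " closes the attribute and > closes the tag; the rest is live markup.
function render_vulnerable(string $php_self): string
{
    return '<form action="' . $php_self . '" method="POST">';
}

// Fix 1: escape for the attribute context before inserting it.
// ENT_QUOTES encodes both quote characters, ENT_HTML5 picks HTML5 entities.
function render_escaped(string $php_self): string
{
    $safe = htmlspecialchars($php_self, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form action="' . $safe . '" method="POST">';
}

// Fix 2: omit action entirely; the browser submits to the current URL.
function render_no_action(): string
{
    return '<form method="POST">';
}

// Fix 3: hard-code the script's own path, so nothing from the request is echoed.
function render_fixed_path(): string
{
    return '<form action="/form.php" method="POST">';
}

// Returns true when the rendered tag has been broken open by the payload:
// a <script> element appears, or the tag carries more than the four quotes
// that belong to action="..." and method="...".
function tag_is_injected(string $html): bool
{
    return stripos($html, '<script>') !== false || substr_count($html, '"') !== 4;
}

$variants = [
    'Vulnerable' => render_vulnerable($php_self),
    'Escaped'    => render_escaped($php_self),
    'No action'  => render_no_action(),
    'Fixed path' => render_fixed_path(),
];

foreach ($variants as $name => $html) {
    $verdict = tag_is_injected($html) ? 'INJECTED' : 'intact';
    printf("%-11s %-8s %s\n", $name . ':', $verdict, $html);
}
```

Only the first line reports `INJECTED`; the escaped variant renders the payload as `&quot;&gt;&lt;script&gt;...`, which the browser treats as part of the URL, not as markup. Two caveats worth knowing when choosing between the fixes: the answer above recommends `action=""`, but the HTML living standard requires `action` to be a non-empty URL, so omitting the attribute is the conforming form (browsers treat an empty `action` as the document's own URL either way); and `$_SERVER['REQUEST_URI']` carries the query string as well as the path, so it needs the same escaping for the same reason.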