In a tutorial the guy says it's important to put the PHP_SELF into htmlspecialchars() because of security reasons:
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="post">
What's insecure if you don't use it?
Thanks!
htmlspecialchars replaces characters with special meaning in HTML with &-escaped entities. So, for example, ' becomes &#039;. It doesn't turn %22 into ", however, because %22 has no special meaning in HTML, so it's safe to display it without modification.

If you want a form to be handled by the same URL that is used to display it, always use action="" rather than action=<?=$_SERVER['PHP_SELF']?> or action=<?=$_SERVER['REQUEST_URI']?>.

As you've already figured out, there are serious risks of cross-site scripting (XSS) if you use either of the $_SERVER variables, because they contain user input and therefore cannot be trusted. So, unless you have a good reason that you need to tweak the URL somehow, just use action="".
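The three variants discussed above side by side, as an added example that is not part of the question or the answer. The helper names (formTagUnescaped, formTagEscaped, formTagSameUrl) and the PHP_SELF value are constructed for illustration; PHP_SELF includes PATH_INFO, which is why the requested path can end up inside it.

```php
<?php
// Added example: why the raw value of $_SERVER['PHP_SELF'] must not be placed
// into an HTML attribute, and what htmlspecialchars() changes about that.

function formTagUnescaped(string $phpSelf): string
{
    // Vulnerable: whatever was in the request path lands verbatim in the attribute.
    return '<form action="' . $phpSelf . '" method="post">';
}

function formTagEscaped(string $phpSelf): string
{
    // Hardened: ENT_QUOTES escapes both " and ' so the attribute cannot be closed early,
    // and < > are escaped so no tag can be started inside the page.
    return '<form action="' . htmlspecialchars($phpSelf, ENT_QUOTES, 'UTF-8') . '" method="post">';
}

function formTagSameUrl(): string
{
    // Simplest: an empty action submits to the URL that served the page; no user input involved.
    return '<form action="" method="post">';
}

// Constructed value: what PHP_SELF holds when /form.php is requested with extra
// path info of /"><i>injected</i> appended (in a real request it would be URL-encoded).
$phpSelf = '/form.php/"><i>injected</i>';

$raw     = formTagUnescaped($phpSelf);
$escaped = formTagEscaped($phpSelf);

// The unescaped tag now contains a closed attribute followed by foreign markup;
// the escaped tag contains no raw quote or angle bracket from the input at all.
$attributeBrokenOut = strpos($raw, '"><i>') !== false;
$escapedIsInert     = strpos($escaped, '<i>') === false
                   && strpos($escaped, '&quot;&gt;&lt;i&gt;') !== false;

echo "unescaped:  " . $raw . PHP_EOL;
echo "escaped:    " . $escaped . PHP_EOL;
echo "action=\"\": " . formTagSameUrl() . PHP_EOL;
echo "attribute broken out of in unescaped form: " . ($attributeBrokenOut ? 'yes' : 'no') . PHP_EOL;
echo "escaped form inert: " . ($escapedIsInert ? 'yes' : 'no') . PHP_EOL;
```

Run it with the PHP CLI; the unescaped line is where the browser would stop reading the action attribute and start interpreting the injected markup, which is the XSS risk the answer refers to.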