
Does anyone know what the advantage (or security reason) is of not using the same page in the action of a PHP form?

So here is the current page specified as action:

<form action="welcome.php" method="post">
Name: <input type="text" name="name"><br>
E-mail: <input type="text" name="email"><br>
<input type="submit">
</form>

Here it is again, but via a PHP superglobal:

<form action="<?php echo $_SERVER["PHP_SELF"];?>" method="post">
Name: <input type="text" name="name"><br>
E-mail: <input type="text" name="email"><br>
<input type="submit">
</form>
Krooy_mans
  • The advantage is of course that it doesn't matter if you move the page or rename the file when you're using $_SERVER – adeneo Mar 31 '15 at 12:20
    [What are PHP_SELF exploits and how to avoid them](http://www.html-form-guide.com/php-form/php-form-action-self.html) – D4V1D Mar 31 '15 at 12:21
  • Is that seriously the only advantage? Anyway, thanks for commenting! – Krooy_mans Mar 31 '15 at 12:21

1 Answer


You shouldn't use $_SERVER["PHP_SELF"] in that way for security reasons. This is because you print the complete path, including all parameters, to your site, and you have an XSS problem.

If you want to send your form to the same site, you can very simply use the #.

<form action="#" method="post">

Or type in the complete filename, which prevents adding all parameters to your website.

PHP_SELF and XSS

Here is another post on how to secure that part.

René Höhle
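To make the XSS point in the answer concrete, here is an added example (not code from the question, the answer, or any linked article) that puts the question's two forms side by side with a hardened version. The functions `unsafeFormAction`, `escapedFormAction` and `fixedFormAction` and the sample path values are my own constructions; the only real PHP APIs used are `htmlspecialchars` and `basename`. It assumes the script is served under its own filename, so `basename(__FILE__)` is a valid action target.

```php
<?php
// Added example (not from the original question or answer): shows why echoing
// $_SERVER["PHP_SELF"] unescaped into a form action is an XSS problem, and two
// safe ways to post a form back to the same script.
declare(strict_types=1);

// Vulnerable pattern from the question: the raw request path is written into
// an HTML attribute. PHP_SELF includes any PATH_INFO the client appends to the
// URL, so client-controlled characters land in the markup unescaped.
function unsafeFormAction(string $phpSelf): string
{
    return '<form action="' . $phpSelf . '" method="post">';
}

// Hardened option 1: escape before output. ENT_QUOTES covers both quote styles,
// so the value cannot terminate the attribute or open a new tag.
function escapedFormAction(string $phpSelf): string
{
    $safe = htmlspecialchars($phpSelf, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form action="' . $safe . '" method="post">';
}

// Hardened option 2: do not use the request path at all. basename(__FILE__) is
// fixed at deploy time and still survives renaming the script, which is the
// convenience mentioned in the comments on the question. (Assumes the script is
// served under its own filename.)
function fixedFormAction(string $scriptFile): string
{
    $name = htmlspecialchars(basename($scriptFile), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form action="' . $name . '" method="post">';
}

// Returns just the attribute value between action=" and " method, or null if
// the markup is not in that shape. Used below to check the escaped output.
function extractAction(string $formTag): ?string
{
    $prefix = '<form action="';
    if (strpos($formTag, $prefix) !== 0) {
        return null;
    }
    $rest = substr($formTag, strlen($prefix));
    $end = strpos($rest, '" method');
    return $end === false ? null : substr($rest, 0, $end);
}

// Constructed sample values standing in for $_SERVER["PHP_SELF"]. The second
// one carries the characters needed to close the attribute and start new
// markup; it is a test input, not a real request.
$samples = [
    '/welcome.php',
    '/welcome.php/"><i>injected</i>',
];

foreach ($samples as $path) {
    echo "PHP_SELF = $path\n";
    echo "  unsafe : " . unsafeFormAction($path) . "\n";
    echo "  escaped: " . escapedFormAction($path) . "\n";
}
echo "fixed    : " . fixedFormAction(__FILE__) . "\n";

// Check: after escaping, the attribute value contains no raw quote or angle
// bracket, so the second sample can no longer break out of the attribute.
$escapedAttr = extractAction(escapedFormAction($samples[1]));
if ($escapedAttr === null || strpbrk($escapedAttr, '"<>') !== false) {
    fwrite(STDERR, "escaping failed\n");
    exit(1);
}
echo "escaped attribute is inert: $escapedAttr\n";
```

Run it with `php` on the command line; the "unsafe" line for the second sample prints markup where the attribute has been closed early, while the "escaped" line prints `&quot;&gt;&lt;i&gt;...` inside an intact attribute. Of the two hardened options, the second removes the untrusted input from the output entirely, which is the easier property to review.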