$_SERVER['PHP_SELF'] and $_GET in action attribute

Asked Sep 28 '15 at 11:50

Active Sep 28 '15 at 11:50

Viewed 314 times

Is there any security issues when combining $_SERVER['PHP_SELF'] and $_GET in action form attribute like this:

$id = $_GET['id'];

echo "<form name='name' action='".htmlspecialchars($_SERVER['PHP_SELF']."?id=".urlencode($id), ENT_QUOTES, 'utf-8')."' method='post'></form>";

Is this correct way of using htmlspecialchars and urlencode?

Cheers,

Nikola

asked Sep 28 '15 at 11:50

Nikola Bogdanic

you can post the $id in a hidden field. – NIRANJAN S. Sep 28 '15 at 11:52
possible duplicate of [Sanitizing user's data in GET by PHP](http://stackoverflow.com/questions/1314518/sanitizing-users-data-in-get-by-php) – Machavity Sep 28 '15 at 12:23

$_SERVER['PHP_SELF'] and $_GET in action attribute

0 Answers0