
I normally use the method below whenever I have to submit a form:

<?php
    session_start();
    // my code
?>
<!DOCTYPE HTML>
<html>
<body>
    <form action="<?php echo $_SERVER["PHP_SELF"] ?>" method="post">
    <!-- my code -->
    </form>
</body>
</html>

The reason I'm worrying is whether a user will be able to see my PHP code if I put my whole PHP code in an HTML file that goes directly to the user. Is there a risk that the user will ever be able to see my PHP code?

    See your PHP code? No. `$_SERVER["PHP_SELF"]` can be manipulated to XSS inject your page. See http://stackoverflow.com/questions/6080022/php-self-and-xss – chris85 Jun 03 '16 at 14:39
  • Nope. The user isn't capable of seeing your code, but I do recommend keeping it separate. You'll get that a lot when starting OOP, esp. in an MVC pattern, but don't worry about this much – Slim Shady Jun 03 '16 at 15:08

2 Answers

All `<?php ... ?>` code never leaves your server; it is parsed by the PHP interpreter into raw HTML, so the end user won't see anything server-related.


The user can't see your PHP code, but it is not a good way. Using an empty string is best practice and actually much safer than simply using `$_SERVER['PHP_SELF']`.

When using `$_SERVER['PHP_SELF']` it is really easy to inject malicious data by simply appending `/<script>` after the `every.php` part of the URL, so do not use this method and stop using any PHP tutorials that suggest it.

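To make the point of both answers concrete, here is an added example (not code from the question or the answers) that renders the form tag three ways: the unescaped `PHP_SELF` form from the question, an escaped version, and the empty `action` the second answer recommends. The function names are hypothetical, and the `$hostile` value is a constructed stand-in for what `$_SERVER['PHP_SELF']` contains when extra path info is appended to `/every.php`.

```php
<?php
// Added example, not from the original post. Run with: php example.php
// The request path is simulated so this runs offline without a web server.

// Vulnerable: PHP_SELF (attacker-influenced path info) is copied verbatim
// into an HTML attribute, so a double quote in it closes the attribute.
function form_action_unsafe(string $phpSelf): string {
    return '<form action="' . $phpSelf . '" method="post">';
}

// Mitigation 1: escape for the HTML attribute context. Quotes and angle
// brackets become entities, so the value cannot break out of the attribute.
function form_action_escaped(string $phpSelf): string {
    $safe = htmlspecialchars($phpSelf, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form action="' . $safe . '" method="post">';
}

// Mitigation 2 (what the second answer recommends): omit the path entirely.
// An empty action posts back to the current URL, so nothing request-derived
// is reflected into the markup at all.
function form_action_empty(): string {
    return '<form action="" method="post">';
}

// Simple defender-side check: does the rendered tag still contain a raw
// <script opener? Useful as a unit test for templates.
function reflects_script_tag(string $html): bool {
    return stripos($html, '<script') !== false;
}

// Constructed value: PHP_SELF for a request to /every.php with hostile
// path info appended (the pattern the second answer describes).
$hostile = '/every.php/"><script>alert(1)</script>';

foreach ([
    'unsafe'  => form_action_unsafe($hostile),
    'escaped' => form_action_escaped($hostile),
    'empty'   => form_action_empty(),
] as $label => $html) {
    printf("%-8s reflects <script>: %s\n    %s\n",
        $label, reflects_script_tag($html) ? 'YES' : 'no', $html);
}
```

Only the `unsafe` variant reports `YES`; the escaped output carries the payload as inert `&lt;script&gt;` text, and the empty-action form never touches the request path.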