18

What is the difference between:

$_SERVER['SCRIPT_NAME']

and

$_SERVER['PHP_SELF']

Thank you.

Jim
  • see: http://stackoverflow.com/questions/279966/php-self-vs-path-info-vs-script-name-vs-request-uri – amosrivera Jun 24 '11 at 16:25
  • 1
    You may also want to look into the magic constant `__FILE__` - http://php.net/manual/en/language.constants.predefined.php – dqhendricks Jun 24 '11 at 16:51

2 Answers

12

They should contain the same information. However, historically and technically speaking, there is a difference between the two.

SCRIPT_NAME is defined in the CGI 1.1 specification, and therefore is a standard. This means it should be available no matter what scripting language you're using.

PHP_SELF is implemented directly by PHP, and as long as you're programming in PHP, it will be there.

Michael Irigoyen
  • The name `PHP_SELF` is unique to PHP, but since it is the entire URL path, it is actually a standard defined in IETF, under a different name. –  Dec 18 '15 at 20:52
7

Most of the time it's the same, but $_SERVER['SCRIPT_NAME'] is less spoofable than $_SERVER['PHP_SELF'], so you should use SCRIPT_NAME if you want to reuse that data somewhere on your output.

Check that article on different results obtained.

regilero
  • 1
    you should escape output of dynamic data regardless of how spoofable it is. – knittl Jun 24 '11 at 17:57
  • @knittl: yes, that's right, reusing it without proper escaping would be a security problem, but it would be far more dangerous with an easily spoofable one. – regilero Jun 24 '11 at 20:13
  • 1
    Yes, it is more spoofable, but only because it is the entire URL path (obtained after mod_rewrite). So, it depends what we need. If we need only the SCRIPT_NAME part, then OK, we use that. If we need the entire URL path, we use PHP_SELF and, of course, we should not trust it - it's the URL path. –  Dec 18 '15 at 20:54
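
The difference discussed in the answers and comments above, as an added example that is not part of the original thread: for a request whose URL carries extra path segments after the script, `PHP_SELF` includes those client-chosen segments while `SCRIPT_NAME` stops at the script. The `$server` array holds constructed sample values (typical of Apache with mod_php) and `form_tag()` is a hypothetical helper.

```php
<?php
// Constructed sample values: what PHP typically reports when the client
// requests  /form.php/extra/%22%3E%3Cb%3Ex  (script path plus extra segments).
$server = [
    'SCRIPT_NAME' => '/form.php',               // script path only
    'PATH_INFO'   => '/extra/"><b>x',           // client-chosen, URL-decoded
    'PHP_SELF'    => '/form.php/extra/"><b>x',  // SCRIPT_NAME followed by PATH_INFO
];

// Hypothetical helper: emit a form tag that posts back to $action.
function form_tag(string $action, bool $escape): string
{
    if ($escape) {
        // Encode for an HTML attribute context: quotes and angle brackets
        // become entities, so the value cannot close the attribute.
        $action = htmlspecialchars($action, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
    return '<form method="post" action="' . $action . '">';
}

$cases = [
    'PHP_SELF, unescaped'    => [$server['PHP_SELF'], false],
    'PHP_SELF, escaped'      => [$server['PHP_SELF'], true],
    'SCRIPT_NAME, unescaped' => [$server['SCRIPT_NAME'], false],
    'SCRIPT_NAME, escaped'   => [$server['SCRIPT_NAME'], true],
];

foreach ($cases as $label => [$value, $escape]) {
    $html = form_tag($value, $escape);
    // If the raw sequence survives, the markup left the action attribute.
    $state = strpos($html, '"><b>') === false
        ? 'action attribute intact'
        : 'markup escaped the action attribute';
    printf("%-24s %s\n    -> %s\n", $label, $html, $state);
}
```

Only the unescaped `PHP_SELF` case lets the request path alter the page markup; escaping at output closes that gap for either variable, which is the point made in the comments.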