The code you have should work; it is basically the same as the simple sample code found on multiple sites, however it is susceptible to XSS tampering.
The work-around for this vulnerability is to would be to html-encode the entities within the URL:
<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
References:
1.
Using PHP_SELF in the action field of a form[
^]
2.
PHP 5 Form Validation[
^]