I've looked through around 10 similar questions, but those are more sophisticated cases with if-statements, functions, etc.
I have a problem with just one line of code.

```php
<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
</form>
```


What I have tried:

Enclosing `$_SERVER['PHP_SELF']` in parentheses, replacing double quotes with single ones, removing the closing PHP tag `?>`.
Posted
Updated 7-Aug-19 5:52am

1 solution


Solution 1

The code you have should work; it is basically the same as the simple sample code found on multiple sites, however it is susceptible to XSS tampering.

The work-around for this vulnerability would be to html-encode the entities within the URL:

```php
<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
```

References:
1. Using PHP_SELF in the action field of a form
2. PHP 5 Form Validation
Comments
johngaltisdead 7-Aug-19 12:38pm
@MadMyche, thank you.
I'd also like to ask, is htmlspecialchars the same as htmlentities?
MadMyche 7-Aug-19 12:55pm
No. HtmlSpecialChars is a subset of HtmlEntities and is limited to the most problematic characters

Reference: https://johnmorrisonline.com/prevent-xss-attacks-escape-strings-in-php/
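To make the answer's point and the htmlspecialchars/htmlentities comment concrete, here is an added example that is not part of the original post or of any answer above. It fakes an attacker's request by assigning a constructed path to a local variable (PHP_SELF includes any extra path info the browser appends after the script name), renders the asker's form tag with and without escaping, and shows the quote-handling flags a practitioner needs to get right. The render_form helper and the sample paths are the example's own, not anything from the page.

```php
<?php
// Added example: why an unescaped $_SERVER['PHP_SELF'] in a form action is an
// XSS sink, and what htmlspecialchars() / htmlentities() do with the same input.
// The request paths below are constructed samples, not captured traffic.

declare(strict_types=1);

/**
 * Render the asker's <form> tag, passing PHP_SELF through $escape first.
 * $escape receives the raw path and returns the text placed in the attribute.
 */
function render_form(string $phpSelf, callable $escape): string
{
    return '<form method="post" action="' . $escape($phpSelf) . '"></form>';
}

// Simulated attacker request: the script is /form.php, but the browser asked for
// /form.php/"><script>alert(1)</script><"  -- PHP_SELF carries that trailing path.
$crafted = '/form.php/"><script>alert(1)</script><"';

// 1. The original line: the double quote closes the attribute and the script runs.
$raw = render_form($crafted, fn (string $s): string => $s);

// 2. The answer's fix: htmlspecialchars() turns & < > " (and ' with ENT_QUOTES) into
//    entities, so the payload stays inside the attribute value as inert text.
$safe = render_form(
    $crafted,
    fn (string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8')
);

// 3. Caveat: before PHP 8.1 the default flag set was ENT_COMPAT, which leaves the
//    single quote alone. That matters if the attribute is written as action='...'
//    (one of the things the asker tried): the payload below still breaks out.
$singleQuotePayload = "/form.php/'><script>alert(1)</script><'";
$compat = htmlspecialchars($singleQuotePayload, ENT_COMPAT, 'UTF-8'); // ' survives
$quotes = htmlspecialchars($singleQuotePayload, ENT_QUOTES, 'UTF-8'); // ' becomes &#039;

// 4. htmlspecialchars() vs htmlentities(): identical on the special characters,
//    but htmlentities() also rewrites every character that has a named entity.
$accented = '/form.php/é"';
$special  = htmlspecialchars($accented, ENT_QUOTES, 'UTF-8'); // é kept, " -> &quot;
$entities = htmlentities($accented, ENT_QUOTES, 'UTF-8');     // é -> &eacute;, " -> &quot;

$results = [
    'raw'      => $raw,
    'safe'     => $safe,
    'compat'   => $compat,
    'quotes'   => $quotes,
    'special'  => $special,
    'entities' => $entities,
];
foreach ($results as $label => $html) {
    printf("%-8s %s\n", $label, $html);
}
```

Run it with `php` on the command line and compare the `raw` and `safe` lines: only the first contains a live `<script>` element. For an attribute value, `htmlspecialchars()` with `ENT_QUOTES` is sufficient and keeps the URL readable; `htmlentities()` adds nothing security-wise here, it only encodes more characters. Passing the flags and charset explicitly also removes the dependence on which PHP version sets the defaults.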

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)




CodeProject, 503-250 Ferrand Drive Toronto Ontario, M3C 3G8 Canada +1 416-849-8900 x 100