I've looked through around 10 similar questions, but there are more sophisticated cases with if-statements, functions, etc.
I have a problem with just one line of code.

<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">

What I have tried:

In parentheses, replacing double quotes with single ones, removing the end php tag
Updated 7-Aug-19 5:52am

1 solution

The code you have should work; it is basically the same as the simple sample code found on multiple sites. However, it is susceptible to XSS tampering.

The work-around for this vulnerability would be to html-encode the entities within the URL:
<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">

1. Using PHP_SELF in the action field of a form
2. PHP 5 Form Validation
johngaltisdead 7-Aug-19 12:38pm
@MadMyche, thank you.
I'd also like to ask, is htmlspecialchars the same as htmlentities?
MadMyche 7-Aug-19 12:55pm
No. HtmlSpecialChars is a subset of HtmlEntities and is limited to the most problematic characters.
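A CLI comparison of the raw and encoded action attribute, plus the htmlspecialchars/htmlentities difference asked about above, as an added example that is not from the question or the answer. The PHP_SELF value is constructed in the script rather than read from a request, so it runs without a web server; the function name renderFormAction is my own.

```php
<?php
// Added example (not the question's or answer's code). Shows why the raw
// $_SERVER['PHP_SELF'] value must not be echoed into an attribute unencoded,
// and what htmlspecialchars() vs htmlentities() actually change.

// Build the form tag's action attribute either raw or HTML-encoded.
// ENT_QUOTES also encodes single quotes, so the result is safe inside
// single-quoted attributes too; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string.
function renderFormAction(string $phpSelf, bool $encode): string
{
    $value = $encode
        ? htmlspecialchars($phpSelf, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        : $phpSelf;
    return '<form method="post" action="' . $value . '">';
}

// Constructed value standing in for $_SERVER['PHP_SELF']. Any path info a
// client appends after the script name is carried into PHP_SELF verbatim,
// so a quote and markup can end up in the attribute.
$phpSelf = '/form.php/"extra<b>path</b>';

echo "Raw:     ", renderFormAction($phpSelf, false), "\n";
echo "Encoded: ", renderFormAction($phpSelf, true), "\n";

// htmlspecialchars() converts only & " ' < > .
// htmlentities() additionally converts every character that has a named
// HTML entity, so accented letters change while the markup-relevant
// characters are handled the same way by both.
$sample = 'café <b>"x"</b>';
echo "htmlspecialchars: ", htmlspecialchars($sample, ENT_QUOTES, 'UTF-8'), "\n";
echo "htmlentities:     ", htmlentities($sample, ENT_QUOTES, 'UTF-8'), "\n";
```

In the raw line the quote closes the attribute early and the tag text is left as live markup; in the encoded line it stays inside the attribute as &quot;, &lt; and &gt;. A fixed path or an empty action="" avoids echoing request data into the attribute at all.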


This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)
