Doubt regarding form submission

[rocky_88]

I'm not sure if this is exactly a coding help question, excuse me if its not.

 

I want to know what is the best & secure way to submit a form to itself.

I've tried to google the answer, but did not get a proper answer with explanation or may be I didnt use proper keywords to search it.

 

Out of these which one do i use?

 

// Leave the action field empty.

<form method="POST" action="">

//$PHP_SELF, also if i use echo $PHP_SELF my form does not work like it should.

<form method="POST" action="<?$PHP_SELF?>">

//$_SERVER['PHP_SELF'], same problem as $PHP_SELF, it doesnt work if i use echo.
<form method="POST" action="<?$_SERVER['PHP_SELF']?>">

[JKG]

you need to echo

<form method="POST" name="form1" action="<?php echo $_SERVER['PHP_SELF']; ?>">

 

[rocky_88]

@JKG

 

Thank you for replying,

if I echo $_SERVER['PHP_SELF']; I get an error when i submit my form.

If I do not echo it or remove the action attribute, it works just fine.

 

As i've read, $_SERVER['PHP_SELF'] gets the current file name and then we echo it into the action.

But I do not want that as I can manually type the file name into the action field.

The URL of my page contains the file name followed by a variable with value. Using that variable value from the URL my page displays data onto the page. So as soon as I submit the form, the variable from the URL is removed(replaced by the file name ONLY) which causes the error.This is the reason i get an error if I echo $_SERVER['PHP_SELF'];

 

So I wanted to know if it is safe to exclude the action attribute of the form? Is it the right way of doing it in my case?

[JKG]

oh i see.

what is your url, you might want to use request_uri if you are using modrewrite or url parameters.

 

leaving the action blank just uses current page, i dont think there is anything wrong with that particularly, but i always prefer to define the action script/page.

[rocky_88]

@JKG

 

Well i have a table which contains 4 fields. Id, username, name & age.

On the web page the id value is appended to the link which opens a new page containing user details.

I'm using that id from the link to display data onto the new page.

But it looks like I am logically wrong somewhere as i'm getting too many errors.

 

Leaving form action empty doesnt cause any security issue right?

Like vulnerability to XSS in the case of $_SERVER['PHP_SELF'];?

[fugix]

There are tential security risks from using php_self. I recommend using action='#' instead. Does the same thing without the security risks

[rocky_88]

@fugix

 

Thank you for replying,

So is it ideal to set the form action="#" if the form has to be submitted onto the same page regardless of my case here?

Coz all my form submit onto the same page before navigating to another.

[fugix]

then you would use action='#' yes

[rocky_88]

@fugix

 

Thanks for the solution and confirmation.

 

@JKG

 

Thanks for the assist.

[fugix]

glad we could help

[cyberRobot]

I usually use the actual file name in the action attribute. So if the form page is called "myform.php", I'll use action="myform.php".

 

I've heard there are security issues with setting the action tag to be blank or "#", but I haven't seen anything on what those security risks are. I suppose it has something to do with the GET variables being included in the action attribute.

 

In other words, if you call the form as:

www.mywebsite.com/myform.php?id=1

 

The action attribute would be set to:

action="myform.php?id=1"

 

If register globals is turned on, there could be an issue with GET data interfering with POST data.

[fugix]

if you are using am action dynamically then yes you would use the actually file name, if not then # will suffice

[cyberRobot]

Ok, it turns out that the GET variables are only carried through if you leave the action attribute blank.