Eiolon Posted July 9, 2011 In my form tag, I have been leaving the action field blank, which I read is not good. I read from one source that putting a # symbol in its place would be good, then I read the contrary elsewhere. What would be a good value to place in my action field? All my PHP processing is done on the same page so I do not link to a separate page.
Xtremer360 Posted July 9, 2011 As far as I know you can just put the name of the file as the action tag value or you can do action="<?php echo $_SERVER['PHP_SELF']; ?>". I hope that helps.
QuickOldCar Posted July 9, 2011 $_SERVER['PHP_SELF'] is not good to use as this can leave an XSS attack open. htmlentities($_SERVER['PHP_SELF']) can avoid attacks but looks ugly. Filter the variable: filter_var($_SERVER['PHP_SELF'], FILTER_SANITIZE_STRING); It's best to just input the form's name or leave it blank. It's also important to sanitize the POST, GET, REQUEST, SERVER and so on values; never trust user input. Before any MySQL statement you should sanitize them: http://php.net/manual/en/function.mysql-real-escape-string.php If it is always a number, make sure they use a number: http://www.php.net/manual/en/function.is-numeric.php
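As an added illustration of the point made above about $_SERVER['PHP_SELF'] (example code written for this page, not posted by anyone in the thread), the script below builds the same form tag three ways: with the raw value, with the value escaped for an attribute context, and with a fixed action derived from the script name. The request values are constructed in the script so it runs offline; it uses htmlspecialchars() with ENT_QUOTES rather than htmlentities(), which is an equally valid choice for this purpose.

```php
<?php
// Added example (not from the thread). Shows why an unescaped
// $_SERVER['PHP_SELF'] is unsafe in a form action and two ways to avoid it.

/**
 * Return a value safe to place inside a double-quoted HTML attribute.
 * ENT_QUOTES encodes both quote characters as well as < > &, so path data
 * supplied by the client cannot terminate the attribute or start a tag.
 */
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Preferred option for a self-posting form: ignore PHP_SELF entirely and
 * use the script's own file name, which the client cannot influence.
 */
function self_action(): string
{
    return attr(basename($_SERVER['SCRIPT_NAME']));
}

// Constructed request (assumption, for demonstration): extra path segments
// appended to the URL are carried through into PHP_SELF by the web server.
$_SERVER['SCRIPT_NAME'] = '/contact.php';
$_SERVER['PHP_SELF']    = '/contact.php/"><i>injected</i>';

// Unsafe: the double quote inside PHP_SELF closes the attribute and the
// remainder of the value is rendered by the browser as markup.
$unsafe = '<form method="post" action="' . $_SERVER['PHP_SELF'] . '">';

// Escaped: the same value is now inert attribute text.
$escaped = '<form method="post" action="' . attr($_SERVER['PHP_SELF']) . '">';

// Fixed: the action no longer depends on anything the client sent.
$fixed = '<form method="post" action="' . self_action() . '">';

echo "Unsafe:  $unsafe\n";
echo "Escaped: $escaped\n";
echo "Fixed:   $fixed\n";
```

Run it from the command line to compare the three lines; only the first one contains a closing quote and a tag that the browser would honour.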
Xtremer360 Posted July 9, 2011 That's a good point. Thanks for my correction.
Eiolon Posted July 9, 2011 Author Thanks for the info. It's interesting to see that I should also use mysql_real_escape_string when I just SELECT data. I had only been using it when inserting or updating the data.
Xtremer360 Posted July 9, 2011 The reason for that, I believe, is just in case there was any input at any time that got into the db that you didn't know about that could be harmful; you want to go ahead and escape it anyway.