$_server[php_self]

[batstanggt]

Which is more secure htmlentities($_server[php_self] ) or just having the action attribute of a form link to an external .php page?

-SB

[phpSensei]

It doesn't really matter, if either page has a security hole, it doesn't matter what page it sends its information to.

[batstanggt]

True. But doesnt having the whole script on one single page basically just put it all out there on a silver platter lol?

-SB

[phpSensei]

Hi there,

 

PHP runs on the server side, so the user can't see the code, so I don't see a problem here.

[MasterACE14]

better off having the action field empty ''  instead of using $_SERVER['PHP_SELF'];

 

why not to use PHP_SELF

[phpSensei]

better off having the action field empty ''  instead of using $_SERVER['PHP_SELF'];

 

why not to use PHP_SELF

 

The PHP_SELF element can in fact be altered by the user to include any kind of malicious XSS code he/she desires

 

What an exagerated statement...

 

You can simply filter the element.

[MasterACE14]

don't even need it at all is the point. Save some processing time.

[Alex]

better off having the action field empty ''  instead of using $_SERVER['PHP_SELF'];

 

why not to use PHP_SELF

 

The PHP_SELF element can in fact be altered by the user to include any kind of malicious XSS code he/she desires

 

What an exagerated statement...

 

You can simply filter the element.

 

That's not exaggerated at all. It can be altered to include any malicious XSS code. Whether or not you sanitize it is a irrelevant, the statement says nothing about that. The whole point of it anyway is that people don't sanitize it and use it on form actions. Just leave it blank.