NotionCommotion Posted December 11, 2014 Share Posted December 11, 2014 I've heard multiple recommendations when a form needs to post to itself. Some say use PHP_SELF, others say leave it blank (even though it doesn't validate), etc. Please provide the best practice, and reasons why. Thank you echo("<form method='post' action='{$_SERVER['PHP_SELF']}'>"); echo("<form method='post' action=''>"); Quote Link to comment Share on other sites More sharing options...
cyberRobot Posted December 11, 2014 Share Posted December 11, 2014 Using the raw value from PHP_SELF makes the form susceptible to XSS attacks. More information can be found here: http://seancoates.com/blogs/xss-woes To avoid this and still have the form direct the information back to itself, you can leave the action attribute blank. I tried validating a form with the action attribute blank and it passed. Have you tried validating your form here: http://validator.w3.org/ If you don't want to leave the action attribute blank, you could also use your script's name. For example: <form method="post" action="my-form-script.php"> Quote Link to comment Share on other sites More sharing options...
CroNiX Posted December 11, 2014 Share Posted December 11, 2014 If you leave the form action totally off (not just blank) it will also submit to itself. <form method="post"> Quote Link to comment Share on other sites More sharing options...
NotionCommotion Posted December 11, 2014 Author Share Posted December 11, 2014 To avoid this and still have the form direct the information back to itself, you can leave the action attribute blank. I tried validating a form with the action attribute blank and it passed. Have you tried validating your form here:http://validator.w3.org/ Yes, this is what I get. You get something different? Line 7, Column 38: Bad value for attribute action on element form: Must be non-empty. <form method='post' action=''> Syntax of URL: Any URL. For example: /hello, #canvas, or http://example.org/. Characters should be represented in NFC and spaces should be escaped as %20. <!DOCTYPE html> <html> <head> <title>xxx</title> </head> <body> <form method='post' action=''> <input type='submit' value='Save'> </form> </body> </html> Quote Link to comment Share on other sites More sharing options...
NotionCommotion Posted December 11, 2014 Author Share Posted December 11, 2014 (edited) If you leave the form action totally off (not just blank) it will also submit to itself. <form method="post"> And it validates Edited December 11, 2014 by NotionCommotion Quote Link to comment Share on other sites More sharing options...
NotionCommotion Posted December 11, 2014 Author Share Posted December 11, 2014 So, it the best approach to not include the action attribute? Quote Link to comment Share on other sites More sharing options...
Tom8001 Posted December 11, 2014 Share Posted December 11, 2014 I usually just do <html> <head><title>#</title></head> <body> <div id="form"> <form action='' method='POST'> <td><b>Text:</b><input type='text'></td> </form> </div> </body> </html> Idk something like that i have always left it blank unless you want another page to process it & i have never had a problem. Quote Link to comment Share on other sites More sharing options...
cyberRobot Posted December 11, 2014 Share Posted December 11, 2014 And it validates Hmm...I guess it's a DOCTYPE thing. I mostly use the XHTML DOCTYPE and the empty action attribute validates. Leaving the attribute off altogether, however, doesn't validate. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.