phppup Posted August 7, 2023 Share Posted August 7, 2023 Are these two pieces of code equal in risk? <form method="post" action="<?php echo $_SERVER["PHP_SELF"];?>"> and <form method="post" action=""> Do they perform the same action? Are both vulnerable? Best practice to minimize vulnerability? Will using prepared statements nullify a hacking attempt? I was doing some reading and thought I'd ask the experts here. Quote Link to comment https://forums.phpfreaks.com/topic/317164-a-question-about-_serverphp_self/ Share on other sites More sharing options...
Barand Posted August 7, 2023 Share Posted August 7, 2023 Best to use the third version... <form method="post"> PHP_SELF is vulnerable. Prepared statements protect against SQL injection attacks. There are still other types out there. 1 Quote Link to comment https://forums.phpfreaks.com/topic/317164-a-question-about-_serverphp_self/#findComment-1610976 Share on other sites More sharing options...
phppup Posted August 7, 2023 Author Share Posted August 7, 2023 So <form method="post"> will default to a SELF process that is slightly safer than the aforementioned? Quote Link to comment https://forums.phpfreaks.com/topic/317164-a-question-about-_serverphp_self/#findComment-1610977 Share on other sites More sharing options...
maxxd Posted August 8, 2023 Share Posted August 8, 2023 Omitting the action attribute from a form tag is the current best practice, yes. As far as data/form security goes, it takes more than just that - it takes things like using a nonce and validating and sanitizing any user-submitted data before you do anything with it. Even then, you'll need to use prepared statements for any database interactions that involve said user-submitted data. Quote Link to comment https://forums.phpfreaks.com/topic/317164-a-question-about-_serverphp_self/#findComment-1610980 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.