In a form on a PHP page, you can use:

<form action="<?php echo $_SERVER['PHP_SELF']; ?>" ...>

OR

<form action="#" ...>

OR

<form action="" ...>

OR

<form ...>

in the action attribute of the form. No action attribute means it will call its own self URL. Since echo $_SERVER['PHP_SELF'] does not pass variables for using GET and you have to use "", why would you use that or "#"?

I'm asking because it took me some time to figure out that the variables are not passed with $_SERVER['PHP_SELF'].

Thanks.

php form 
3 Answers

The action attribute will default to the current URL. 

It is the most reliable and easiest way to say "submit the form to the same place it came from".

There is no reason to use $_SERVER['PHP_SELF'], and # doesn't submit the form at all (unless there is a submit event handler attached that handles the submission).

answered Dec 02


Hey there! OK, you're making me very nervous having me get rid of the print completely and replace it with the echo but I'll try eeek, lol.

Looks like that helped a little. Now I'm getting the same error but for this line. The first email variable that the form is supposed to send to.

$mailto = 'anemailaddress'

Is it trying to tell me I'm supposed to be putting my $_POST['anemailaddress'] directly into the form itself, instead of how I have it like this?

$mailto = 'anemailaddress'

If so, how, like this?
<input style='type='text' name='$_POST['anemailaddress']' size=15>

Or does the error mean something else.

answered Dec 30


PHP $_SERVER variables are not safe for use in forms, links

A common security mistake I see WordPress plugin authors (and PHP coders in general) make is using $_SERVER['PHP_SELF'] or $_SERVER['REQUEST_URI'] as the action of a form or part of an anchor’s href attribute. This is not safe to do, and opens your code up to XSS (cross-site scripting) exploits.

Common example:

<form action="<?php echo $_SERVER['PHP_SELF']; ?>">

Another example:

<a href="<?php echo $_SERVER['PHP_SELF']; ?>?foo=bar">link title</a>

Here are my two rules regarding $_SERVER['PHP_SELF'] or $_SERVER['REQUEST_URI'] in forms:

  • Do not use them
  • If you use one of them, escape it with esc_url()

Most uses of $_SERVER['PHP_SELF'] and $_SERVER['REQUEST_URI'] are in HTML forms. If you want the action attribute to point to the current URL, leave it blank. URI references that are blank point to the current resource.

<form action="">

If you do want to specify the action (and there are good reasons for wanting to do that, such as stripping the query string from the current URL), you must run it through esc_url().

<form action="<?php echo esc_url( $_SERVER['PHP_SELF'] ); ?>">

The same applies to links… run the href attribute through esc_url().

<a href="<?php echo esc_url( $_SERVER['PHP_SELF'] . '?foo=bar' ); ?>">link title</a>

A quick search through the WordPress Plugin Directory showed that this problem is far too common.

Updates:

Examples of URLs that could exploit this for double-quoted actions:

script.php/"%20onmouseover='alert(document.cookie)'

And single-quoted actions:

script.php/'%20onmouseover='alert(document.cookie)'

No, just using a plain old htmlentities() wrapper is not going to help! That’s still vulnerable to XSS in certain situations. If you’re not using WordPress, you should copy the WordPress escaping functions (just remove the apply_filters() portions).

If you are using the base tag, Safari will apply that base to the blank action attribute. So if you use the base tag (I never do), a blank action isn’t going to be for you. Use what you’ve been using, but escape it.

Lester Chan has a handy snippet for the form action of WordPress plugin settings pages:

<form action="<?php echo admin_url( 'admin.php?page=' . plugin_basename( __FILE__ ) ); ?>">

admin_url() takes care of escaping for you, and is an easy way to create a full WP admin URL from a wp-admin-relative URL.

answered Dec 30
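The following is an added example and not code from the answer above or from WordPress. It replays the two payload URLs quoted in the answer against three ways of building the form action, from the command line with constructed $_SERVER values (no web server), and uses DOMDocument to check whether the payload actually escaped the action attribute. In place of WordPress' esc_url() it uses plain htmlspecialchars() with ENT_QUOTES and builds the URL from SCRIPT_NAME, which does not carry the attacker-controlled PATH_INFO that PHP_SELF does; the request values and the `page=2` query string are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not from the answer or WordPress. Simulates the PHP_SELF XSS
// from the CLI: $_SERVER values below are constructed, not a real request.

libxml_use_internal_errors(true);

// The two payloads from the answer, URL-decoded the way PHP exposes them in
// PATH_INFO. PHP_SELF is SCRIPT_NAME followed by this attacker-controlled suffix.
const PAYLOADS = [
    'double' => '/" onmouseover=\'alert(document.cookie)\'',
    'single' => "/' onmouseover='alert(document.cookie)'",
];

function fake_request(string $path_info): void {
    $_SERVER['SCRIPT_NAME']  = '/script.php';
    $_SERVER['PATH_INFO']    = $path_info;
    $_SERVER['PHP_SELF']     = $_SERVER['SCRIPT_NAME'] . $path_info;
    $_SERVER['QUERY_STRING'] = 'page=2';   // constructed; would be dropped by PHP_SELF
}

// 1. Vulnerable: PHP_SELF echoed straight into the attribute ($q is the quote style).
function action_unescaped(string $q): string {
    return "<form action={$q}{$_SERVER['PHP_SELF']}{$q} method={$q}post{$q}></form>";
}

// 2. Half fix: htmlentities() with ENT_COMPAT (the default before PHP 8.1) encodes
//    " but not ', so a single-quoted attribute is still exploitable.
function action_htmlentities_compat(string $q): string {
    $v = htmlentities($_SERVER['PHP_SELF'], ENT_COMPAT, 'UTF-8');
    return "<form action={$q}{$v}{$q} method={$q}post{$q}></form>";
}

// 3. Hardened: build the URL from SCRIPT_NAME (no PATH_INFO) plus the current
//    query string, then encode both quote characters. Keeps ?page=2, which a bare
//    PHP_SELF would lose, without trusting a user-controlled path segment.
function action_hardened(string $q): string {
    $url = $_SERVER['SCRIPT_NAME'];
    if (($_SERVER['QUERY_STRING'] ?? '') !== '') {
        $url .= '?' . $_SERVER['QUERY_STRING'];
    }
    $v = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<form action={$q}{$v}{$q} method={$q}post{$q}></form>";
}

// Parse the markup the way a browser would and report whether the <form> ended
// up with an onmouseover attribute, i.e. the payload broke out of action="...".
function injected(string $html): bool {
    $dom = new DOMDocument();
    $dom->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    $form = $dom->getElementsByTagName('form')->item(0);
    return $form !== null && $form->hasAttribute('onmouseover');
}

foreach (PAYLOADS as $style => $path_info) {
    fake_request($path_info);
    $q = $style === 'double' ? '"' : "'";
    printf("%-6s unescaped:  %s\n", $style, injected(action_unescaped($q)) ? 'XSS' : 'ok');
    printf("%-6s ENT_COMPAT: %s\n", $style, injected(action_htmlentities_compat($q)) ? 'XSS' : 'ok');
    printf("%-6s hardened:   %s\n", $style, injected(action_hardened($q)) ? 'XSS' : 'ok');
}
```

Run with `php example.php`. The unescaped form is injectable with both payloads, the ENT_COMPAT variant only with the single-quote payload (the "certain situations" the answer alludes to), and the hardened variant with neither. In WordPress, esc_url() covers the escaping step; outside it, always pass ENT_QUOTES and prefer SCRIPT_NAME over PHP_SELF when you need the script path.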

