ryan14
12-13-2009, 08:22 AM
I have a php form and each of these codes work for the action part of the form:
action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']) ?>"
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']);?>"
The difference is at the Start of the form and near the end of the form. Both codes allow me to submit the form.
Which is correct and more secure?
P.S
The htmlspecialchars is meant to protect me from some kind of XSS attack.
Btcc22
12-13-2009, 08:57 AM
The first isn't valid HTML and the PHP isn't finished with a semicolon, strictly speaking.
Go with the second, although I should point out that htmlspecialchars isn't complete protection. ;)
TonyB
12-13-2009, 01:27 PM
I don't believe it matters where you put the <form action="..."> portion. You could do <form method="post" action="..."> or <form action="..." method="post">
Also, by the way, I don't believe the htmlspecialchars is necessary for the PHP_SELF. That's populated by PHP; it's where the script execution came from previously. I'd compare that to doing it on $_SERVER['SERVER_NAME'], which is just the server name. Unless I'm mistaken.
ryan14
12-13-2009, 09:14 PM
Ok can someone tell me if this Form is valid PHP and valid HTML and secure:
<form id="form1" name="form1" method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']) ?>"
<table>
<tr>
<td>User : </td>
<td><input name="username" type="text" id="username" /></td>
</tr>
<tr>
<td>Password : </td>
<td><input name="password" type="password" id="password" /></td>
</tr>
</table>
<input name="Login" type="submit" id="Login" value="Login" />
</form>
If it's not, can you improve it for me and tell me what changes you made?
Btcc22
12-13-2009, 09:22 PM
Hi,
As I said in my previous post, htmlspecialchars won't fully cover you, but I guess it's a moot point since as TonyB pointed out, there isn't really any reason to be using it on PHP_SELF since it's not user input.
The form will work fine though, yes. :)
mattle
12-14-2009, 12:55 PM
htmlspecialchars won't fully cover you
Against what, exactly? That's the second time you've mentioned this, but you've never stated what you feel is the deficiency in the htmlspecialchars() function...
@ryan14
<form id="form1" name="form1" method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']) ?>"
Check it out...you're missing the closing '>' for your form tag.
<form id="form1" name="form1" method="post"
action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']) ?>">
Btcc22
12-14-2009, 03:59 PM
Against what, exactly? That's the second time you've mentioned this, but you've never stated what you feel is the deficiency in the htmlspecialchars() function...
I was pointing out that htmlspecialchars() isn't a foolproof way of protecting against (UTF-7) XSS attacks, since he mentioned them. I don't know anything about his charset though. ;)
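A hardened version of the form's action attribute, added here as an example and not code from any of the posters: it declares the response charset (which is what closes the UTF-7 gap Btcc22 raises) and escapes PHP_SELF, which PHP builds from the script path plus any PATH_INFO taken from the request URL, so it is request-controlled even though PHP populates it. The helper names send_html_headers(), attr(), form_action() and render_form() and the sample values are assumptions.

```php
<?php
// Added example, not code from the thread. Helper names are hypothetical.
// PHP_SELF = script path + PATH_INFO from the request URL, so it must be
// escaped like any other request-controlled value placed in an attribute.

// Declare the charset explicitly so the browser cannot sniff a different
// one (such as UTF-7) and decode the escaped characters differently.
function send_html_headers(): void {
    header('Content-Type: text/html; charset=UTF-8');
}

// Escape a value for use inside a single- or double-quoted HTML attribute.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of returning an empty string.
function attr(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build the escaped action attribute value from PHP_SELF.
function form_action(string $phpSelf): string {
    return attr($phpSelf);
}

// Render the login form from the thread with a properly closed <form> tag.
function render_form(string $phpSelf): string {
    return '<form id="form1" name="form1" method="post" action="'
        . form_action($phpSelf) . '">'
        . '<table><tr><td>User : </td>'
        . '<td><input name="username" type="text" id="username" /></td></tr>'
        . '<tr><td>Password : </td>'
        . '<td><input name="password" type="password" id="password" /></td></tr>'
        . '</table>'
        . '<input name="Login" type="submit" id="Login" value="Login" />'
        . '</form>';
}

// Constructed sample PHP_SELF values: a plain script path, and one carrying
// PATH_INFO with characters that would otherwise terminate the attribute.
$samples = [
    '/login.php',
    '/login.php/"><i>path-info</i>',
];

send_html_headers();
foreach ($samples as $s) {
    echo render_form($s), "\n";
}
```

Run it from the command line or under a web server; in the second sample the quote and angle brackets come out as entities, so the attribute stays closed where the template closes it.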
mattle
12-15-2009, 09:40 AM
I was pointing out that htmlspecialchars() isn't a foolproof way of protecting against (UTF-7) XSS attacks, since he mentioned them. I don't know anything about his charset though. ;)
Gotcha...overlooked the OP's postscript initially...