* Richard Davey <rich@xxxxxxxxxxxxxxxx>:
> Hello Ross,
>
> Thursday, July 14, 2005, 11:11:25 AM, you wrote:
>
> R> Just a quick thing that is bugging me. In some of my older
> R> textbooks a form is returned to the same page by using
>
> R> echo $PHP_SELF not just $PHP_SELF
>
> R> is this just used in older versions of php?? Does it make a
> R> difference what one is used?
>
> PHP_SELF is part of the $_SERVER super global, you should really
> access it like this:
>
> $_SERVER['PHP_SELF']
>
> To answer your question though, it's just a variable - if you want to
> output it into your form action then you can do either:
>
> <? echo $_SERVER['PHP_SELF'] ?> or <?=$_SERVER['PHP_SELF']?>
>
> Either would work.

Actually, to be truly portable, it should be:

    <?php echo $_SERVER['PHP_SELF']; ?>

Not all hosts have short tags enabled in their PHP installations.

Additionally, you have to be careful with PHP_SELF. On web servers that
allow PATH_INFO -- i.e., arguments to the script in the form of path
information, like '/path/to/script.php/more/path/info' -- PHP_SELF will
contain the path to the script PLUS the contents of
$_SERVER['PATH_INFO'] -- which leaves PHP_SELF vulnerable to cross-site
scripting attacks. For some discussion on this, see:

    http://blog.phpdoc.info/archives/13-XSS-Woes.html

If you're using Apache, the safer bet is to use $_SERVER['SCRIPT_NAME'];
otherwise, use PHP_SELF, but filter it to exclude the path information.

--
Matthew Weier O'Phinney
Zend Certified Engineer
http://weierophinney.net/matthew/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
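
The filtering described in the reply above, as an added example that is not part of the original thread: the unfiltered PHP_SELF form action next to one built from SCRIPT_NAME, with a fallback that strips PATH_INFO from PHP_SELF. The helper name safe_form_action() and the sample $_SERVER values are assumptions constructed for illustration; escaping the value with htmlspecialchars() on output is an extra step beyond what the reply mentions.

```php
<?php
// Added example. safe_form_action() is a hypothetical helper name.

/**
 * Return the script path with any trailing PATH_INFO removed.
 */
function safe_form_action(array $server): string
{
    // SCRIPT_NAME holds only the script path, without extra path info.
    if (!empty($server['SCRIPT_NAME'])) {
        return $server['SCRIPT_NAME'];
    }
    $self = $server['PHP_SELF'] ?? '';
    $info = $server['PATH_INFO'] ?? '';
    // Fallback: cut PATH_INFO off the end of PHP_SELF when it is there.
    if ($info !== '' && substr($self, -strlen($info)) === $info) {
        $self = substr($self, 0, -strlen($info));
    }
    return $self;
}

/** Escape a value for use inside a double-quoted HTML attribute. */
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed values, as a server might set them for a request to
// /form.php followed by extra path info containing markup.
$server = [
    'PHP_SELF'    => '/form.php/"><b>injected</b>',
    'PATH_INFO'   => '/"><b>injected</b>',
    'SCRIPT_NAME' => '/form.php',
];

// Unfiltered: the path info closes the attribute and adds markup.
echo '<form action="' . $server['PHP_SELF'] . '">', "\n";

// Filtered and escaped: only the script path reaches the page.
echo '<form action="' . attr(safe_form_action($server)) . '">', "\n";

// Same request on a server that does not provide SCRIPT_NAME.
unset($server['SCRIPT_NAME']);
echo '<form action="' . attr(safe_form_action($server)) . '">', "\n";
```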