Written by Leif Stenfeldt. Posted in PHP, Programmering

Do not use any of the suggested versions of PHP_SELF. It is a security nightmare that opens your PHP code up to a multitude of possible injection attacks.

What are you trying to achieve? Generating the URL for a form that submits to itself? Use action="" for that: it is a valid approach, and the form will always be sent to the same URL it was loaded from.

If you must know the requested script, use $_SERVER['SCRIPT_NAME'] instead.

Or $_SERVER['PHP_SELF'], not $PHP_SELF. See the docs
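
The two recommendations above (action="" and SCRIPT_NAME) next to the PHP_SELF pattern, as an added example that is not code from the original post. The function names, the /form.php path and the request values are constructed for illustration, and the HTML-escaping of SCRIPT_NAME is an extra precaution added here.

```php
<?php
declare(strict_types=1);

// Constructed request data for /form.php/"><i>injected</i> (not from the post).
// PHP_SELF carries the client-supplied trailing path; SCRIPT_NAME does not.
$server = [
    'SCRIPT_NAME' => '/form.php',
    'PHP_SELF'    => '/form.php/"><i>injected</i>',
];

// The pattern the post warns against: request-derived text echoed raw.
function form_php_self(array $server): string
{
    return '<form method="post" action="' . $server['PHP_SELF'] . '">';
}

// First recommendation: empty action, the browser posts back to the current URL.
function form_empty_action(): string
{
    return '<form method="post" action="">';
}

// Second recommendation: SCRIPT_NAME, still HTML-escaped for the attribute.
function form_script_name(array $server): string
{
    $action = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $action . '">';
}

// True when the tag holds only the attributes we wrote, i.e. nothing from
// the request ended the action value early.
function action_is_contained(string $tag): bool
{
    return preg_match('/^<form method="post" action="[^"<>]*">$/', $tag) === 1;
}

foreach ([
    'PHP_SELF'    => form_php_self($server),
    'action=""'   => form_empty_action(),
    'SCRIPT_NAME' => form_script_name($server),
] as $label => $tag) {
    $state = action_is_contained($tag) ? 'contained' : 'BROKEN';
    printf("%-12s %-9s %s\n", $label, $state, $tag);
}
```

Run with the PHP CLI: only the PHP_SELF variant is reported as BROKEN, because the trailing path from the request ends up inside the generated tag.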

