[Solved]call to $_SERVER['PHP_SELF']; error

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
User avatar
evilchris2003
Forum Contributor
Posts: 106
Joined: Sun Nov 12, 2006 6:43 am
Location: Derby, UK

[Solved]call to $_SERVER['PHP_SELF']; error

Post by evilchris2003 »

Hi im trying to get an update user details form to post to itself using

Code: Select all

<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
which works on my registration page but on this page it posts and mozilla comes up with the cannot find server error

the URL in the address bar is http://updateacct.php/

I know I can use the file name is there any advantage to using the $_SERVER way ?
Last edited by evilchris2003 on Mon Dec 04, 2006 10:53 am, edited 1 time in total.
timclaason
Forum Commoner
Posts: 77
Joined: Tue Dec 16, 2003 9:06 am
Location: WI

php_self

Post by timclaason »

What if you did:

Code: Select all

<form action="<?=$PHP_SELF?>" method="post">
I find the $_SERVER[] and $PHP_SELF equivalent. Not sure if anyone is categorically opposed to this, though.

This will only work if you're on >=4.3.0.

I find it better to use the $_SERVER[] variables instead of pagenames because your page name may change or you may end up moving code to different pages.

I do run into trouble with $_SERVER variables when calling methods within a class, so if I'm doing a HTML form in the class (which is something I try to avoid), I'll use the pagename (unless I feel whacky enough to add another argument to the method, which defines the pagename). Sorry for the tangent, there.
Last edited by timclaason on Mon Dec 04, 2006 10:53 am, edited 1 time in total.
User avatar
evilchris2003
Forum Contributor
Posts: 106
Joined: Sun Nov 12, 2006 6:43 am
Location: Derby, UK

Post by evilchris2003 »

that works thanks

fortunatly my host is on 4.4.2 :D
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Just so you know, PHP_SELF contains user submitted input, therefore can be used to inject code into any page that uses it. In this particular case you could use "#" instead for the exact same effect without the security hole.
User avatar
evilchris2003
Forum Contributor
Posts: 106
Joined: Sun Nov 12, 2006 6:43 am
Location: Derby, UK

Post by evilchris2003 »

thanks feyd ill switch it
User avatar
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Re: php_self

Post by RobertGonzalez »

timclaason wrote:What if you did:

Code: Select all

<form action="<?=$PHP_SELF?>" method="post">
I find the $_SERVER[] and $PHP_SELF equivalent. Not sure if anyone is categorically opposed to this, though.

This will only work if you're on >=4.3.0.

I find it better to use the $_SERVER[] variables instead of pagenames because your page name may change or you may end up moving code to different pages.

I do run into trouble with $_SERVER variables when calling methods within a class, so if I'm doing a HTML form in the class (which is something I try to avoid), I'll use the pagename (unless I feel whacky enough to add another argument to the method, which defines the pagename). Sorry for the tangent, there.
Yes, I am categorically opposed to USING $PHP_SELF and <?=$PHP_SELF?> as this implies register_globals is on and that short_tags are also on. This will invariable cause your apps to croak in future versions of PHP that will not support register globals or short tags.

A very good way of posting back is to use basename($_SERVER['SCRIPT_FILENAME']).
Post Reply