
[Solved] call to $_SERVER['PHP_SELF']; error

Posted: Mon Dec 04, 2006 10:42 am
by evilchris2003
Hi, I'm trying to get an update user details form to post to itself using

Code:

<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">

which works on my registration page, but on this page it posts and Mozilla comes up with the cannot find server error.

The URL in the address bar is http://updateacct.php/

I know I can use the file name; is there any advantage to using the $_SERVER way?

php_self

Posted: Mon Dec 04, 2006 10:48 am
by timclaason
What if you did:

Code:

<form action="<?=$PHP_SELF?>" method="post">

I find the $_SERVER[] and $PHP_SELF equivalent. Not sure if anyone is categorically opposed to this, though.

This will only work if you're on >=4.3.0.

I find it better to use the $_SERVER[] variables instead of pagenames because your page name may change or you may end up moving code to different pages.

I do run into trouble with $_SERVER variables when calling methods within a class, so if I'm doing an HTML form in the class (which is something I try to avoid), I'll use the pagename (unless I feel whacky enough to add another argument to the method, which defines the pagename). Sorry for the tangent, there.

Posted: Mon Dec 04, 2006 10:52 am
by evilchris2003
That works, thanks.

Fortunately my host is on 4.4.2 :D

Posted: Mon Dec 04, 2006 12:45 pm
by feyd
Just so you know, PHP_SELF contains user-submitted input, and therefore can be used to inject code into any page that uses it. In this particular case you could use "#" instead for the exact same effect without the security hole.

Posted: Mon Dec 04, 2006 12:49 pm
by evilchris2003
Thanks feyd, I'll switch it.

Re: php_self

Posted: Mon Dec 04, 2006 7:02 pm
by RobertGonzalez
timclaason wrote:What if you did:

Code:

<form action="<?=$PHP_SELF?>" method="post">

I find the $_SERVER[] and $PHP_SELF equivalent. Not sure if anyone is categorically opposed to this, though.

This will only work if you're on >=4.3.0.

I find it better to use the $_SERVER[] variables instead of pagenames because your page name may change or you may end up moving code to different pages.

I do run into trouble with $_SERVER variables when calling methods within a class, so if I'm doing an HTML form in the class (which is something I try to avoid), I'll use the pagename (unless I feel whacky enough to add another argument to the method, which defines the pagename). Sorry for the tangent, there.

Yes, I am categorically opposed to USING $PHP_SELF and <?=$PHP_SELF?> as this implies register_globals is on and that short_tags are also on. This will invariably cause your apps to croak in future versions of PHP that will not support register globals or short tags.

A very good way of posting back is to use basename($_SERVER['SCRIPT_FILENAME']).
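
The injection feyd describes, next to the alternatives raised in this thread, as an added example that is not part of any poster's message. The `$server` array stands in for `$_SERVER` so the script runs from the command line; its values, the file path and all function names are constructed for illustration.

```php
<?php
// Constructed $_SERVER values for a request to
//   /updateacct.php/"><b>injected</b>
// PHP appends the extra path info to PHP_SELF but not to SCRIPT_FILENAME.
$server = [
    'PHP_SELF'        => '/updateacct.php/"><b>injected</b>',
    'SCRIPT_FILENAME' => '/var/www/html/updateacct.php', // constructed path
];

// As posted in the thread: request-derived text echoed straight into an attribute.
function action_raw(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '" method="post">';
}

// Same value, HTML-escaped for a quoted attribute.
function action_escaped(array $server): string
{
    $self = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $self . '" method="post">';
}

// File name taken from the filesystem path, which carries no request path info.
function action_script_name(array $server): string
{
    $file = htmlspecialchars(basename($server['SCRIPT_FILENAME']), ENT_QUOTES, 'UTF-8');
    return '<form action="' . $file . '" method="post">';
}

// True when the value stayed inside the action attribute, so the tag still
// has exactly the two attributes the template wrote.
function attribute_intact(string $tag): bool
{
    return preg_match('/^<form action="[^"<>]*" method="post">$/', $tag) === 1;
}

foreach (['action_raw', 'action_escaped', 'action_script_name'] as $fn) {
    $tag = $fn($server);
    printf("%-20s %-7s %s\n", $fn, attribute_intact($tag) ? 'intact' : 'BROKEN', $tag);
}
```

Only the raw variant lets the request path close the attribute and add markup of its own; the other two keep the tag as the template wrote it.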