[Solved] call to $_SERVER['PHP_SELF']; error
Posted: Mon Dec 04, 2006 10:42 am
by evilchris2003
Hi, I'm trying to get an update user details form to post to itself using
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
which works on my registration page, but on this page it posts and Mozilla comes up with the cannot find server error.
the URL in the address bar is
http://updateacct.php/
I know I can use the file name. Is there any advantage to using the $_SERVER way?
php_self
Posted: Mon Dec 04, 2006 10:48 am
by timclaason
What if you did:
<form action="<?=$PHP_SELF?>" method="post">
I find the $_SERVER[] and $PHP_SELF equivalent. Not sure if anyone is categorically opposed to this, though.
This will only work if you're on >=4.3.0.
I find it better to use the $_SERVER[] variables instead of pagenames because your page name may change or you may end up moving code to different pages.
I do run into trouble with $_SERVER variables when calling methods within a class, so if I'm doing a HTML form in the class (which is something I try to avoid), I'll use the pagename (unless I feel whacky enough to add another argument to the method, which defines the pagename). Sorry for the tangent, there.
Posted: Mon Dec 04, 2006 10:52 am
by evilchris2003
That works, thanks.
Fortunately my host is on 4.4.2.

Posted: Mon Dec 04, 2006 12:45 pm
by feyd
Just so you know, PHP_SELF contains user submitted input, therefore can be used to inject code into any page that uses it. In this particular case you could use "#" instead for the exact same effect without the security hole.
Posted: Mon Dec 04, 2006 12:49 pm
by evilchris2003
Thanks feyd, I'll switch it.
Re: php_self
Posted: Mon Dec 04, 2006 7:02 pm
by RobertGonzalez
timclaason wrote:
What if you did:
<form action="<?=$PHP_SELF?>" method="post">
I find the $_SERVER[] and $PHP_SELF equivalent. Not sure if anyone is categorically opposed to this, though.
This will only work if you're on >=4.3.0.
I find it better to use the $_SERVER[] variables instead of pagenames because your page name may change or you may end up moving code to different pages.
I do run into trouble with $_SERVER variables when calling methods within a class, so if I'm doing a HTML form in the class (which is something I try to avoid), I'll use the pagename (unless I feel whacky enough to add another argument to the method, which defines the pagename). Sorry for the tangent, there.
Yes, I am categorically opposed to USING $PHP_SELF and <?=$PHP_SELF?> as this implies register_globals is on and that short_tags are also on. This will invariably cause your apps to croak in future versions of PHP that will not support register globals or short tags.
A very good way of posting back is to use
basename($_SERVER['SCRIPT_FILENAME']).
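
An added example, not part of any post in this thread: it renders the form tag three ways (raw PHP_SELF as in the first post, the same value HTML-escaped, and the basename($_SERVER['SCRIPT_FILENAME']) form suggested above) so the difference in the emitted HTML is visible. The $server array, the function names and the file path are constructed for illustration; PHP_SELF includes any extra path text the client appends after the script name, which is why it counts as user input.

```php
<?php
// Added example; the $_SERVER-style values below are constructed, not captured.

// As in the first post: PHP_SELF written into the attribute unescaped.
function form_raw(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '" method="post">';
}

// Same source value, HTML-escaped for use inside a quoted attribute.
function form_escaped(array $server): string
{
    $action = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $action . '" method="post">';
}

// The suggestion from the last post: SCRIPT_FILENAME is the path of the
// script on disk, so trailing path text from the URL never reaches it.
// It is still escaped, because file names are data too.
function form_script_filename(array $server): string
{
    $name = basename($server['SCRIPT_FILENAME']);
    $action = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    return '<form action="' . $action . '" method="post">';
}

// Constructed request: the client asked for the script with extra path
// text after its name. PHP appends that text to PHP_SELF.
$server = [
    'PHP_SELF'        => '/updateacct.php/"><b>injected</b>',
    'SCRIPT_FILENAME' => '/var/www/html/updateacct.php',
];

foreach (['form_raw', 'form_escaped', 'form_script_filename'] as $fn) {
    echo str_pad($fn, 22), $fn($server), PHP_EOL;
}
```

In the first line of output the quote in the path closes the action attribute and the markup after it becomes part of the page; in the other two the attribute stays intact.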