$_SERVER['PHP_SELF'] vs $_SERVER['SCRIPT_FILENAME']

When I echo both, I would get this output

/contactform/form_process.php
/Applications/XAMPP/xamppfiles/htdocs/php/contactform/form_process.php

At first I was using PHP_SELF, but then I read some users' comments and they prefer SCRIPT_FILENAME. As I want to use it in a form and to avoid XSS and such code, which one would you prefer?

If you are thinking about the action=... part of your form, just leave it empty.

As you can tell from the output, the second option will never work, as it simply gives you the wrong path.

Better yet, as it was noted above, simply omit action parameter in the form tag, to make your form sent to the same URL.

Or you could just do this -

<?php
// Read PHP_SELF through filter_input() so characters that are not valid
// in a URL are stripped before the value is used anywhere.
$phpSelf = filter_input(INPUT_SERVER, 'PHP_SELF', FILTER_SANITIZE_URL);
$path_parts = pathinfo($phpSelf);
$basename = $path_parts['basename']; // Use this variable for action='':
$pageName = ucfirst($path_parts['filename']); // e.g. "Form_process"

if you’re concerned about safety…

Or

<?php
// SCRIPT_NAME is the URL path of the running script without any
// trailing path info; basename() keeps only "form_process.php".
$sn = basename($_SERVER['SCRIPT_NAME']);
// Or: __FILE__ is the filesystem path of the executing file, so its
// basename is the script filename regardless of how it was requested.
$sn = basename(__FILE__);

Anyone know if $_SERVER['SCRIPT_NAME'] should be sanitized too before use? I have been using it in my apps. At least Acunetix and Nessus scans did not report any XSS vulnerabilities, if I remember correctly.

Obviously, your code will never work for the OP.

Nor should $_SERVER['SCRIPT_NAME'] ever be used in any front-end context, where REQUEST_URI is the only reliable address source.
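The whole thread in one runnable script, as an added example that is not code from any of the posters above. It assumes the classic PHP_SELF injection: Apache appends URL-decoded PATH_INFO to PHP_SELF, so a request for /contactform/form_process.php/"><script>alert(1)</script> lands in $_SERVER['PHP_SELF'] verbatim while SCRIPT_NAME stays clean. The $_SERVER entries are constructed inline so the script runs from the CLI; the helper names attr(), hasPathInfo() and the formAction*() functions are this example's own.

```php
<?php
// Added example, not from the thread. Simulates one request so it runs
// under `php example.php`; in a real request PHP fills $_SERVER itself.
// Constructed to mimic Apache + mod_php serving
//   GET /contactform/form_process.php/"><script>alert(1)</script>
// where the trailing segment is attacker-supplied PATH_INFO (assumption).
$_SERVER['SCRIPT_NAME']     = '/contactform/form_process.php';
$_SERVER['SCRIPT_FILENAME'] = '/Applications/XAMPP/xamppfiles/htdocs/php/contactform/form_process.php';
$_SERVER['PATH_INFO']       = '/"><script>alert(1)</script>';
$_SERVER['PHP_SELF']        = $_SERVER['SCRIPT_NAME'] . $_SERVER['PATH_INFO'];
$_SERVER['REQUEST_URI']     = '/contactform/form_process.php/%22%3E%3Cscript%3Ealert(1)%3C/script%3E';

// Encode a value for an HTML attribute. Use this on any $_SERVER value
// that is echoed into markup.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// The condition that makes raw PHP_SELF dangerous: the request carried
// extra path info, so PHP_SELF is SCRIPT_NAME plus attacker-chosen text.
function hasPathInfo(): bool
{
    return $_SERVER['PHP_SELF'] !== $_SERVER['SCRIPT_NAME'];
}

// Vulnerable: the path info closes the attribute and the script tag runs.
function formActionRaw(): string
{
    return '<form method="post" action="' . $_SERVER['PHP_SELF'] . '">';
}

// Fix 1: output-encode. The path info is still present, but inert.
function formActionEncoded(): string
{
    return '<form method="post" action="' . attr($_SERVER['PHP_SELF']) . '">';
}

// Fix 2: basename(SCRIPT_NAME). SCRIPT_NAME never carries PATH_INFO and
// basename() drops the directory, leaving just "form_process.php".
function formActionBasename(): string
{
    return '<form method="post" action="' . attr(basename($_SERVER['SCRIPT_NAME'])) . '">';
}

// Fix 3: omit action entirely; the browser posts to the URL it loaded.
function formActionOmitted(): string
{
    return '<form method="post">';
}

printf("path info present: %s\n\n", hasPathInfo() ? 'yes' : 'no');
foreach ([
    'raw PHP_SELF (vulnerable)'  => formActionRaw(),
    'htmlspecialchars(PHP_SELF)' => formActionEncoded(),
    'basename(SCRIPT_NAME)'      => formActionBasename(),
    'no action attribute'        => formActionOmitted(),
] as $label => $html) {
    printf("%-28s %s\n", $label . ':', $html);
}

// What the OP observed: SCRIPT_FILENAME is a filesystem path, not a URL,
// so it can never serve as a form action (and echoing it leaks the
// server's directory layout). Only its basename matches the script.
printf("\nSCRIPT_FILENAME: %s\nbasename: %s\n",
    $_SERVER['SCRIPT_FILENAME'], basename($_SERVER['SCRIPT_FILENAME']));
```

Running it prints the vulnerable line with a live `"><script>` inside the attribute and the three fixed lines with either `&quot;&gt;&lt;script&gt;` or no path info at all. In practice, prefer omitting `action` or using `basename($_SERVER['SCRIPT_NAME'])`; keep `attr()`-style encoding as the baseline for anything from `$_SERVER` that does reach markup, including `REQUEST_URI`, which is raw request data and must be encoded as well.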
