Confused about actions

Hello there, I'm new to PHP. I'm reviewing the right and safe use of action="somewhere.php" in forms.
Which is safer: action="somewhere.php" or action=""? Or when should I use each of the two?

I've got an information overload that clouds my mind.
Thank you in advance.

It is not so much about where you send the data; what you do with the data is what matters most.

  • If you are handling sensitive information then you should be using a secure connection (SSL).
  • If you are handling information that is going to be stored in a database then you need to consider SQL injection attacks.
  • If the information is going to be presented on a page then you need to consider cross-site scripting attacks (XSS).

Unless I have misunderstood your question.

SSL sounds new to me, but what if I consider all three? What should I use?

Sorry, I am not 100% sure what you mean.

Sorry for that. As I understand your message, those three are the considerations for when to use a self action and when to use external actions.
Then my follow-up question is: how can I make my form secure from those attacks? Which is more efficient and effective?

Hope I am making myself clear. Thank you for your quick response.

Generally speaking you should always set an action and not leave it up to the browser to decide.
Even if you are posting back to the same page you should tell the browser that.


<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">

Isn’t there an XSS exploit in using PHP_SELF in form actions?
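Added example (not code from the thread) showing why the question above is worth asking: $_SERVER['PHP_SELF'] is built from the request path, including any trailing PATH_INFO, so a crafted URL puts attacker-controlled text straight into the form tag. The sample PHP_SELF value below is constructed for the demo; in a real request it would come from a URL such as /form.php/%22%3E%3Cscript%3Ealert(1)%3C/script%3E%3C!-- .

```php
<?php
// Constructed sample: what PHP_SELF contains for the crafted request path above.
// (Set here only so the script runs stand-alone from the CLI.)
$_SERVER['PHP_SELF'] = '/form.php/"><script>alert(1)</script><!--';

// Vulnerable: the attacker's path segment closes the action attribute and the
// <form> tag, and the injected <script> runs in the victim's browser.
function vulnerableForm(): string
{
    return '<form action="' . $_SERVER['PHP_SELF'] . '" method="post">';
}

// Hardened option 1: escape for the HTML attribute context before echoing.
// The quotes and angle brackets become entities, so the attribute stays intact.
function escapedForm(): string
{
    $action = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form action="' . $action . '" method="post">';
}

// Hardened option 2: do not reflect the request path at all; name the handler
// explicitly (this is the "always set an action" advice given earlier in the thread).
function fixedForm(): string
{
    return '<form action="/form.php" method="post">';
}

echo "Vulnerable: ", vulnerableForm(), PHP_EOL;
echo "Escaped:    ", escapedForm(), PHP_EOL;
echo "Fixed:      ", fixedForm(), PHP_EOL;
```

Run it from the command line with `php demo.php` and compare the three lines: only the first one contains a live `<script>` tag. Whichever option you pick, treat PHP_SELF like any other request-derived value and never echo it raw.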

This does not have anything to do with PHP security.

If you leave action empty, then data from your form are posted to "the same URL" and you need to process them there.

If you don't leave it empty but write, for example, "send_email.php" there, then data from your form will be sent there.

A little clearer now. Perhaps I need to review its security next. Thank you.

To keep your database safe, you need to verify that the user inputs to your forms are what you expect. If you are looking for an email address, verify that the entry is an email address. (there are examples on the internet). If you are expecting text in your form, remove everything except text before you put it into your database.

Here is an example of cleaning up a phone number:

function extractNumbers($value) { return preg_replace('/\D+/', '', $value); } // keep only the digits
$_POST['tel'] = extractNumbers($_POST['tel']);
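Added example (not code from the thread) pulling together the three points raised earlier (SQL injection, XSS on output, validating input against what you expect) for one form handler. The submitted values are constructed inline so it runs offline; the table layout, the minimum phone-number length, and the name pattern are assumptions for the demo. It uses PDO with an in-memory SQLite database, so the pdo_sqlite extension must be enabled; the SSL/TLS point is a web-server setting and is not shown here.

```php
<?php
// Constructed form submission standing in for a real POST request.
$_POST = [
    'email'   => ' alice@example.com ',
    'tel'     => '(555) 123-4567 ext. 9',
    'name'    => "Alice O'Brien",
    'comment' => 'Hi <b>there</b> "friends" & <script>alert(1)</script>',
];

// 1. Validate or normalise every field against what you expect.
function cleanEmail(string $raw): ?string
{
    $email = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

function extractNumbers(string $raw): string
{
    return preg_replace('/\D+/', '', $raw);   // keep digits only
}

function cleanName(string $raw): ?string
{
    // Assumed rule for this demo: letters, spaces, apostrophes, hyphens; 1-60 chars.
    $name = trim($raw);
    return preg_match("/^[\p{L} '\-]{1,60}$/u", $name) ? $name : null;
}

$email   = cleanEmail($_POST['email'] ?? '');
$tel     = extractNumbers($_POST['tel'] ?? '');
$name    = cleanName($_POST['name'] ?? '');
$comment = trim($_POST['comment'] ?? '');   // free text: cannot be whitelisted, so store as-is and escape on output

if ($email === null || $name === null || strlen($tel) < 7) {   // 7 = assumed minimum digit count
    http_response_code(400);
    exit('Invalid input' . PHP_EOL);
}

// 2. SQL injection: never build the query by concatenation; bind the values.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE contacts (email TEXT, tel TEXT, name TEXT, comment TEXT)');

$stmt = $db->prepare(
    'INSERT INTO contacts (email, tel, name, comment) VALUES (:email, :tel, :name, :comment)'
);
$stmt->execute([
    ':email'   => $email,
    ':tel'     => $tel,
    ':name'    => $name,
    ':comment' => $comment,
]);

// 3. XSS: data stored verbatim is escaped at output time, for the HTML context it lands in.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

foreach ($db->query('SELECT email, tel, name, comment FROM contacts') as $row) {
    echo '<p>', h($row['name']), ' (', h($row['email']), ', ', h($row['tel']), '): ',
         h($row['comment']), '</p>', PHP_EOL;
}
```

Validation rejects or normalises what you can predict (email, phone, name), the prepared statement keeps whatever is left from ever being parsed as SQL, and `h()` makes the stored comment harmless when it is rendered: the `<script>` in the sample comment comes out as `&lt;script&gt;`. Note that the two defences are separate; stripping characters for the database does not protect the page, and escaping for HTML does not protect the query.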