Difference between form action=$_SERVER['PHP_SELF']; and action=samefile.php

Hi

Can someone tell me the difference between using in a form:

<form action="<?php echo $_SERVER['PHP_SELF']; ?>">

and

<form action="samefile.php">

Thanks

The difference is that one is hard coded and the other can be dynamic. When you hard code it in it will always go to that page, but when you use the PHP_SELF it will always go to the page that it thinks it is at.

Example:
http://example.com/Kungfu.php
<form action="<?php echo $_SERVER['PHP_SELF']; ?>">
The action would equal “Kungfu.php”

http://example.com/Smilies.php
<form action="<?php echo $_SERVER['PHP_SELF']; ?>">
The action would equal “Smilies.php”

It is the same code, but it can produce different results depending upon the URL.

<form action="<?php echo $_SERVER['PHP_SELF']; ?>"> always submits the form to the page that contains this form.

<form action="samefile.php"> submits the form to the page called samefile.php which may or may not be the current file.

Basically, if you use the former method you can change the filename later without having to change the action property. That makes for more flexible, portable code.

I posted late. Apologies.

Thanks both.
One thing though: does $_SERVER['PHP_SELF']; load the same file WITH query strings set in the address?

Say the address currently is contact.php?message=hello. You are sending a field called “message” by $_POST, and you put in the message “bye”. Will it load the file as…

a) contact.php?message=hello&message=bye

or

b) contact.php?message=bye

just contact.php

Nope, it will not pull the GET information from the URL; it will only pull the file.

Example:
http://www.example.com/Yay.php?User='Legend'
would be
Yay.php

Please note that PHP_SELF is tainted, you should always escape it.


WRONG!
<form action="<?php echo $_SERVER['PHP_SELF']; ?>">

correct
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">

Details: http://blog.phpdoc.info/archives/13-guid.html
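Added example (not code from any poster in this thread): it builds the form tag both ways from a constructed PHP_SELF value and reads the action attribute back, showing why the unescaped version is marked wrong. The sample value, the function names and the `method="post"` attribute are assumptions made for illustration.

```php
<?php
// Constructed sample: PHP_SELF holds the script path plus any extra path text
// the client put after the script name. The query string is not part of it
// (it lives in $_SERVER['QUERY_STRING']).
$server = [
    'PHP_SELF' => '/contact.php/"><i>x</i>',
];

// The "WRONG" form from the post: the value goes into the attribute as-is.
function formUnescaped(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '" method="post">';
}

// The "correct" form: HTML-encode before output. ENT_QUOTES is passed
// explicitly so single quotes are encoded too on PHP versions before 8.1.
function formEscaped(array $server): string
{
    $action = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $action . '" method="post">';
}

// Read the action attribute back the way a browser delimits it (up to the
// next double quote), decode it, and compare with the value we meant to emit.
function actionSurvives(string $tag, string $intended): bool
{
    if (!preg_match('/action="([^"]*)"/', $tag, $m)) {
        return false;
    }
    return html_entity_decode($m[1], ENT_QUOTES, 'UTF-8') === $intended;
}

foreach (['formUnescaped', 'formEscaped'] as $fn) {
    $tag = $fn($server);
    printf(
        "%-14s %s\n  action attribute intact: %s\n",
        $fn,
        $tag,
        actionSurvives($tag, $server['PHP_SELF']) ? 'yes' : 'no'
    );
}
```

In the unescaped tag the attribute ends at the first double quote inside the value, so the rest of the value is parsed as markup; in the escaped tag the whole value stays inside the attribute.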

Say the address currently is contact.php?message=hello. You are sending a field called “message” by $_POST, and you put in the message “bye”. Will it load the file as…

a) contact.php?message=hello&message=bye

or

b) contact.php?message=bye
Oh yes, I got your point. The file will load as 'contact.php?message=bye', but PHP_SELF still represents the current filename without query strings.