PHP Form validation related

I was learning PHP with w3schools.com, where they used this code to create an HTML form:

<form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
Name : <input type="text" name="name">
<br> <br>
E-mail : <input type="text" name="email">
<br><br>
Website : <input type="text" name="website">
<br> <br>
Comment: <textarea name="comment" rows="2" cols="5"> </textarea>
<br> <br>
Gender : 
<input type="radio" name="gender" value="female"> Female
<input type="radio" name="gender" value="male"> Male
<br> <br>
<input type="submit" name="submit" value="Submit">
</form>

I understood most of the code easily, but in the first line they used <?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>

to pass data to the same PHP file. But if the point is just to send data to the same PHP file, why did they use echo before htmlspecialchars? I couldn't get that clearly.

Without echo, nothing will be put into the form action. Nothing will get put into the HTML. Without echo, nothing gets put on the page.

The code would look like this.

<form action="">


Probably should be this:

<form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>" method="post">

Using htmlspecialchars there makes no sense - the form hasn’t even reached the input processing yet and that code is running an outputting function.

Yet another example to add to the thousands of others of bad and outdated code from that site.


The reason for using htmlspecialchars there is to prevent the possibility of a Cross Site Scripting (XSS) attack, as $_SERVER["PHP_SELF"] can be manipulated by the user. See this article for more detail.


It still can be, even with that code there. Bypassing the htmlspecialchars is no harder to do than manipulating the $_SERVER['PHP_SELF'].

Interesting, can you show an example of how that could be done?

Plus, even if we were confident that the URL value was safe (which we’re not), we would still want to escape in order to avoid any special characters being misinterpreted. For example:

<a href="http://something.com/?test&lt">test</a>

Browsers will interpret this as:

http://something.com/?test<

Because – and I hope this is obvious – ampersand is a special character in HTML. So yes, using htmlspecialchars makes sense, and you should definitely do it.

The only reason you would ever not want to use htmlspecialchars is if the thing you’re outputting is already pre-rendered, pre-escaped HTML.

Why use a vulnerable field when there is a safe alternative?

<form action="<?php echo basename(__FILE__); ?>">

or simply hard code the file name

That would probably avoid injection issues, but you should still escape nonetheless. Even file names can contain characters that are special to HTML. Ampersands, quotes, semicolons are all possible. You’re creating a lot of edge case bugs by avoiding htmlspecialchars and you’re not gaining anything for it.

Only if you insist on naming them that way. You avoid that issue if you only use letters and numbers in your file names (plus the dot before the extension).

Why create a problem where you need to escape filenames in HTML by using characters in those filenames that cause the issue in the first place?
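The three points argued above (PHP_SELF is attacker-influenced, a bare ampersand in an attribute is misread even when the value is trusted, and a file name still deserves escaping) as one added, runnable example. This is not code from the original thread or from w3schools. It is PHP 8 (it uses str_contains), it assumes the web server passes extra path info through to PHP so that $_SERVER["PHP_SELF"] can carry the requested path verbatim, and the attacker-style and benign values, the function names and the check() helper are all the example's own.

```php
<?php
declare(strict_types=1);

// Added example for this thread, not code from w3schools or from any poster.
// Assumption: the server passes extra path info through to PHP, so a request
// for /form.php/<junk> arrives with $_SERVER["PHP_SELF"] set to "/form.php/<junk>".
// The values below are constructed; no live $_SERVER access is needed to run this.

// The tutorial's pattern with htmlspecialchars() removed: the raw request
// path is spliced straight into a double-quoted attribute value.
function vulnerableFormAction(string $phpSelf): string
{
    return '<form action="' . $phpSelf . '" method="post">';
}

// The tutorial's pattern as it should be written. ENT_QUOTES also escapes
// single quotes, so the value stays safe if the attribute is later switched
// to single quotes; ENT_SUBSTITUTE keeps htmlspecialchars() from returning
// an empty string on malformed UTF-8.
function safeFormAction(string $phpSelf): string
{
    $escaped = htmlspecialchars($phpSelf, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form action="' . $escaped . '" method="post">';
}

// Fails loudly instead of relying on assert(), which zend.assertions may disable.
function check(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
}

// 1. Attacker-controlled path info closes the attribute and the tag, then
//    injects a script element (constructed value).
$evil = '/form.php/"><script>alert(1)</script><form action="';

$raw = vulnerableFormAction($evil);
check(str_contains($raw, '"><script>alert(1)</script>'), 'raw output contains a live script tag');
check(substr_count($raw, ' action="') === 2, 'raw output now has two action attributes');

$escaped = safeFormAction($evil);
check(!str_contains($escaped, '<script>'), 'escaped output contains no live tag');
check(str_contains($escaped, '&quot;&gt;&lt;script&gt;'), 'attacker quote and brackets are entity-encoded');
check(substr_count($escaped, ' action="') === 1, 'only one action attribute survives escaping');

// 2. A value that is not an attack still needs escaping: "&lt" directly
//    before the closing quote is decoded by browsers as "<", so the raw
//    action is read as /form.php?test< while the escaped one keeps "&lt".
$benign = '/form.php?test&lt';
check(str_contains(vulnerableFormAction($benign), 'test&lt"'), 'raw output leaves a bare character reference');
check(str_contains(safeFormAction($benign), 'test&amp;lt"'), 'escaped output neutralises the ampersand');

// 3. basename(__FILE__) removes attacker input from the picture, but is still
//    escaped here for the reason given in the thread: file names may contain
//    ampersands or quotes, and escaping a plain name is harmless.
$fromFile = safeFormAction(basename(__FILE__));
check(str_starts_with($fromFile, '<form action="'), 'file-name action renders');

echo $raw, PHP_EOL, $escaped, PHP_EOL, safeFormAction($benign), PHP_EOL, $fromFile, PHP_EOL;
echo 'all checks passed', PHP_EOL;
```

Run it with `php example.php`; it throws on the first failed check and otherwise prints the four rendered tags followed by "all checks passed". The design choice worth noting is that the escaping happens at the point of output into HTML, regardless of where the value came from, which is exactly the property the hard-coded or basename() alternatives do not give you for free.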

I believe it is possible to use either action="?" or action="#", and I am curious to know if there are any complications, conflicts, etc.
