Is it necessary to use the following?

<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">

Why not <form method="post" action=""> ?

Can someone hack action="" ?

kero
asked Nov 4, 2015 at 22:18
  • 1
    Who says you shouldn't use action=""? Commented Nov 4, 2015 at 22:18
  • 1
    Both do the same thing. If htmlspecialchars() were omitted, then that would be a different ballgame. Commented Nov 4, 2015 at 22:19
  • 1
    Why not <form method="post">? You don't have to specify an action at all, not even action="". Commented Nov 4, 2015 at 22:23
  • What about XSS cross site scripting? Can someone put code in your action="" ? Commented Nov 5, 2015 at 2:43

1 Answer

The action attribute isn't required in this case, only if you were to keep the method's script within another file for example.

I'm not sure what you mean by "Can someone hack action=""" but this has nothing to do with things being hacked, as long as you validate the user input of the post and such you should be fine.

answered Nov 4, 2015 at 22:27

1 Comment

I see from some sites that if "PHP_SELF" is used in your page then a user can enter a slash (/) and then some Cross Site Scripting (XSS) commands to execute. See this link: html-form-guide.com/php-form/php-form-action-self.html
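The difference between the three form tags discussed in this thread, shown as an added example that is not part of any of the posts above. The function names and the sample `PHP_SELF` values are constructed for illustration; the script runs from the PHP command line and needs no web server.

```php
<?php
// Added example: function names and sample values are constructed.

// Render the opening <form> tag three ways for a given PHP_SELF value.
function render_form_tags(string $phpSelf): array
{
    return [
        // Raw echo: the request path is copied into the attribute unescaped.
        'raw'     => '<form method="post" action="' . $phpSelf . '">',
        // The form from the question: the path is HTML-escaped first.
        // ENT_QUOTES is passed explicitly so single quotes are escaped too.
        'escaped' => '<form method="post" action="'
                     . htmlspecialchars($phpSelf, ENT_QUOTES, 'UTF-8') . '">',
        // Empty action: no request data reaches the markup at all.
        'empty'   => '<form method="post" action="">',
    ];
}

// True when the output is more than one well-formed <form ...> tag,
// i.e. the action value closed its quote early and extra markup follows.
function attribute_broken_out(string $html): bool
{
    return preg_match('/^<form method="post" action="[^"<>]*">$/', $html) !== 1;
}

// PHP_SELF includes any path info that follows the script name,
// so part of it is chosen by whoever builds the URL.
$samples = [
    'normal request'     => '/form.php',
    'trailing path info' => '/form.php/"><b>injected</b>',
];

foreach ($samples as $label => $phpSelf) {
    echo "== $label: $phpSelf\n";
    foreach (render_form_tags($phpSelf) as $variant => $html) {
        $status = attribute_broken_out($html) ? 'BROKEN' : 'intact';
        echo "  $variant\t$status\t$html\n";
    }
}
```

Only the `raw` variant reports `BROKEN`, and only for the request with trailing path info; the `escaped` and `empty` variants stay a single intact tag for both inputs.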
