[nycphp-talk] $_SERVER['PHP_SELF'} not working?
Michael Sims
jellicle at gmail.com
Fri Jul 22 12:05:17 EDT 2005

On Thursday 21 July 2005 17:16, Dan Cech wrote:
> You could put:
>
> $_SERVER['PHP_SELF'] = $_SERVER['SCRIPT_NAME'];
>
> into one of your common include files.

Yes. I'm afraid I don't understand this entire thread. Apparently
because of the numerous PHP developer articles recommending it, and
because of the php.net page which for whatever reason lists it first on
the list of predefined variables, people are using PHP_SELF when they
really want SCRIPT_NAME. SCRIPT_NAME solves all the problems mentioned
in this thread - it's just the script name, without any extra garbage
that might be tacked on by the user. PHP_SELF explicitly includes that
extra garbage, so solutions in this thread that involve stripping the
garbage off of PHP_SELF to make it safe are really, really missing the
point - just use SCRIPT_NAME instead. Please don't use FORM ACTION="";
according to the spec, what the browser does with that is undefined, so
even if it works in current browsers, it might not work in future ones.
People can be forgiven for making this mistake -- I'm here holding my
copy of _Learning PHP 5_, and it recommends on page 8 and again on page
86 the use of PHP_SELF for self-referencing forms, ahem -- but it's time
to put it to bed: PHP_SELF is unsafe for any usage where it is echoed
back to the page.
Michael Sims
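
The difference described in the message above, as an added example that is not part of the original post: the same self-referencing form tag built from PHP_SELF and from SCRIPT_NAME. The request values are constructed and assigned by hand so the script runs from the command line, and `form_tag()` and `tag_count()` are hypothetical helper names.

```php
<?php
// Constructed request: the script /form.php is requested with extra path
// text appended after its name. The server variables are simulated here on
// the assumption that PHP_SELF is the script name followed by that
// trailing text, as the message describes.
$_SERVER['SCRIPT_NAME'] = '/form.php';
$_SERVER['PATH_INFO']   = '/"><b>injected</b>';   // constructed sample
$_SERVER['PHP_SELF']    = $_SERVER['SCRIPT_NAME'] . $_SERVER['PATH_INFO'];

// Hypothetical helper: builds the opening tag of a self-referencing form.
function form_tag(string $action): string
{
    return '<form method="post" action="' . $action . '">';
}

// Hypothetical helper: counts opening angle brackets, i.e. how many tags
// the browser would see. A correct form tag contains exactly one.
function tag_count(string $html): int
{
    return substr_count($html, '<');
}

// Before: PHP_SELF echoed back as-is. The user-supplied text closes the
// action attribute and the form tag, and the rest is parsed as markup.
$unsafe = form_tag($_SERVER['PHP_SELF']);

// After: SCRIPT_NAME carries only the script name. Escaping it on output
// as well costs nothing and keeps the attribute intact either way.
$safe = form_tag(htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8'));

printf("PHP_SELF:    %s\n  tags seen: %d\n", $unsafe, tag_count($unsafe));
printf("SCRIPT_NAME: %s\n  tags seen: %d\n", $safe, tag_count($safe));
```

The `tag_count()` comparison also works as a regression check: any template that emits more than one tag for a form's opening line is echoing request data unescaped.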