[nycphp-talk] Form action submission trickery
Dan Cech
dcech at phpwerx.net
Fri Nov 30 12:25:36 EST 2007
Cliff Hirsch wrote:
> I like to use <form action ="" as a handy (ok, lazy) way to submit to "self"
> and capture the current URI, including query string. It's nice to have this
> info for later processing for idempotent stuff, redirects, etc.
>
> But, my question - can I count on it?
>
> The W3C says:
>
> action = uri [CT]
> This attribute specifies a form processing agent. User agent behavior
> for a value other than an HTTP URI is undefined.
>
> I translate this to mean action = "" is not recommended, although I have
> never experienced a problem in IE or FireFox. From what I have seen, if the
> form method is 'get', a duplicate value in the query string will be
> overridden by the form input element. And for posts, php nicely fills both
> the post and get superglobals.
>
> So can I count on this behavior?
Technically using an empty string for the form action isn't correct,
however you could probably achieve the same effect using:
    print '<form method="post" action="?' .
        htmlspecialchars(http_build_query($_GET)) . '">';
For the record, using PHP_SELF or other URI-related entries in $_SERVER
should be approached with extreme caution, as you never know what you're
likely to find there.
HTH,
Dan
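
Added example, not part of the original message: a side-by-side of a form action built from $_SERVER['PHP_SELF'] and one built from the query string as suggested above. The helper name self_action() and all sample values are constructed for illustration.

```php
<?php
// PHP_SELF reflects the request path, including any extra path info the
// client appended after the script name, so it is client-influenced input.

/**
 * Build an HTML-safe, query-only action value that resubmits to the
 * current script with the current query string.
 * (Hypothetical helper, not from the original thread.)
 */
function self_action(array $get): string
{
    // http_build_query() URL-encodes keys and values, nested arrays included.
    $query = http_build_query($get);
    // Escape for the HTML attribute context; ENT_QUOTES covers ' and ".
    return htmlspecialchars('?' . $query, ENT_QUOTES, 'UTF-8');
}

// Constructed sample inputs standing in for $_GET and $_SERVER['PHP_SELF'].
$get     = ['page' => '2', 'q' => 'a"b<c>&d', 'tags' => ['x', 'y z']];
$phpSelf = '/form.php/"><b>x</b>';

// Unescaped PHP_SELF: the quote in the path closes the attribute early,
// and the markup that follows becomes part of the page.
$unsafe = '<form method="post" action="' . $phpSelf . '">';

// If PHP_SELF must be used, escape it for the attribute context.
$escaped = '<form method="post" action="'
         . htmlspecialchars($phpSelf, ENT_QUOTES, 'UTF-8') . '">';

// Query-only action: no server-supplied path is echoed at all.
$safe = '<form method="post" action="' . self_action($get) . '">';

foreach (['unsafe' => $unsafe, 'escaped' => $escaped, 'safe' => $safe] as $label => $html) {
    // Report whether raw markup from the input survived into the output.
    $leaked = strpos($html, '<b>') !== false ? 'raw markup present' : 'no raw markup';
    printf("%-8s %s\n         %s\n", $label . ':', $html, $leaked);
}
```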