hi guys

i have a small question about < form action='' >

what is difference between

<form  action='$SERVER['PHP_SELF'] >


<form  action='<? echo htmlspecialchars($_SERVER['PHP_SELF'); ?> ' >

if this way

action='<? echo htmlspecialchars($_SERVER['PHP_SELF'); ?> '

have benefit in security !

i wait any idea

Thanks a lot

Edited by Yemen Coder: n/a

6 Years
Discussion Span
Last Post by Yemen Coder

Its not for security
its because many of the servers between the user and your server may only display a limited character set, and a restricive part of that.
other characters in file names, / [space] etc
those other characters may cause the request to be lost in its journey between user and server
htmlspecialchars causes those characters to be replaced by the escape code of the character, and the request passes all the dumb servers in the path and is accepted
here is a link to the operation of htmlspecialchars, I LIKE the animated bit

Edited by almostbob: n/a


AlmostBob's URL to the PHP site is fine, but his description is a bit off.
Slashes and spaces are fine. It's nothing to do with the character set but in fact to do with characters reserved for HTML code.

Imagine, for example that PHP_SELF contained a greater-than symbol like this: >

Then the rendered code without htmlspecialchars would be something like this:

<form action="aaaaa>bbbbb">

And that would render the HTML invalid because the end of the form tag is now before the bbbb's.

htmlspecialchars changes a few HTML-reserved characters into coded alternatives. The ones affected are:
double quote
single quote
greater-than symbol
less-than symbol

So it's nothing to do with characters being lost in their journey between the browser and the web server, but more to do about generating valid HTML so that the browser understands it.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.