[nycphp-talk] Form action submission trickery

Brian D. brian at realm3.com
Fri Nov 30 12:08:29 EST 2007


I don't know the answer of whether or not it's reliable, but could you
use $_SERVER['PHP_SELF']?

(Which leads to the question, is PHP_SELF safe to use, or should you escape it?)

- B.

On Nov 30, 2007 9:54 AM, Cliff Hirsch <cliff at pinestream.com> wrote:
>
>  I like to use <form action ="" as a handy (ok, lazy) way to submit to
> "self" and capture the current URI, including query string. It's nice to
> have this info for later processing for idempotent stuff, redirects, etc.
>
>  But, my question — can I count on it?
>
>  The W3C says:
>
>  action = uri [CT]
>      This attribute specifies a form processing agent. User agent behavior
> for a value other than an HTTP URI is undefined.
>
>  I translate this to mean action = "" is not recommended, although I have
> never experienced a problem in IE or Firefox. From what I have seen, if the
> form method is 'get', a duplicate value in the query string will be
> overridden by the form input element. And for posts, PHP nicely fills both
> the post and get superglobals.
>
>  So can I count on this behavior?
>
>  Cliff



-- 
realm3 web applications [realm3.com]
freelance consulting, application development
(423) 506-0349
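
On the PHP_SELF question raised above, an added example that is not part of the original messages: `$_SERVER['PHP_SELF']` includes any path info the client appends after the script name, so it has to be escaped for the HTML attribute context before it is echoed into `action`. The helper `self_action()` and the sample `$_SERVER` values are constructed for illustration.

```php
<?php
// Added example, not code from the thread. All sample values are constructed.

/**
 * Build a value that is safe to place inside action="..." for a form that
 * submits to the current script. With $keepQuery = true the current query
 * string is kept, which is what the action="" shortcut is relied on for.
 */
function self_action(array $server, bool $keepQuery = true): string
{
    // SCRIPT_NAME is the script path only. PHP_SELF additionally carries any
    // trailing path info sent by the client, so it is client-influenced.
    $path = $server['SCRIPT_NAME'] ?? '';

    $query = '';
    if ($keepQuery && ($server['QUERY_STRING'] ?? '') !== '') {
        $query = '?' . $server['QUERY_STRING'];
    }

    // Escape for an HTML attribute: &, <, > and both quote styles.
    return htmlspecialchars($path . $query, ENT_QUOTES, 'UTF-8');
}

// Constructed request data: script path, client-appended path info carrying
// a harmless marker, and a query string.
$server = [
    'SCRIPT_NAME'  => '/form.php',
    'PHP_SELF'     => '/form.php/"><b>marker',
    'QUERY_STRING' => 'id=7&next=%22x',
];

// 1. Raw PHP_SELF: the quote ends the attribute and the markup is parsed.
echo '<form action="' . $server['PHP_SELF'] . '" method="post">', "\n";

// 2. Escaped PHP_SELF: the same bytes stay inside the attribute value.
echo '<form action="'
    . htmlspecialchars($server['PHP_SELF'], ENT_QUOTES, 'UTF-8')
    . '" method="post">', "\n";

// 3. SCRIPT_NAME plus query string, escaped: path info dropped, query kept.
echo '<form action="' . self_action($server) . '" method="post">', "\n";
```

Comparing the three printed lines shows the difference: only the first lets request data break out of the `action` attribute.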


