I write
http://www.mysite.com/form.php/%22%3E%3Cscript%3Ealert('hacked')%3C/script%3E
on URL. Now I press enter and the URL is:
http://www.mysite.com/form.php/"><script>alert('hacked')</script>
Now I post the form. When using $_SERVER['PHP_SELF']
, htmlspecialchars
works, with REQUEST_URI
not. Why?
When and why should I use action=""
or action=<?=$_SERVER['PHP_SELF']?>
or action=<?=$_SERVER['REQUEST_URI']?>
?
Here the result of the posts:
$_SERVER['REQUEST_URI']:
/form.php/%22%3E%3Cscript%3Ealert('hacked')%3C/script%3E
htmlspecialchars($_SERVER['REQUEST_URI']):
/form.php/%22%3E%3Cscript%3Ealert('hacked')%3C/script%3E
$_SERVER['PHP_SELF']:
/form.php/"><script>alert('hacked')</script>
htmlspecialchars($_SERVER['REQUEST_URI']):
/form.php/"><script>alert('hacked')</script>
I think, the second should also be as the last...?