I am using line below in my php blog site, how is that danger ? I have register_global off and magic_quotes_gpc() also off and using php 5.2. Can anyone please enlight me, or give alternative to this ? I did try $_SERVER['php_self'] but that didn't work.
<form action="<?php echo $SCRIPT_NAME. "?id=" . $validentry; ?>" method="post">
分享 SCRIPT_NAME and PHP_SELF mostly contain the same value. Both contain the webserver-normalized version of REQUEST_URI (that is, relative path parts removed).
Your actual security issue here is not using htmlspecialchars(). And as said before, just use the correct key case to output PHP_SELF:
<form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES, "utf-8") . $validentry ...
