Using PHP_SELF in the action field of a form

This article shows how the PHP_SELF variable is used and how to avoid PHP_SELF exploits.

What is PHP_SELF variable?

PHP_SELF is a server variable ($_SERVER['PHP_SELF']) that holds the path of the script currently being executed. The value is the name and path of the current file, relative to the document root. You can use this variable in the action field of a FORM. There are also certain exploits that you need to be aware of. We shall discuss all these points in this article.

We will now see some examples of what the following line prints:
<?php echo $_SERVER['PHP_SELF']; ?>

a) Suppose your php file is located at the address:
http://www.yourserver.com/form-action.php

In this case, PHP_SELF will contain:
"/form-action.php"

b) Suppose your php file is located at the address:
http://www.yourserver.com/dir1/form-action.php

For this URL, PHP_SELF will be :
"/dir1/form-action.php"

Using the PHP_SELF variable in the action field of the form

A common use of PHP_SELF variable is in the action field of the <form> tag. The action field of the FORM instructs where to submit the form data when the user presses the “submit” button. It is common to have the same PHP page as the handler for the form as well.

However, if you hard-code the file name in the action field and later rename the file, you need to update the action field as well, or your form will stop working.

Using the PHP_SELF variable you can write more generic code which can be used on any page, without editing the action field.

Consider, you have a file called form-action.php and want to load the same page after the form is submitted. The usual form code will be:

<form method="post" action="form-action.php">

We can use the PHP_SELF variable instead of “form-action.php”. The code becomes:

<form name="form1" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">

The complete code of “form-action.php”

Here is the combined code, that contains both the form and the PHP script.

<?php
// This block runs before the HTML below, so its output appears above the form.
if(isset($_POST['submit']))
{
    // Escape the submitted value before echoing it back into the page;
    // otherwise a user could inject HTML or script through the "name" field.
    $name = htmlentities($_POST['name'], ENT_QUOTES, 'UTF-8');
    echo "User has submitted the form and entered this name : <b> $name </b>";
    echo "<br>You can use the following form again to enter a new name.";
}
?>
<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
   <input type="text" name="name"><br>
   <input type="submit" name="submit" value="Submit Form"><br>
</form>

This PHP code is above the HTML part and is executed first. The first line of code checks whether the form has been submitted. The name of the submit button is “submit”, so when the button is pressed $_POST['submit'] is set and the IF condition becomes true. In this case, we show the name entered by the user.

If the form has not been submitted, the IF condition is FALSE because $_POST['submit'] is not set, and the code inside the IF block is not executed. In this case, only the form is shown.

What are PHP_SELF exploits and how to avoid them

The PHP_SELF variable is used to get the name and path of the current file, but it can be abused by attackers too. If PHP_SELF is printed into your page unescaped, a user can append a slash (/) followed by crafted text to the URL, and that text is reflected into your page as Cross Site Scripting (XSS).

See below for an example:

<form name="test" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">

Now, if a user has entered the normal URL in the address bar like
http://www.yourdomain.com/form-action.php
the above code will be translated as:

<form name="test" action="form-action.php" method="post">

This is the normal case.

Now consider that the user has called this script by entering the following URL in the browser’s address bar:

http://www.yourdomain.com/form-action.php/%22%3E%3Cscript%3Ealert('xss')%3C/script%3E%3Cfoo%22

In this case, after PHP processing the code becomes:

<form name="test" method="post" action="form-action.php"/>
<script>alert('xss')</script><foo"">

You can see that this code has added a script tag and an alert command. When this page is loaded, the user will see an alert box. This is just a simple example of how the PHP_SELF variable can be exploited.

Any JavaScript code can be placed between the script tags: <script>....HERE....</script>. An attacker can also link to a JavaScript file located on another server. That JavaScript file can hold malicious code that alters global variables or submits the form to another address to capture the user's data, for example.

How to Avoid the PHP_SELF exploits

PHP_SELF exploits can be avoided by using the htmlentities() function. For example, the form code should be like this to avoid the PHP_SELF exploits:

<form name="test" action="<?php echo htmlentities($_SERVER['PHP_SELF']); ?>" method="post">

The htmlentities() function converts characters that have a special meaning in HTML (such as <, > and ") into their entity equivalents. Now if the user tries to exploit the PHP_SELF variable, the attempt fails, and entering the malicious URL results in the following output:

<form name="test" method="post" action="form-action.php/&quot;&gt;&lt;script&gt;alert('xss')&lt;/script&gt;&lt;foo&quot;">

As you can see, the script part is now ‘sanitized’.

So don’t forget to convert every occurrence of "$_SERVER['PHP_SELF']" into "htmlentities($_SERVER['PHP_SELF'])" throughout your script.

NOTE:
Some PHP servers are configured to prevent this issue and perform the conversion automatically. But why take the risk? Make it a habit to use htmlentities() with PHP_SELF.
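As an added example (not the article's own code), the script below renders the form action three ways for the crafted PHP_SELF value discussed above: unescaped, escaped with htmlentities(), and from SCRIPT_NAME, which carries no extra path segment (the SCRIPT_NAME alternative is the one raised in the comments below). The PHP_SELF value is constructed inline so the script runs from the command line.

```php
<?php
// Added example, not the article's code. The PHP_SELF value below is
// constructed to match the crafted URL discussed in the article; on a
// real server it would be read from $_SERVER['PHP_SELF'].
$phpSelf = '/form-action.php/"><script>alert(\'xss\')</script><foo"';

// Vulnerable: the raw value is placed inside the action attribute. The
// embedded "> closes the attribute and the tag, so the <script> element
// becomes part of the page.
function renderFormVulnerable(string $phpSelf): string
{
    return '<form name="test" action="' . $phpSelf . '" method="post">';
}

// Hardened: htmlentities() with ENT_QUOTES converts <, >, " and ' into
// entities, so the whole value stays inside the attribute.
function renderFormSafe(string $phpSelf): string
{
    $escaped = htmlentities($phpSelf, ENT_QUOTES, 'UTF-8');
    return '<form name="test" action="' . $escaped . '" method="post">';
}

// Alternative: SCRIPT_NAME holds only the script path (no PATH_INFO), so
// the crafted suffix never reaches the markup. It is still escaped,
// because an attribute value should always be escaped for its context.
function renderFormFromScriptName(string $scriptName): string
{
    $escaped = htmlentities($scriptName, ENT_QUOTES, 'UTF-8');
    return '<form name="test" action="' . $escaped . '" method="post">';
}

// Simple check: does the rendered markup contain a raw <script> tag?
function containsScriptTag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

echo renderFormVulnerable($phpSelf), "\n";
echo renderFormSafe($phpSelf), "\n";
echo renderFormFromScriptName('/form-action.php'), "\n";

echo 'vulnerable output contains <script>: ',
    containsScriptTag(renderFormVulnerable($phpSelf)) ? 'yes' : 'no', "\n";
echo 'escaped output contains <script>: ',
    containsScriptTag(renderFormSafe($phpSelf)) ? 'yes' : 'no', "\n";
```

Run it with `php` on the command line; the first rendered line shows the broken-out markup and the second shows every dangerous character replaced by an entity.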

Comments on this entry are closed.

  • If the goal is to submit to the page’s own URL, why not just leave the action attribute blank?  It accomplishes the same thing as inserting PHP_SELF, but without the XSS risk.
     

    • Just wanted to add the same thing.
      PHP_SELF does not submit to the normal GET query string (?foo etc.); a blank attribute does.

  • I think you meant

    <?php
    if(isset($_POST['name']))
    {
        $name = $_POST['name'];
        echo "User Has submitted the form and entered this name : <b> $name </b>";
        echo "<br>You can use the following form again to enter a new name.";
    }
    ?>
    <form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
       <input type="text" name="name"><br>
       <input type="submit" name="submit" value="Submit Form"><br>
    </form>

    **if(isset($_POST['name']))
    not if(isset($_POST['submit']))

    • Either way works as the submit button has the name=”submit”. In fact most forms have more than 1 input and might be best to run the script when the submit button is pressed.
       
      I would also like to add that leaving the action attribute blank works just as well, has no security risks other than those related to forms in general, and is in fact safer than server variables in forms. W3C says it's a “required” attribute but says nothing about a required value.
       
      1 more thing: using the GET method you can simply start with a question mark if posting to the same page. action="?var=x&amp;var2=y"

      • href=€?var=x&amp;var2=y€ rather using links. which can then be retrieved with $_GET

  • it's a great way for me… thanks so much

  • Thanks for the tut.
    Great info, just one thing, the background looks cool, but caused a little strain on my eyes with focus on text.
    Thanks again

  • “If the goal is to submit to the page’s own URL, why not just leave the action attribute blank?  It accomplishes the same thing as inserting PHP_SELF, but without the XSS risk.”
     
    What about if your php file is on the server but your form is just part of an HTML iframe on Facebook? If you leave the attribute blank then there is no direction for the HTML. How do I make the form submit to the same page in this situation?
    Thanks in advance

    • The problem is not leaving the action property blank. The problem is Facebook using an <iframe> in the first place.

  • I agree that leaving the action=”” blank also results in the form being submitted to whence it came from

  • isn't leaving the action variable blank against web standards?

    • I don’t believe so. As far as i know anyway.

  • thanks. your article cleared my doubt..great …

  • Your article was quite an interesting read. 🙂

  • Hi,
    I hope I can get a solution for my doubt.
    I want to pass form values to many pages without redirecting to another page,
    so how can I use a different form action? When I use a different form action it redirects when submitting values.
    I just want to pass values to many pages.
    Thanks in advance.

  • Does anyone know how to use this, but specify with an anchor or something else where the user is taken on the page after they hit submit?…To be specific, I have a one page site and the contact form is in the footer, so far when I hit submit it takes me back to the top of the page, any way to have it stay at the bottom?
     
    Thanks in advance! 🙂

  • The safest way to clean PHP_SELF is as follows:
    $PHP_SELF = isset($_SERVER['PHP_SELF']) ? htmlentities(strip_tags($_SERVER['PHP_SELF'], ''), ENT_QUOTES, 'UTF-8') : '';
    This was lifted from apc.php, which is part of the PECL APC package.

  • Safest way is to stop using $_SERVER['PHP_SELF'] and start using $_SERVER['SCRIPT_FILENAME'].

    Let's say the browser address link was /index.php/xss

    now check the output of this:
    <?php echo $_SERVER['SCRIPT_FILENAME']; ?>
    <br>
    <?php echo $_SERVER['PHP_SELF']; ?>
    <br>
    that's what we have:
    /index.php
    /xss

    if you need to detect the current dir of the script you can use this

    <?php echo substr($_SERVER['SCRIPT_FILENAME'], 0, strlen($_SERVER['SCRIPT_FILENAME']) - strlen(strrchr($_SERVER['SCRIPT_FILENAME'], "/"))); ?>

    or you can use the better and shorter version
    <?php echo dirname($_SERVER['SCRIPT_FILENAME']); ?>

    No XSS at all)

    • lol

  • @Voodooman
    You probably mean $_SERVER['SCRIPT_NAME']
    And yes that saves calling an extra function.

  • Great and useful article and very useful comments as well

  • It was very useful for me
    thanks

  • Thanks a lot. This is very much informative article. I have tried it, it works in an easy way. Thanks again.

  • Great Tutorial . It rocks the simplicity of the tutorial is fantastic

  • Thank you so much. i was looking something like this for my new website.

  • Here is a simple method to post a form to the same page

    <form action="" method="post">