Why you should not use $_SERVER['REQUEST_URI'] and $_SERVER['PHP_SELF']

Well, this might be sad news for those who normally use them 🙁 I was once a fan and used them a lot in form actions, but realized that form actions can be null if it's the same page. So I chose the easier one 😀

$_SERVER['REQUEST_URI'] and $_SERVER['PHP_SELF'] come from the headers, not from the server. Until recently I thought they came from the server, but I read some docs about it and found out that they do not, and that they are vulnerable to XSS attacks.

How are $_SERVER['REQUEST_URI'] and $_SERVER['PHP_SELF'] XSS vulnerable?

You might well ask how someone can inject an XSS script through the address bar and have it affect those global variables, right? 🙂 Now watch this:

<!-- Vulnerable on purpose: PHP_SELF is echoed without escaping -->
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
	<input type="text" name="test" />
</form>

Add this to your address bar, assuming the file is form.php:


You will notice that this changes the form action to whatever the user chooses, which means your project is vulnerable to XSS 🙂 I now suggest you use $_SERVER['SCRIPT_NAME'], which comes from the server. 🙂
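
The difference between the two variables, as an added example that is not code from the original post: it renders the form tag three ways against a constructed stand-in for $_SERVER. The names $server, form_unsafe, form_safe, form_escaped and tag_count are made up for this illustration, the sample PHP_SELF value is constructed, and the htmlspecialchars() encoding goes one step beyond the post's SCRIPT_NAME advice.

```php
<?php
// Added example. $server stands in for $_SERVER; the values are constructed to
// mimic a request for /form.php with extra path info appended after the script name.
$server = [
    'SCRIPT_NAME' => '/form.php',
    'PHP_SELF'    => '/form.php/"><i>constructed</i>',
];

// Pattern from the post: the client-influenced value is echoed unescaped.
function form_unsafe(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '" method="post">';
}

// Suggested fix: SCRIPT_NAME, HTML-encoded for the attribute context as well.
function form_safe(array $server): string
{
    $action = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $action . '" method="post">';
}

// If the request path has to be reflected, encoding keeps it inside the attribute.
function form_escaped(array $server): string
{
    $action = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $action . '" method="post">';
}

// Defensive check: count tag openers in the rendered markup.
// A single <form ...> tag should give exactly 1.
function tag_count(string $html): int
{
    return preg_match_all('/<[a-zA-Z\/]/', $html);
}

foreach (['form_unsafe', 'form_safe', 'form_escaped'] as $fn) {
    $html = $fn($server);
    printf("%-13s tags=%d  %s\n", $fn, tag_count($html), $html);
}
```

Only the unescaped PHP_SELF variant reports more than one tag, because the quote in the path closes the action attribute early.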