
PHP: How To Use PHP_SELF

PHP_SELF is an element of PHP's $_SERVER superglobal array. It holds the file name and path of the currently executing script, relative to the document root. Normally this value is used in the action attribute of a form tag so that the form submits back to the current script on the current page. It also has some known security issues, covered below.

Example:
1- Suppose your PHP file is located at this address:
http://localhost/action.php
In this case the result will be
“/action.php”

2- Suppose the URL of your PHP file carries query parameters:

http://localhost/app/view/AppList.php?site=test&page=1

For this URL, PHP_SELF will be:
“/app/view/AppList.php?site=test&page=1”

How to use PHP_SELF in the action field of the form

Normally we use the PHP_SELF variable in the action attribute of the “form” tag. The action attribute tells where the form is submitted, that is, which file receives and handles the submitted data.

<form method="post" style="width:300px;float:right" action="<?php echo $_SERVER['PHP_SELF'] . '?site=' . $_REQUEST['site'] . '&page=' . $page; ?>">
Complete code:
<?php
// $page and $applicationObj are assumed to be defined earlier in the script
// (their definitions are not shown in this post).
if (isset($_POST['search']))
{
    echo "form submitted";
}
?>

<div class="well form-search">
<!-- PHP_SELF and $_REQUEST['site'] are echoed below without escaping; see the "PHP_SELF Issue" section. -->
<form method="post" style="width:300px;float:right" action="<?php echo $_SERVER['PHP_SELF'] . '?site=' . $_REQUEST['site'] . '&page=' . $page; ?>">
<input type="text" name="search_key" value="<?php echo $applicationObj->GetKeyword(); ?>" id="search_key" class="input-medium search-query">
<button type="submit" class="btn" id="search" value="search" name="search">Search</button></form>
</div>

PHP_SELF Issue:
If a user enters the URL with the action file name and its parameters directly, the form is submitted.
Example:

http://localhost/app/view/AppList.php?search=true

An attacker can also inject JavaScript this way, because the PHP_SELF value echoed into the action attribute is taken from the requested URL without any escaping.

To avoid this, pass the value through PHP's htmlentities function before echoing it:

action="<?php echo htmlentities($_SERVER['PHP_SELF']); ?>"
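The script below is an added example and is not code from the original post. It runs from the command line, so $_SERVER['PHP_SELF'] and the request parameters are constructed inline. The constructed PHP_SELF carries a PATH_INFO suffix (the part after AppList.php), which web servers pass into PHP_SELF unchanged; here the suffix contains only a harmless bold tag, enough to show the action attribute being broken out of. The helper names buildActionUnsafe, buildActionSafe and renderForm are assumptions of this example, not part of the post.

```php
<?php
// Added example, not from the original post. Runs from the CLI: the request
// values below are constructed, not real.
declare(strict_types=1);

// Constructed request. Everything after "AppList.php" is PATH_INFO, which the
// web server hands to PHP inside PHP_SELF without any escaping. The suffix
// here only carries a harmless <b> tag to show the attribute being broken.
$_SERVER['PHP_SELF'] = '/app/view/AppList.php/"><b>injected</b>';
$_REQUEST['site']    = 'test';
$page                = 1;

/** The original post's construction: request data goes into the HTML untouched. */
function buildActionUnsafe(string $self, string $site, int $page): string
{
    return $self . '?site=' . $site . '&page=' . $page;
}

/**
 * Hardened version: URL-encode the query value, then HTML-escape the whole
 * URL with ENT_QUOTES so neither " nor ' can end the action attribute.
 */
function buildActionSafe(string $self, string $site, int $page): string
{
    $url = $self . '?site=' . urlencode($site) . '&page=' . $page;
    return htmlentities($url, ENT_QUOTES, 'UTF-8');
}

/** Minimal form markup, trimmed from the post's search form. */
function renderForm(string $action): string
{
    return '<form method="post" action="' . $action . '">' . "\n"
         . '  <input type="text" name="search_key">' . "\n"
         . '  <button type="submit" name="search" value="search">Search</button>' . "\n"
         . '</form>';
}

echo "--- unescaped action: the quote and > in PATH_INFO end the attribute and the tag ---\n";
echo renderForm(buildActionUnsafe($_SERVER['PHP_SELF'], $_REQUEST['site'], $page)), "\n\n";

echo "--- escaped action: the same input is rendered inert ---\n";
echo renderForm(buildActionSafe($_SERVER['PHP_SELF'], $_REQUEST['site'], $page)), "\n";
```

Run it with the php command-line binary. In the first form the injected tag appears as live markup; in the second it is rendered as &quot;&gt;&lt;b&gt;injected&lt;/b&gt; inside the attribute and stays inert. Note that $_SERVER['SCRIPT_NAME'] excludes the PATH_INFO part and is a more suitable base for a self-submitting form, but it still has to be escaped the same way, as does every other request value placed into the markup.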

About the Author:

Hi, this is Parvez Alam from India. I am a software developer with 4 years’ experience in web development. I have submitted articles on PHP, MySQL, Magento, CSS, HTML, jQuery, web design and social APIs. You can subscribe to my blog via RSS/Twitter/Google Plus and Facebook. parvez1487(at)gmail(dot)com
