Unlike our other posts on the blog, this one is not a tutorial but a warning to our less advanced developer readers. Most beginner developers use PHP_SELF in forms, like the example below.
```php
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST">
    <h1>Sanitize your variables!</h1>
    Username: <input type="text" name="username">
    Password: <input type="password" name="password">
</form>
```
Some of you might say, yeah... so what's the big deal? The big deal is that this example is vulnerable to XSS (Cross-Site Scripting) attacks: PHP_SELF contains the request path, including any extra path data appended to the URL, and it is echoed straight into the action attribute without escaping. This situation can easily be exploited by adding
to the URL.
The fix is to escape the value before it is echoed into the attribute, so that quotes and angle brackets come out as entities instead of markup:

```php
<form action="<?php echo htmlentities($_SERVER['PHP_SELF'], ENT_QUOTES); ?>" method="POST">
```
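As an added example (not code from the original post), the same escaping wrapped in a small helper and applied to a constructed path value, plus the alternative of using the script's own file name so request path data never reaches the attribute at all. It uses htmlspecialchars with ENT_QUOTES, which covers the characters that matter inside an attribute; htmlentities as in the corrected form above works equally well. The function names and the sample path are assumptions for this example.

```php
<?php
// Added example, not from the original post. Demonstrates escaping a
// request path such as $_SERVER['PHP_SELF'] before it lands in an attribute.

/**
 * Return an attribute-safe version of a path value.
 * ENT_QUOTES escapes both " and ' so the value cannot close the attribute
 * it is placed in; the charset is given explicitly rather than relying on
 * the php.ini default.
 */
function escapeAttr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

/**
 * Render the form's opening tag.
 * With $action === null the file name of this script is used instead of the
 * request path, so anything appended to the URL (extra path data) is never
 * part of the markup. Assumes the form is rendered from this same file.
 */
function formOpenTag(?string $action = null): string
{
    $action = $action ?? basename(__FILE__);
    return '<form action="' . escapeAttr($action) . '" method="POST">';
}

// Constructed sample: a request path carrying a quote and angle brackets,
// the kind of value PHP_SELF can take when extra path data follows the
// script name (e.g. /login.php/<anything>). Not a real captured request.
$samplePath = '/login.php/"><b>injected</b>';

// Escaped: the quote and brackets are rendered as entities, so the browser
// treats them as part of the action string, not as new markup.
echo formOpenTag($samplePath), "\n";

// Hard-coded: the request path is not consulted at all.
echo formOpenTag(), "\n";
```

Compare the two printed tags: the first keeps the suspicious characters as `&quot;`, `&lt;` and `&gt;`, the second contains only the script's file name.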