The $_SERVER["PHP_SELF"] variable can be abused by attackers.
PHP_SELF holds the path of the currently executing script, taken straight from the request URL without any escaping. If your page echoes it into HTML, a user can append a slash (/) followed by a Cross Site Scripting (XSS) payload to the URL, and that payload is written into the page and executed.
Cross-site scripting (XSS) is a type of security vulnerability typically found in web applications. It lets attackers inject client-side script into pages viewed by other users, so that the script runs in those users' browsers with the site's own origin and privileges.
Assume we have the following form in a page named "test_form.php":
<form method="post" action="<?php echo $_SERVER["PHP_SELF"];?>">
Now, if a user requests the normal URL in the address bar, such as "http://www.edureka.com/test_form.php", the above code is rendered as (PHP_SELF always carries the leading slash):
<form method="post" action="/test_form.php">
However, suppose the user instead requests the same script with a slash and a script payload appended to the path, so that the URL ends in /"><script>alert('hacked')</script>. On typical Apache/mod_php setups the extra path segment does not stop test_form.php from running; it simply becomes part of PHP_SELF. The browser percent-encodes characters such as " and < in the address bar, but the web server decodes them again before PHP sees the path, so the payload arrives intact.
In this case, the above code is rendered as:
<form method="post" action="/test_form.php/"><script>alert('hacked')</script>">
The injected "> closes the action attribute early, the script tag that follows is parsed as real markup and runs, and the original "> is left over as harmless text. The same trick works with any payload the attacker can fit in a URL, which is why the value must never be echoed unescaped.
How to avoid this vulnerability (escaping the value with htmlspecialchars() before echoing it) is covered under PHP Form Security.
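As an added example (not code from the original tutorial), the script below places the vulnerable form tag beside a hardened one so both outputs can be compared. The helper name safe_self() and the simulated request path assigned to $_SERVER["PHP_SELF"] are assumptions made so the script runs from the command line; on a real web server that value comes from the request URL.

```php
<?php
// Added example: vulnerable vs. hardened use of $_SERVER["PHP_SELF"].
// safe_self() and the simulated request path below are illustrative assumptions.

// Simulate the attacker's request path so the script runs from the CLI.
// In production this is filled in by the web server from the request URL.
$_SERVER["PHP_SELF"] = '/test_form.php/"><script>alert(\'hacked\')</script>';

// Vulnerable: the request path is concatenated into an HTML attribute unescaped,
// so the attacker's "> closes the attribute and the script tag becomes markup.
function vulnerable_form(): string
{
    return '<form method="post" action="' . $_SERVER["PHP_SELF"] . '">';
}

// Hardened: escape for the HTML attribute context before output.
// ENT_QUOTES converts both double and single quotes, so the value stays inside
// the attribute whichever quoting style the template uses; < and > become
// &lt; and &gt;, so no new tag can be opened.
function safe_self(): string
{
    return htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES, 'UTF-8');
}

function hardened_form(): string
{
    return '<form method="post" action="' . safe_self() . '">';
}

echo "Vulnerable output:\n", vulnerable_form(), "\n\n";
echo "Hardened output:\n", hardened_form(), "\n";
```

Running the script prints the injected form tag first and the escaped version second; in the escaped version the quotes and angle brackets appear as entities, so the browser treats the whole value as the action URL rather than as markup. Where the form always posts back to a known script, an even simpler option is to avoid PHP_SELF entirely and hard-code the action path (or use action=""), which removes the attacker-controlled value from the page altogether.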