on your page: http://www.w3schools.com/php/php_form_validation.asp you discuss preventing exploits by using htmlspecialchars.
When I build forms I avoid entering the page name at all and simply use action="?"
is this some how wrong? it works well for me