Jump to content

Is it safe to use $_SERVER['PHP_SELF'] outside a form or link?

Recommended Posts


I'm new to PHP and I was wondering if it's perfectly safe to use $_SERVER['PHP_SELF'] like so:

<body<?php  if(basename($_SERVER['PHP_SELF']) ==  'home.php') echo  ' class="home"'; ?>>

As far as I understand, the $_SERVER['PHP_SELF'] variable can only be exploited when used as a link or in a form/inputs, where the variable should be wrapped into htmlspecialchars() to counter XSS attacks, am I right?


Edited by Junitar
Link to post
Share on other sites

There's no security issue there because the only thing that can be "hacked" is whether the body element has a class attribute or not.

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...