PHP_SELF opens up a page to XSS attacks when code such as echo $_SERVER[‘PHP_SELF’]

Question

0

Asked: May 24, 20262026-05-24T06:37:43+00:00 2026-05-24T06:37:43+00:00

PHP_SELF opens up a page to XSS attacks when code such as echo $_SERVER[‘PHP_SELF’]

0

PHP_SELF opens up a page to XSS attacks when code such as echo $_SERVER['PHP_SELF'] is included, but what about SCRIPT_NAME? Since it does not include path info, is this safe to use? I know you can use htmlentities and other similar functions to sanitize but I’d rather avoid the extra function call.

I’m quite sure that it would be safe to use but I’d like the reassurance of the SO community 🙂

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-24T06:37:44+00:00

Editorial Team

2026-05-24T06:37:44+00:00Added an answer on May 24, 2026 at 6:37 am

As good practice, you should always protect against any variables from $_SERVER, $_GET, $_POST etc.

$str = filter_var($input, FILTER_SANITIZE_STRING);

A simple way to sanitize a string, or you can use htmlentities. I create a class that I use when returning any variables from $_SERVER, $_GET and $_POST.

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

PHP_SELF opens up a page to XSS attacks when code such as echo $_SERVER[‘PHP_SELF’]

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply