$_SERVER['SCRIPT_NAME']
SCRIPT_NAME solves all the problems mentioned in this thread
- it's just the script name, without any extra garbage
that might be tacked on by the user. PHP_SELF explicitly includes that
extra garbage, so solutions in this thread that involve stripping the
garbage off of PHP_SELF to make it safe are really, really missing the
point - just use SCRIPT_NAME instead. Please don't use FORM ACTION="";
according to the spec, what the browser does with that is undefined, so
even if it works in current browsers, it might not work in future ones.
Reposted from: http://www.nyphp.org/list/talk-15339-serverphpself-not-working
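The "extra garbage" the post refers to is PATH_INFO: with Apache and mod_php, a request for `/contact.php/anything` sets PHP_SELF to the script path plus `/anything`, while SCRIPT_NAME stays `/contact.php`. The following script is an added example, not code from the original post or from the nyphp list; it simulates such a request from the command line with constructed `$_SERVER` values (the file name `contact.php` and the injected path are assumptions) and prints the markup a PHP_SELF-based form action would emit next to the SCRIPT_NAME-based one.

```php
<?php
// Added example (not from the original post). Shows why PHP_SELF is unsafe
// inside a form action and why SCRIPT_NAME is not. Runnable from the CLI:
//   php phpself_vs_scriptname.php
//
// Constructed request environment: these are the values Apache + mod_php
// would supply for a request to
//   /contact.php/"><script>alert(1)</script>
// (PATH_INFO is whatever the client appends after the script name, and
// PHP_SELF is SCRIPT_NAME followed by PATH_INFO).
$_SERVER['SCRIPT_NAME'] = '/contact.php';
$_SERVER['PATH_INFO']   = '/"><script>alert(1)</script>';
$_SERVER['PHP_SELF']    = $_SERVER['SCRIPT_NAME'] . $_SERVER['PATH_INFO'];

// Vulnerable: PHP_SELF carries the client-controlled PATH_INFO straight
// into the HTML attribute, closing it and injecting a script element.
function formActionUnsafe(): string
{
    return '<form method="post" action="' . $_SERVER['PHP_SELF'] . '">';
}

// Fixed: SCRIPT_NAME is just the script path as resolved by the web server.
// Escaping it as well is an added precaution (not something the post asks
// for); it costs nothing and protects against an unusual server setup.
function formActionSafe(): string
{
    $action = htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $action . '">';
}

echo "PHP_SELF     : {$_SERVER['PHP_SELF']}\n";
echo "SCRIPT_NAME  : {$_SERVER['SCRIPT_NAME']}\n\n";
echo "Unsafe markup: " . formActionUnsafe() . "\n";
echo "Safe markup  : " . formActionSafe() . "\n";
```

The unsafe line renders as `<form method="post" action="/contact.php/"><script>alert(1)</script>">`, so the attacker's script runs in the victim's browser simply by luring them to a crafted URL; the safe line renders as `<form method="post" action="/contact.php">` regardless of what follows the script name in the request.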