
PHP_SELF ? for Pikachu2000


jcanker


I saw your sig file and read one of the articles about $_SERVER['PHP_SELF'] being awful.  I admit, I've written scripts that submit the info to the same page, but I always just coded the page name directly into the action attribute.  In my noobness, I never realized you *could* use PHP_SELF.  One of the articles mentions a few fixes, including htmlentities or html special characters, but I guess my question to you is, why even bother?  Why not just set the page name in action and check for $_POST['submit'] when the page (re)loads?

 

I was going to send this as a PM then decided to open it up for the benefit of everyone and not bother your inbox. 


Exactly. There's no point in even bothering with $_SERVER['PHP_SELF'] as a form action when you can either explicitly name the file or just use action="", since it's valid markup in HTML and XHTML. Unfortunately, there are so many poorly written tutorials out there that push its use, along with other bad coding practices, that it's something that probably won't go away anytime soon.


I know that it is against some policy to send a PM to a mod about a coding question.  In fact it MAY be against policies to address a thread to a mod but I am not sure.  I did that once (sent a PM to a MOD) years back and will never do it again.

 

You are absolutely right that you can just hard code in the file name.  I would guess that many of the people that use $_SERVER['PHP_SELF'] would do it for flexibility/scalability reasons.  They may re-use code on a number of pages/sites and it just makes it easier in that fashion.  I have myself modified my code as a result of Pikachu2000's very very useful signature.  I would be curious to see what other users do as well.  Something like an overall "best practice" methodology.


If flexibility to change the filename is a concern, then action="" takes care of that problem.

 

BTW, I don't think anyone will jump down anyone's throat for addressing a thread to a mod, especially when it relates to something like this, where I have the link in my signature. But you're right about it being against the rules to use the PM system to ask any other member for help, not just mods.


*technically* I was asking him about his sig, not a coding problem  ;)

 

Some of the articles coming up in the Google search your sig links to indicate that action = "" still is subject to XSS attacks.  Yes?  Still better policy to hard code the page and scalability be damned?

 

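Added example, not part of any post in this thread: the same form tag built three ways, to show what the htmlentities/htmlspecialchars fix and the hard-coded action discussed above each do to a hostile $_SERVER['PHP_SELF'] value. The `$phpSelf` parameter stands in for $_SERVER['PHP_SELF'] so the script runs from the command line; `contact.php` and both sample values are constructed placeholders.

```php
<?php
// Added example: $phpSelf stands in for $_SERVER['PHP_SELF'], which is the
// script name plus any extra path text the client appended to the URL.

// Unsafe: the request path is echoed into the attribute verbatim.
function form_unsafe(string $phpSelf): string {
    return '<form method="post" action="' . $phpSelf . '">';
}

// Escaped: quotes and angle brackets become entities, so the value cannot
// close the attribute or open a new tag.
function form_escaped(string $phpSelf): string {
    return '<form method="post" action="'
        . htmlspecialchars($phpSelf, ENT_QUOTES, 'UTF-8') . '">';
}

// Hard-coded: nothing from the request reaches the markup at all.
function form_hardcoded(): string {
    return '<form method="post" action="contact.php">'; // placeholder file name
}

// Constructed sample values: a normal request, and one where the extra
// path text after the script name carries markup.
$samples = [
    '/contact.php',
    '/contact.php/"><script>alert(1)</script>',
];

foreach ($samples as $phpSelf) {
    echo "PHP_SELF:   $phpSelf\n";
    echo 'unsafe:     ' . form_unsafe($phpSelf) . "\n";
    echo 'escaped:    ' . form_escaped($phpSelf) . "\n";
    echo 'hard-coded: ' . form_hardcoded() . "\n\n";
}

// Same-page handling as described in the first post: check the submit
// field when the page (re)loads. $_POST is empty on the CLI, so this is
// skipped here.
if (isset($_POST['submit'])) {
    // process the submitted form here
}
```

For the second sample, the unsafe line shows the attribute closed early and a script tag in the page source, the escaped line shows the same text as inert entities, and the hard-coded line is identical for both requests.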