How is SCRIPT_NAME dangerous in PHP?

I am using the line below in my PHP blog site; how is that dangerous? I have register_globals off and magic_quotes_gpc() also off, and I am using PHP 5.2. Can anyone please enlighten me, or give an alternative to this? I did try $_SERVER['php_self'] but that didn't work.

<form action="<?php echo $SCRIPT_NAME. "?id=" . $validentry; ?>" method="post">

SCRIPT_NAME and PHP_SELF mostly contain the same value. Both contain the webserver-normalized version of REQUEST_URI (that is, relative path parts removed).

Your actual security issue here is not using htmlspecialchars(). And as said before, just use the correct key case to output PHP_SELF:

<form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES, "utf-8") . $validentry ...

I can't believe this works in PHP 5.2 unless you have defined $SCRIPT_NAME yourself. The right code should be $_SERVER['SCRIPT_FILENAME'] in this case. SCRIPT_FILENAME is not user controllable ($_SERVER['PHP_SELF'] is user controllable).

That doesn't seem to pose any danger, but it suggests that you have register_globals On (which, if you are not really, really careful, is probably dangerous). Set register_globals to Off in your configuration file and use $_SERVER['SCRIPT_NAME'] or, preferably, $_SERVER['PHP_SELF']; see also this page on the PHP Manual regarding the $_SERVER superglobal, and this comment:

$_SERVER["SCRIPT_NAME"] => /admin/products.php (virtual path)
$_SERVER["PHP_SELF"] => /admin/products.php/someExtraStuff (virtual path)

SCRIPT_NAME is defined in the CGI 1.1 specification, PHP_SELF is created by PHP itself. See http://php.about.com/od/learnphp/qt/_SERVER_PHP.htm for tests.
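Putting the answers above together (escape the value with htmlspecialchars(), and prefer SCRIPT_NAME, which carries no client-supplied path info, over PHP_SELF), here is an added example that is not from any of the answers or from the asker's site; the formAction() helper and the $_SERVER entries are constructed for illustration.

```php
<?php
// Added example: build the <form action=""> value safely.
// The $_SERVER array below is constructed to simulate a request for
// /blog/post.php with extra path info appended by the client.

/**
 * Return an attribute-safe form action built from the current script path.
 * SCRIPT_NAME is the server-resolved script path; PHP_SELF additionally
 * carries any PATH_INFO the client appended, so it must never be echoed raw.
 */
function formAction(array $server, $id)
{
    // Prefer SCRIPT_NAME: it does not include client-supplied path info.
    $path = isset($server['SCRIPT_NAME']) ? $server['SCRIPT_NAME'] : $server['PHP_SELF'];
    // Escape for an attribute context. ENT_QUOTES is needed because the
    // default flags (on PHP 5.2 in particular) leave single quotes alone.
    return htmlspecialchars($path, ENT_QUOTES, 'UTF-8') . '?id=' . (int) $id;
}

// Constructed request: the client asked for /blog/post.php/"><b>injected</b>
$server = array(
    'SCRIPT_NAME' => '/blog/post.php',
    'PHP_SELF'    => '/blog/post.php/"><b>injected</b>',
);
$validentry = 42;

// Unsafe: raw PHP_SELF closes the attribute and injects markup into the page.
$unsafe = '<form action="' . $server['PHP_SELF'] . '?id=' . $validentry . '" method="post">';

// Safe: SCRIPT_NAME plus htmlspecialchars() keeps the value inside the attribute.
$safe = '<form action="' . formAction($server, $validentry) . '" method="post">';

// Even PHP_SELF is harmless once escaped; the quote and angle brackets become entities.
$escapedSelf = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES, 'UTF-8');

echo "Unsafe:       $unsafe\n";
echo "Safe:         $safe\n";
echo "Escaped self: $escapedSelf\n";
```

Run it with `php example.php`; the unsafe line shows the attribute breakout, while the safe and escaped lines keep the injected text inert.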