a notice
Warning: $_SERVER['PHP_SELF'] can include arbitrary user input.
As discussed in this very long thread on nyphp-talk (thanks, Dan and George, for schooling us!), under Apache the request "http://example.com/info.php/attack%20here" runs /info.php, but $_SERVER['PHP_SELF'] will equal "/info.php/attack here". This is a feature (the trailing segment is path info), but it means that PHP_SELF must be treated as user input.
The attack string could contain urlencoded HTML and JavaScript (cross-site scripting, if the value is echoed into a page) or urlencoded line breaks (HTTP response splitting, if the value is placed in a header).
The use of $_SERVER['SCRIPT_NAME'] is recommended instead.
This notice was posted to the PHP Manual's $_SERVER documentation page as well (on behalf of New York PHP).
By Chris Snyder on July 24, 2005 at 11:05am
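The following is an added example, not part of Chris Snyder's notice and not code from nyphp.org. It simulates the Apache request described above by filling in $_SERVER the way Apache with mod_php populates it for "/info.php/<path info>" (the $_SERVER assignments are constructed for the demonstration; on a live server Apache sets them), then contrasts a form action built from PHP_SELF with one built from SCRIPT_NAME. The helper names (vulnerable_form_action, hardened_form_action, has_unexpected_path_info) are hypothetical. The hardened version also runs SCRIPT_NAME through htmlspecialchars(): SCRIPT_NAME avoids the path-info problem, but any server variable placed into HTML should still be escaped on output.

```php
<?php
// Added example (not from the original notice). Constructed $_SERVER values
// model the request http://example.com/info.php/%22%3E%3Cscript%3Ealert(1)%3C/script%3E
// as Apache + mod_php would present it: the script that ran is /info.php,
// the decoded remainder lands in PATH_INFO, and PHP_SELF is the concatenation.
$_SERVER['SCRIPT_NAME'] = '/info.php';
$_SERVER['PATH_INFO']   = '/"><script>alert(1)</script>';
$_SERVER['PHP_SELF']    = $_SERVER['SCRIPT_NAME'] . $_SERVER['PATH_INFO'];
$_SERVER['REQUEST_URI'] = '/info.php/%22%3E%3Cscript%3Ealert(1)%3C/script%3E';

// Vulnerable pattern: PHP_SELF dropped raw into an HTML attribute. The
// attacker-controlled path info closes the attribute and injects a script.
function vulnerable_form_action(): string
{
    return '<form action="' . $_SERVER['PHP_SELF'] . '" method="post">';
}

// Hardened pattern: use SCRIPT_NAME, which names the script that actually
// executed without the trailing path info, and escape it on output anyway.
function hardened_form_action(): string
{
    $action = htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $action . '" method="post">';
}

// Optional check: a script that never expects path info can refuse requests
// that carry it, instead of relying on every output site to escape it.
function has_unexpected_path_info(): bool
{
    return isset($_SERVER['PATH_INFO']) && $_SERVER['PATH_INFO'] !== '';
}

echo "PHP_SELF    : {$_SERVER['PHP_SELF']}\n";
echo "SCRIPT_NAME : {$_SERVER['SCRIPT_NAME']}\n";
echo "Vulnerable  : " . vulnerable_form_action() . "\n";
echo "Hardened    : " . hardened_form_action() . "\n";
echo "Path info?  : " . (has_unexpected_path_info() ? 'present, refuse request' : 'none') . "\n";
```

Run it with `php example.php`: the vulnerable line prints a form tag whose action attribute is terminated by the injected `">` followed by a script element, while the hardened line prints `<form action="/info.php" method="post">`. The same distinction applies when the value goes into a header rather than a page; there the path info would need to carry urlencoded line breaks rather than markup.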