form validation on the same page

3

Hello, for the form to be validated on the same page, which is safer as a value for the 'action' html attribute? Thank you.

    <form method="post" action="">
    <!--or-->
    <form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
    
asked by anonymous 26.11.2015 / 21:03

2 answers

4

1st Do not invent.

2nd It's not a question of which is better, you should know what each one does.

htmlentities encodes any special characters, so you cannot inject tags or JS.

Leaving the action attribute empty causes this page to reference itself. So do not waste functions by using them where they are not needed, because what PHP_SELF does is return the name of the file that is running the script, so if there is no QUERY_STRING why should I use% with% or% with%? You simply should not, because the main reason for using them is to return these values in the right format so that they can be used without any problems, if that exists.

An example of this is:

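    <?php
        // Sample value so the snippet runs on its own.
        $data = 'a&b c';
        // urlencode() makes $data safe as a query-string value;
        // htmlspecialchars() then escapes the whole URL (note the &) for the HTML attribute.
        echo '<a href="' . htmlspecialchars("/nextpage.php?stage=23&data=" .
            urlencode($data)) . '">'."\n";
    ?>

The htmlentities contains parameters, so it has special characters that need to be escaped, but what does urlencode do there? It simply does what it does: when you want to pass the value of a variable as part of a URL, that's where it becomes useful.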

I would say what a lot of people usually say in situations like this, use any js library, or simply use js, and your problem disappears.

It would be easy to think so, because of the technological advancement even the simplest sites use javascript, and most of the devices currently used to access these sites also have javascript support. But that's what it is, javascript may fail, over and over again, and there are times when some would rather not use it, but that's already another perspective.

Analyze your priorities better, and find a solution that fits you.

If you want to read more about some of these processes, here are some pages that I recommend:

26.11.2015 / 23:06
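The difference between the two forms in the question, as an added example that is not part of the original question or answers. The `$phpSelf` value is a constructed sample, and `form_tag` and `start_tags` are hypothetical helpers.

```php
<?php
// Constructed sample: what $_SERVER['PHP_SELF'] can hold when the request URL
// carries extra path segments after the script name (they are included, decoded).
$phpSelf = '/form.php/"><b>injected</b>';

// Hypothetical helper: build the opening tag around an action value.
function form_tag(string $action): string
{
    return '<form method="post" action="' . $action . '">';
}

// Hypothetical helper: count element start tags in the markup.
// Exactly one (<form>) means the value stayed inside the attribute.
function start_tags(string $html): int
{
    return preg_match_all('/<[a-z]/i', $html);
}

$variants = [
    'empty action'        => form_tag(''),
    'PHP_SELF, escaped'   => form_tag(htmlspecialchars($phpSelf, ENT_QUOTES, 'UTF-8')),
    'PHP_SELF, unescaped' => form_tag($phpSelf),
];

foreach ($variants as $label => $html) {
    $verdict = start_tags($html) === 1 ? 'contained' : 'BROKE OUT of the attribute';
    printf("%-20s %s\n  %s\n", $label, $verdict, $html);
}
```

The first two variants keep the request-supplied text inside the `action` attribute (or never emit it at all); only the unescaped `PHP_SELF` lets it close the attribute and start new markup.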
1

Any value. action does not influence client-side validation. Page validation is usually done in JS, and PHP has little role in it.

In this case, a great option is jQuery Validation. See it working here.

    
26.11.2015 / 22:28