PHP $_SERVER['PHP_SELF'] in Wordpress redirecting to the index page

10,390

Solution 1

The reason for this is that WordPress runs (almost) everything through the index.php page and then handles which page to display via its routing logic. You might try doing var_dump($_SERVER); to see which value you want but it's probably $_SERVER['REQUEST_URI'].

Solution 2

You could use the the_permalink() WordPress function that will echo the permalink of the current page.

Solution 3

I think what you use redirects to the index because WordPress uses nice URLs.

You can use the function below to "retrieve" the full URL of the current page:

function selfURL()
{
    // Scheme: "https" when the request arrived over TLS, otherwise "http"
    $https = !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
    $ret = $https ? "https" : "http";
    $ret .= "://" . $_SERVER['SERVER_NAME']; // Add domain name/IP address
    // Add the port only when it is not the default for the scheme (80 for HTTP, 443 for HTTPS)
    $port = (int) $_SERVER['SERVER_PORT'];
    $ret .= ( $port === ($https ? 443 : 80) ? "" : ":" . $port );
    $ret .= $_SERVER['REQUEST_URI']; // Add the rest of the URL (client-supplied: escape before output)

    return $ret; // Return the value
}

Obviously, you will need to use <form method="GET" action="<?php echo esc_url( selfURL() ); ?>"> to dynamically set the action of the form.

Author by

Admin

Updated on June 14, 2022

Comments

  • Admin
    Admin over 1 year

    I have a WordPress website. There is a category page with a form on it to sort / filter the posts.

    I have tried using $_SERVER['PHP_SELF'] as the form action as I need to get the contents of the form to display the posts, but when I do it redirects to the index page.

    Is there a reason for this? Or a better way to submit a form within WordPress?

    Thanks

  • MrCode
    MrCode over 11 years
    Cross Site Scripting aka XSS is a type of web application security vulnerability.
  • GordonM
    GordonM over 11 years
    You could so easily inject javascript into a page with this answer. That javascript could harvest cookies, inject fake links, log keystrokes or any of a number of very dangerous things. This makes your answer a liability, so I'm afraid I've got to DV it. I'd strongly recommend researching XSS because if you use this code in your own projects then they can easily be abused.
  • Vipin Jain
    Vipin Jain over 11 years
    @GordonM: OK, I read about XSS, and I can say that this code cannot be exploited. And I'm very much confident about this, because server-side checking is always done, and I personally know what I'm doing with this code. This code is very helpful when the permalinks are disabled and no alternatives are there.
  • GordonM
    GordonM over 11 years
    @VIPINJAIN Try setting one of the values in the array your code is parsing to the following: " onclick='function () {alert('Hello! I'm a malicious script that's stealing all your cookies');}'
  • MrCode
    MrCode over 11 years
    @VIPINJAIN I'm afraid I am unable to find the server side check in your answer that prevents XSS.
  • PeeHaa
    PeeHaa over 11 years
    @VIPINJAIN "And m very much confident about this.". But I am not. If you are so confident, do you mind telling how you prevent XSS? Because the way I see it you use the $_GET superglobal's values directly. Please tell me where I am wrong.
  • Vipin Jain
    Vipin Jain over 11 years
    @GordonM: Nothing happened, bud. And guess what, I have pasted this query: ?script=<script>alert('Hello! I'm a malicious script that's stealing all your cookies');</script> and nothing happened.
  • Vipin Jain
    Vipin Jain over 11 years
    @RepWhoringPeeHaa: You are wrong too. Don't even know what is happening in the code, and still commenting and voting. Strange.
  • MrCode
    MrCode over 11 years
    @VIPINJAIN your example will not work because <script> tags are not executed inside quotes.
  • PeeHaa
    PeeHaa over 11 years
    @VIPINJAIN I didn't downvote (yet). I just asked an honest question how you prevent XSS attacks. Because your code doesn't show any input validation / cleanup. So how can I be wrong when I just ask a question?
  • Vipin Jain
    Vipin Jain over 11 years
    @MrCode: So, nothing will work inside it, neither click events, and everything is protected.
  • Vipin Jain
    Vipin Jain over 11 years
    @RepWhoringPeeHaa: Oh, anyways, these are simple hidden fields, so no validation is required as no event can be fired from these fields. :)
  • Vipin Jain
    Vipin Jain over 11 years
    @markus-tharkun: Still didn't get it. Script tags won't fire inside double quotes and hidden fields can't fire events, so no XSS can be placed in this code. If you can, then show me an example. I'd appreciate that.
  • hakre
    hakre over 11 years
    @VIPIN JAIN: As things get hot now. Grab yourself some time off the screen, cook yourself a tea or something. When you come back you only need to remember one thing: I need to read and understand XSS first before I continue to write webapps. That's all. There is nothing more important right now in case you want to continue to code at larger scale, it's one thing you should learn about. That's all. We might not be able to make it plausible to you, but that's not our job. You only need to remember: I need to read and understand XSS first before I continue to write webapps.
  • hakre
    hakre over 11 years
    @VIPINJAIN: $_SERVER['REQUEST_URI'] should work for that case, too.
  • Vipin Jain
    Vipin Jain over 11 years
    @hakre: nope it will not work for that case. already tried it
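
The form action from Solution 3 and the hidden fields debated in the comments both place request data inside a quoted HTML attribute. This added example (not code from any answer on this page; the helper names and the sample request are constructed) builds such a form with and without attribute escaping and parses the result to show whether a double quote in a parameter stays inside the attribute.

```php
<?php
// Added example, not from the page; helper names and request data are constructed.

// Escape for a quoted HTML attribute (inside WordPress: esc_attr(), esc_url()).
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build the filter form: the action is the current request path and each
// existing query parameter is carried over as a hidden field.
function render_filter_form(string $requestUri, array $query, bool $escape): string
{
    $enc  = $escape ? 'attr' : fn(string $v): string => $v; // identity = the unescaped "before"
    $path = (string) parse_url($requestUri, PHP_URL_PATH);
    $html = '<form method="GET" action="' . $enc($path) . '">' . "\n";
    foreach ($query as $name => $value) {
        if (!is_string($value)) {
            continue; // nested parameters (?a[]=1) are out of scope here
        }
        $html .= '<input type="hidden" name="' . $enc((string) $name)
               . '" value="' . $enc($value) . '">' . "\n";
    }
    return $html . "</form>\n";
}

// Parse the markup and return the attribute names found on <input> elements.
function attribute_names(string $html): array
{
    libxml_use_internal_errors(true); // keep parser warnings off the output
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    $names = [];
    foreach ($doc->getElementsByTagName('input') as $input) {
        foreach ($input->attributes as $attribute) {
            $names[$attribute->nodeName] = true;
        }
    }
    return array_keys($names);
}

// Constructed input: what $_GET holds after PHP decodes
// ?sort=x%22%20data-injected%3D%221 (a harmless marker attribute).
$query = ['sort' => 'x" data-injected="1'];
foreach ([false, true] as $escape) {
    $html = render_filter_form('/category/news/?sort=x', $query, $escape);
    echo $escape ? 'escaped:   ' : 'unescaped: ', implode(', ', attribute_names($html)), "\n";
}
```

In the unescaped run the parser reports an extra data-injected attribute on the hidden field, meaning the value closed its own quotes; in the escaped run the same input remains part of value.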