I am using the line below in my php blog site, how is that a danger ?
<form action="<?php echo $SCRIPT_NAME. "?id=" . $validentry; ?>" method="post">
I have register_globals off and magic_quotes_gpc() also off.
$_SERVER['php_self'], but that didn't work.

SCRIPT_NAME and PHP_SELF mostly contain the same value. Both contain the webserver-normalized version of REQUEST_URI (that is, relative path parts removed).
Your actual security issue here is not using htmlspecialchars(). And as said before, just use the correct key case to output PHP_SELF:
<form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES, "utf-8") . $validentry ...
That doesn't seem to pose any danger, but it suggests that you have register_globals On (which, if you are not really really careful is probably dangerous). Set register_globals to Off in your configuration file and use $_SERVER['SCRIPT_NAME'] or, preferably $_SERVER['PHP_SELF'], see also this page on the PHP Manual regarding the $_SERVER superglobal, and this comment:
$_SERVER["SCRIPT_NAME"] => /admin/products.php (virtual path)
$_SERVER["PHP_SELF"] => /admin/products.php/someExtraStuff (virtual path)
SCRIPT_NAME is defined in the CGI 1.1 specification, PHP_SELF is created by PHP itself. See http://php.about.com/od/learnphp/qt/_SERVER_PHP.htm for tests.
I do not believe this works in PHP5.2 unless you have defined $SCRIPT_NAME yourself.
The right code should be $_SERVER['SCRIPT_FILENAME'], in this case.
SCRIPT_FILENAME is not user controllable.
$_SERVER['PHP_SELF'] is user controllable.
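The point the answers above make, as an added example that is not part of the original question or any of the answers: PHP_SELF can carry client-supplied path info after the script name, so copying it raw into a form action lets the attribute be broken out of, while htmlspecialchars() with ENT_QUOTES keeps it inside the attribute. The $_SERVER values and the $validentry value are constructed here so the script runs from the command line.

```php
<?php
// Added example, not code from the original thread. The request values below
// are constructed so the script runs stand-alone (php this_file.php).

// Constructed: what the webserver hands PHP for a request whose URL continues
// past the script name with extra path info containing markup characters.
$_SERVER['SCRIPT_NAME'] = '/blog/post.php';
$_SERVER['PHP_SELF']    = '/blog/post.php/"><b>injected</b>';
$validentry = 42; // assumed to be an already-validated integer id

// Unsafe: PHP_SELF is copied verbatim into an HTML attribute, so a double
// quote in the path info closes the attribute early.
function unsafe_action(int $id): string {
    return '<form action="' . $_SERVER['PHP_SELF'] . '?id=' . $id . '" method="post">';
}

// Safe: escape for an attribute context before output. ENT_QUOTES converts
// both " and ' to entities, so the value cannot terminate the attribute.
function safe_action(int $id): string {
    $path = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $path . '?id=' . (int) $id . '" method="post">';
}

// SCRIPT_NAME is normalized by the webserver and does not include the extra
// path info, which is why some answers prefer it; escaping is still applied
// because any value written into HTML should be encoded for its context.
function script_name_action(int $id): string {
    $path = htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $path . '?id=' . (int) $id . '" method="post">';
}

// A simple check a reviewer can run over generated markup: the action
// attribute must contain no raw quote or angle bracket from the request.
function attribute_is_intact(string $html): bool {
    if (!preg_match('/action="([^"]*)"/', $html, $m)) {
        return false;
    }
    return strpbrk($m[1], '<>"\'') === false;
}

echo unsafe_action($validentry), PHP_EOL;
echo safe_action($validentry), PHP_EOL;
echo script_name_action($validentry), PHP_EOL;
var_dump(attribute_is_intact(unsafe_action($validentry)));      // bool(false)
var_dump(attribute_is_intact(safe_action($validentry)));        // bool(true)
var_dump(attribute_is_intact(script_name_action($validentry))); // bool(true)
```

Running it prints three form tags: in the first the quote from the path info ends the action attribute and the `<b>` element lands in the page body, in the second the same characters appear as `&quot;`, `&lt;` and `&gt;` inside an intact attribute, and the third uses the shorter SCRIPT_NAME path. The attribute_is_intact() helper is only a quick sanity check for the demonstration, not a substitute for escaping every value at its output point.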