I read on one page in form handling that it's good practice to use <form action=<?$_SERVER['PHP_SELF']?>> and I also read on another page that this is the easiest way to get hacked... Which one is correct?
<form action=<?$_SERVER['PHP_SELF']>? name=''> Is this good practice?
Well, it's bad practice for at least three reasons: (1) you're using a short open tag, which is deprecated and liable not to work depending on the server; (2) it won't work anyway; (3) the html attribute value isn't enquoted.
Try this:
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>">
// or
echo '<form action="' . htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8') . '">';
And don't forget method="post" or method="get".
If you're using the current page as the handler for the form, I've gotten into the habit of just leaving the action empty, since it defaults to the current page, instead of declaring it explicitly with $_SERVER['PHP_SELF'].
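Added example, not part of any post in this thread: $_SERVER['PHP_SELF'] includes any extra path text that follows the script name in the request, so it must be escaped before it is written into an attribute. The helper names (form_open, form_open_raw, form_open_static) and the sample values are constructed for illustration.

```php
<?php
// Added example: all sample values below are constructed, not from a real request.

/** Self-posting form tag with the action escaped for an HTML attribute. */
function form_open(string $self, string $method = 'post'): string
{
    $action = htmlspecialchars($self, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    // Only the two valid form methods are allowed through.
    $method = strtolower($method) === 'get' ? 'get' : 'post';
    return '<form action="' . $action . '" method="' . $method . '">';
}

/** The unescaped pattern, kept only to show the difference in output. */
function form_open_raw(string $self): string
{
    return '<form action="' . $self . '" method="post">';
}

/** Empty action: the browser submits to the current URL, no request data echoed. */
function form_open_static(string $method = 'post'): string
{
    $method = strtolower($method) === 'get' ? 'get' : 'post';
    return '<form action="" method="' . $method . '">';
}

// Constructed PHP_SELF values: a plain script path, and one where
// trailing path text carries a quote and markup characters.
$samples = [
    '/contact.php',
    '/contact.php/"><b>injected</b>',
];

foreach ($samples as $self) {
    echo 'PHP_SELF : ', $self, PHP_EOL;
    echo 'raw      : ', form_open_raw($self), PHP_EOL;
    echo 'escaped  : ', form_open($self), PHP_EOL;
    echo 'static   : ', form_open_static(), PHP_EOL, PHP_EOL;
}
```

In the second sample the raw output closes the action attribute early and the rest is parsed as markup, while the escaped output keeps the whole value inside the attribute.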