An empty URI is a valid URI that just means the current URI. It is perfectly safe. I use it on most every method="post" form; it doesn't make sense if method="get".

See: http://www.ietf.org/rfc/rfc2396.txt section 4.2

> (Which leads to the question, is PHP_SELF safe to use, or should you escape
> it?)

Of course you have to escape it. Type the following into Google

<a href="javascript:alert('hello world')">

and notice how many times it appears in the HTML - URL, input box, pagination, etc.

Cheers,
John Campbell
_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
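The three ways of writing a form's action attribute discussed in this message, shown side by side as an added example that is not part of the original post. The function names and the sample PHP_SELF values are constructed for illustration.

```php
<?php
// Added example: renders a POST form's opening tag three ways so the
// output can be compared. Run from the CLI; nothing here reads a real request.

/** Unescaped: PHP_SELF is copied verbatim into the attribute. */
function form_tag_raw(string $phpSelf): string
{
    return '<form method="post" action="' . $phpSelf . '">';
}

/** Escaped: PHP_SELF is HTML-encoded for a quoted attribute context. */
function form_tag_escaped(string $phpSelf): string
{
    return '<form method="post" action="'
        . htmlspecialchars($phpSelf, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '">';
}

/** Empty URI reference: the browser resolves it to the current document,
 *  so no request-derived data is written into the page at all. */
function form_tag_empty(): string
{
    return '<form method="post" action="">';
}

// Constructed values standing in for $_SERVER['PHP_SELF'].
// PHP_SELF includes any path info the requester appends after the script name.
$samples = [
    '/contact.php',
    '/contact.php/"><em>injected</em>',
];

foreach ($samples as $phpSelf) {
    echo "PHP_SELF: {$phpSelf}\n";
    echo '  raw:     ' . form_tag_raw($phpSelf) . "\n";
    echo '  escaped: ' . form_tag_escaped($phpSelf) . "\n";
    echo '  empty:   ' . form_tag_empty() . "\n\n";
}
```

With the second sample, the raw variant closes the attribute and tag early and emits the appended markup as live HTML, while the escaped variant keeps it inside the attribute value as `&quot;&gt;&lt;em&gt;...`. HTML5 validators reject an empty action attribute; omitting the attribute entirely gives the same submit-to-current-document behaviour.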
