Don't trust PHP_SELF
Sean Coates points out why $_SERVER["PHP_SELF"] must be considered unsafe: part of its value comes from the request (the PATH_INFO a client appends to the script path), so it is attacker-controlled input like any other. You should never echo it into a page without at least converting it to entities:
This offers me the chance to again repeat one of my mantras: create a function for everything, at least when reading values from somewhere, even for something as simple as retrieving the value of PHP_SELF. The reason is maintenance: if it later turns out that PHP_SELF was not properly validated, there is only one place to fix instead of every call site in your code.
Here’s my implementation:
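The post's own implementation is not reproduced on this page. What follows is an added example, not Sean Coates's or the author's code: a single accessor for PHP_SELF that entity-encodes the value for HTML output, shown next to the unsafe pattern it replaces. The function name `php_self()`, the helper names and the injected request path are assumptions made for the illustration.

```php
<?php
// Added example (not the post's own implementation): one accessor for PHP_SELF,
// entity-encoded so it can be dropped into HTML attributes and text safely.
declare(strict_types=1);

function php_self(): string
{
    // Assumption: PHP_SELF may be unset (e.g. on the CLI); fall back to "".
    $self = $_SERVER['PHP_SELF'] ?? '';
    // ENT_QUOTES also escapes the single quote, so the value is safe inside
    // single- and double-quoted attributes; ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of making htmlspecialchars() return "".
    return htmlspecialchars($self, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: the raw value lands inside an attribute, so a quote in
// the request path closes the attribute and the rest becomes markup.
function form_tag_unsafe(): string
{
    return '<form method="post" action="' . $_SERVER['PHP_SELF'] . '">';
}

// Hardened pattern: the same markup, but every read goes through the accessor.
function form_tag_safe(): string
{
    return '<form method="post" action="' . php_self() . '">';
}

// Constructed demonstration value: a request for
//   /form.php/"><script>alert(1)</script>
// on a server that accepts PATH_INFO produces exactly this PHP_SELF.
$_SERVER['PHP_SELF'] = '/form.php/"><script>alert(1)</script>';

echo "unsafe: ", form_tag_unsafe(), PHP_EOL;
echo "safe:   ", form_tag_safe(), PHP_EOL;
```

Run it with `php example.php`: the unsafe line contains a live `<script>` tag, the safe line keeps the whole path inside the attribute as `&quot;`, `&lt;` and `&gt;` entities. Entity encoding is the right transformation only for HTML body and attribute context; if the same value were written into a JavaScript string, a URL query component or a response header, each of those would need its own encoding, which is exactly why routing every read through one function pays off.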