Article one: Chris Shiflett: SERVER_NAME Versus HTTP_HOST
Article two: Sean Coates: XSS Woes
I thought both were quite insightful, though Sean’s stands-out more because PHP_SELF is used so often (be sure to check-out his phpinfo(); example at the end of the post). One method, as he explained, is to put the $_SERVER[‘PHP_SELF’] variable into htmlentities() so at least you aren’t potentially echoing dangerous output.
Heed Chris’s advice: treat $_SERVER variable just as you would $_GET and $_POST – all have the potential to be tainted.