The advantage of using `PHP_SELF` is that if you rename your page, your action attribute also changes.

About the security: with `htmlspecialchars` or `htmlentities`, they have the same security. But if you don't escape HTML characters with `PHP_SELF`, there are some exploits.

Personally, I suggest using `$_SERVER["SCRIPT_NAME"]`. If you update your filename, then the action attribute will update too, and with `SCRIPT_NAME`, you don't have the risk of the exploits with `PHP_SELF`.
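As an added illustration (example code, not part of the answer above), here is a self-posting form whose `action` attribute is built from `$_SERVER['SCRIPT_NAME']` and still passed through `htmlspecialchars()`. The helper name `formAction` and the form fields are assumptions for the example; `SCRIPT_NAME` is the path of the executing script, while `PHP_SELF` can additionally carry path information taken from the request URL, which is why `PHP_SELF` must never be echoed unescaped.

```php
<?php
// Added example, not from the original answer: a self-posting form whose action
// attribute comes from $_SERVER['SCRIPT_NAME'] and is escaped with htmlspecialchars().
// SCRIPT_NAME is the path of the executing script (e.g. /contact.php). PHP_SELF may
// also include PATH_INFO supplied by the client (e.g. /contact.php/extra), so it
// must never be printed into HTML without escaping.

declare(strict_types=1);

/**
 * Return an attribute-safe form action for the current script.
 * ENT_QUOTES escapes both single and double quotes, so the value cannot break
 * out of the action="..." attribute whatever the path contains.
 * (formAction is a hypothetical helper name chosen for this example.)
 */
function formAction(array $server): string
{
    $path = $server['SCRIPT_NAME'] ?? '/';
    return htmlspecialchars($path, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$message = '';
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    // User input is escaped on output for the same reason as the action attribute.
    $name = htmlspecialchars($_POST['name'] ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $message = "<p>Hello, {$name}!</p>";
}
?>
<!DOCTYPE html>
<html lang="en">
<head><meta charset="utf-8"><title>Self-posting form</title></head>
<body>
<?= $message ?>
<form method="post" action="<?= formAction($_SERVER) ?>">
    <label>Name: <input type="text" name="name" required></label>
    <button type="submit">Send</button>
</form>
</body>
</html>
```

Renaming the file keeps the form posting to itself, because `SCRIPT_NAME` follows the script's actual path, and the escaping makes the output safe regardless of which server variable is used.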