$_SERVER["PHP_SELF"] Exploits:

<form method="post" action="<?php echo $_SERVER["PHP_SELF"];?>"> 
<form method="post" action="test_form.php">

<form method="post" action="test_form.php/"><script>alert('hacked')</script>

$_SERVER["PHP_SELF"] exploits can be avoided by using the htmlspecialchars() function. 

<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>"> 

The htmlspecialchars() function converts special characters to HTML entities.Now, if the user tries to exploit the PHP_SELF variable. 

<form method="post"action="test_form.php/&quot;&gt;&lt;script&gt;alert('hacked')&lt;/script&gt;"> 

Validate Form Data With PHP : 

<script>location.href('http://www.hacked.com')</script> 

Example: 

<?php 
// define variables and set to empty values

$name = $email = $gender = $comment = $website = "";

if ($_SERVER["REQUEST_METHOD"] == "POST") {

  $name = test_input($_POST["name"]);

  $email = test_input($_POST["email"]);

  $website = test_input($_POST["website"]);

  $comment = test_input($_POST["comment"]);

  $gender = test_input($_POST["gender"]);

}

function test_input($data) {

  $data = trim($data);

  $data = stripslashes($data);

  $data = htmlspecialchars($data);

  return $data;

}?>

$_SERVER["REQUEST_METHOD"]. If the REQUEST_METHOD is POST, then the form has been submitted - and it should be validated.