$_SERVER["PHP_SELF"] is an element of the $_SERVER superglobal and returns the filename of the currently executing script.
Why $_SERVER["PHP_SELF"] is used:
Using $_SERVER["PHP_SELF"] as the form action sends the submitted data back to the same script, so error messages appear on the same page as the form.
How to protect $_SERVER["PHP_SELF"] from hackers?
Use htmlspecialchars($_SERVER["PHP_SELF"]).
htmlspecialchars converts the special characters in the filename (such as <, >, & and ") to HTML entities, so the value is printed as text and is protected from exploits.
<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
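The following is an added example, not code from the original page. It prints the form tag with and without htmlspecialchars for a constructed $_SERVER["PHP_SELF"] value, so you can see what the escaping changes. The helper names form_tag_raw and form_tag_escaped are hypothetical.

```php
<?php
// Constructed sample value. In a real request PHP fills $_SERVER["PHP_SELF"]
// from the URL path, and any extra path text after the script name is
// included in it, so the value is not fully under the developer's control.
$_SERVER["PHP_SELF"] = '/form.php/"><b>injected</b>';

// Unescaped: the double quote in the value closes the action attribute
// and the rest is parsed by the browser as page markup.
function form_tag_raw(): string
{
    return '<form method="post" action="' . $_SERVER["PHP_SELF"] . '">';
}

// Escaped: ", < and > become &quot;, &lt; and &gt;, so the whole value
// stays inside the action attribute as plain text.
function form_tag_escaped(): string
{
    // ENT_QUOTES also encodes single quotes; the charset is given explicitly.
    $action = htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $action . '">';
}

// Count how many HTML tags a browser would see in the generated string.
function count_tags(string $html): int
{
    return preg_match_all('/<[a-z\/][^>]*>/i', $html);
}

$raw     = form_tag_raw();
$escaped = form_tag_escaped();

echo "Raw:     ", $raw, PHP_EOL;
echo "Tags:    ", count_tags($raw), PHP_EOL;
echo "Escaped: ", $escaped, PHP_EOL;
echo "Tags:    ", count_tags($escaped), PHP_EOL;
```

The escaped form tag contains only the single form element, while the raw one contains extra tags that came from the URL.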