[x] Change: replace $_SERVER['PHP_SELF'] with $_SERVER['SCRIPT_NAME']
This is for security reasons. PHP_SELF contains not only the script path but also any PATH_INFO the client appended after the script name (e.g. /index.php/foo), which is attacker-controlled and, for our purposes, unwanted: echoed unescaped into a form action attribute it allows XSS. SCRIPT_NAME contains only the script path. (The query string itself is not part of PHP_SELF; it lives in QUERY_STRING.)
[x] Escape parameters in query strings with masking functions like intval or urlencode, and use htmlsc for values placed in further attributes
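Added example (not code from the original project) contrasting the two checklist items above. The $server and $get arrays are constructed stand-ins for $_SERVER and $_GET so the script runs from the CLI; htmlsc is assumed to be the project's wrapper around htmlspecialchars, which is not shown on the page.

```php
<?php
// Added example, not from the original changelog.
// Constructed request: the client asked for
//   /index.php/"><script>alert(1)</script>?id=7+OR+1%3D1&page=...
// PHP then sets PHP_SELF to the script name plus the PATH_INFO the client
// appended, while SCRIPT_NAME stays at the script path alone.
$server = [
    'PHP_SELF'    => '/index.php/"><script>alert(1)</script>',
    'SCRIPT_NAME' => '/index.php',
];
$get = [
    'id'   => '7 OR 1=1',
    'page' => 'start"><img src=x onerror=alert(1)>',
];

// Before the change: PHP_SELF and the raw parameter are dropped into the
// attribute verbatim, so the attacker-controlled PATH_INFO closes the
// attribute and the tag and injects markup.
function unsafeFormAction(array $server, array $get): string
{
    return '<form action="' . $server['PHP_SELF'] . '?id=' . $get['id'] . '">';
}

// Assumed stand-in for the changelog's htmlsc: escape for an HTML attribute.
function htmlsc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// After the change: SCRIPT_NAME instead of PHP_SELF, intval for the numeric
// parameter, urlencode for the string parameter inside the query string, and
// htmlsc over the finished URL before it goes into the attribute (so even a
// SCRIPT_NAME that a misconfigured server let through would be neutralised).
function safeFormAction(array $server, array $get): string
{
    $url = $server['SCRIPT_NAME']
         . '?id=' . intval($get['id'])          // "7 OR 1=1" -> 7
         . '&page=' . urlencode($get['page']);  // quotes and angle brackets percent-encoded
    return '<form action="' . htmlsc($url) . '">';
}

echo unsafeFormAction($server, $get), PHP_EOL;
// <form action="/index.php/"><script>alert(1)</script>?id=7 OR 1=1">
echo safeFormAction($server, $get), PHP_EOL;
// <form action="/index.php?id=7&amp;page=start%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E">
```

The three layers are distinct: intval/urlencode make each value safe inside the URL, htmlsc makes the whole URL safe inside the attribute, and SCRIPT_NAME removes the client-supplied PATH_INFO that PHP_SELF would have carried in.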