The difference is simple.
The first piece of code doesn't print anything.
<form method="post" action="<?php htmlspecialchars($_SERVER['PHP_SELF']); ?>">
So the action parameter is empty and by default browsers submit the form to the same site, which likely would be the same value htmlspecialchars($_SERVER['PHP_SELF']); returns.
If you use the second piece of code, the return of htmlspecialchars($_SERVER['PHP_SELF']); would be echoed out and the browser submits the form to the same site, like above.
Example
If your site was called form.php, the first piece of code would produce:
<form method="post" action="">
The browser sees action is empty and sends the form data to the site, form.php.
And the second piece would produce:
<form method="post" action="form.php">
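The two variants rendered side by side, as an added example that is not part of the original answer. The function names and the `PHP_SELF` values are constructed for illustration; the second sample carries extra path info after the script name to show what `htmlspecialchars()` does to the echoed value.

```php
<?php
// Added illustration; the PHP_SELF values set below are constructed samples.

// First form: the tag evaluates htmlspecialchars() but discards the result.
function form_without_echo(): string
{
    ob_start();
    ?><form method="post" action="<?php htmlspecialchars($_SERVER['PHP_SELF']); ?>"><?php
    return ob_get_clean();
}

// Second form: the escaped value is echoed into the action attribute.
function form_with_echo(): string
{
    ob_start();
    ?><form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>"><?php
    return ob_get_clean();
}

$samples = [
    '/form.php',               // plain script path
    '/form.php/"><b>x</b>',    // script path followed by extra path info
];

foreach ($samples as $self) {
    $_SERVER['PHP_SELF'] = $self;
    echo "PHP_SELF     : ", $self, PHP_EOL;
    echo "without echo : ", form_without_echo(), PHP_EOL;
    echo "with echo    : ", form_with_echo(), PHP_EOL, PHP_EOL;
}
```

Run from the command line, the "without echo" line shows `action=""` for both samples, while the "with echo" line for the second sample shows `action="/form.php/&quot;&gt;&lt;b&gt;x&lt;/b&gt;"`, so the quote and angle brackets stay inside the attribute value.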