Form Data - LEARN PHP IN A DAY: The Ultimate Crash Course to Learning the Basics of PHP in No Time (2015)

Chapter 7. Form Data

Introduction

One of the most convenient features of PHP is the way it handles HTML forms. The basic concept to understand is that every field of a submitted form is automatically made available to your PHP script, keyed by the field's name.

In order to be able to use form data inside of PHP, you need to be familiar with HTML forms. We won’t spend too much time on reviewing HTML forms. Here is an example HTML form:

There is nothing special about this form. It is a plain HTML form with no special tags of any kind. When the user fills it in and hits the submit button, the action.php page is called with the form data. Alternatively, you can leave the action attribute empty (action="") and the browser submits the form to the page you are on; essentially it reloads the page with the form data available to your script, which is how a single file can both display a form and process it.
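The form the chapter describes, written out as an added example because the listing itself is not reproduced on this page. The field names name and age and the target action.php come from the text; the input types, maxlength/min/max attributes and the surrounding page are assumptions:

```php
<?php
// form.php (added example): the plain HTML form the chapter describes.
// Field names "name" and "age" and the target action.php match the text.
// The maxlength/min/max/required attributes are assumptions and only a
// convenience for honest users: the browser enforces them, an attacker
// sending a hand-crafted HTTP request does not, so action.php must check again.
?>
<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8">
    <title>Form example</title>
</head>
<body>
<!-- method="post" puts the fields in the request body; method="get" would
     put them in the URL. action="" would submit back to this same file. -->
<form action="action.php" method="post">
    <label>Your name: <input type="text" name="name" maxlength="50" required></label><br>
    <label>Your age: <input type="number" name="age" min="1" max="150" required></label><br>
    <input type="submit" value="Submit">
</form>
</body>
</html>
```

Save it as form.php next to action.php and open it through the web server (not as a local file), otherwise the browser cannot submit to action.php.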

Methods for sending Form Data

There are two methods for sending form data: GET and POST.

GET appends the form data to the URL of the page as a query string. Whenever you see a URL that ends in something like ?key=value&key=value&key=value, you are looking at GET data. GET is the more limited method (browsers and servers cap the URL length, so it cannot carry large inputs or file uploads) and the less private one: the query string ends up in the browser history, in bookmarks, in server and proxy logs, and in the Referer header sent to other sites. It is the right choice for requests that only read data, such as a search, where a URL that can be bookmarked and shared is a feature. (The "unique tokens" sometimes added to GET requests, such as anti-CSRF tokens, protect against forged requests; they do not hide the data in the URL.)

POST sends the data in the body of the HTTP request instead of the URL, so it does not appear in the address bar, history or logs, and it is not subject to URL length limits, which is why it is used for logins, registrations, uploads and anything that changes state on the server. Do not mistake "not in the URL" for "private": without HTTPS a POST body travels in cleartext exactly like a query string, and anyone with the browser's developer tools can read and replay it. What makes a form secure is the server-side handling, not the method.

Both of these methods are available to PHP through the $_GET and $_POST superglobal arrays.

Referencing information from forms

You will notice that each input element of the HTML form has its own name. This name corresponds to a key in the matching superglobal array. The "method" attribute of the form decides whether you are using POST or GET.

Once the form has been submitted we can reference the corresponding elements of the array directly. For example, to display everything that was submitted we can do:

We will get all of the key-value pairs inside of that array.

Security

Important!!

Anytime you are dealing with user submitted data, you must assume that the user using your site has bad intentions. Always assume that you are writing a site that someone is trying to hack. Never trust that your users are not going to exploit a vulnerability in your site. It’s better to be overly secure than to not be secure.

When it comes to form data, you always have to be cautious. Think of it this way: when you give a user a field to type their name in, who guarantees that they will type a name? What if they type some PHP code? Or an SQL query? Or some JavaScript? Input is harmless as long as it is treated as data; the damage happens when it is handed to an interpreter unescaped: to the browser as HTML (XSS, cross-site scripting), to the database as part of an SQL string (SQL injection), or to eval() or include (code injection). You have to be the one who prevents that. XSS and SQL injection are the two most common types of web attack and will cause you intense headaches if you don't plan for them ahead of time.

Think of the form from the earlier example. When the user fills it in and hits the submit button, the action.php page is called. In that file you would write something like this:

The output will be:

Apart from the htmlspecialchars() and (int) parts, it should be obvious what this does. htmlspecialchars() encodes the characters that are special in HTML (<, >, &, " and, with the ENT_QUOTES flag, ') as entities, so whatever the user typed is rendered as text and cannot inject HTML tags or JavaScript into your page. For the age field, since we know it should be a number, we can cast it to an integer, which discards any stray characters. Note that the cast never complains: "25abc" becomes 25 and "abc" becomes 0, so if you need to reject bad input rather than silently coerce it, use the filter extension (filter_var() with FILTER_VALIDATE_INT) instead. The $_POST['name'] and $_POST['age'] variables are set for you by PHP. Above we introduced the $_POST superglobal, which contains all POST data. Notice how the method of our form is POST. If we used the method GET, our form data would live in the $_GET superglobal instead.
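An action.php for the form above, as an added example (not the book's listing): it shows what htmlspecialchars() does to a script tag and how a plain (int) cast and filter_var() differ on a non-numeric age. The sample submission is constructed so the script can be run from the command line, where $_POST is empty; the helper name escape_html and the age range 1..150 are assumptions:

```php
<?php
// action.php (added example): processing page for the name/age form.
declare(strict_types=1);

// From the CLI $_POST is empty, so a constructed hostile submission stands in.
// The name carries an XSS payload, the age is not a clean number.
$input = $_POST !== [] ? $_POST : [
    'name' => '<script>alert("xss")</script>Alice',   // constructed sample
    'age'  => '25abc',                                // constructed sample
];

// Output escaping: <, >, &, " and ' become entities, so the browser shows the
// text instead of interpreting it as markup. ENT_QUOTES also covers values
// printed inside attributes; the charset must match the page's encoding.
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Two ways to turn the age field into a number.
// (int) coerces: "25abc" becomes 25, "abc" becomes 0, and nobody is told the
// input was bad. filter_var() validates: anything that is not a whole integer
// in range comes back as false, so the script can reject it with an error.
$ageCoerced   = (int) ($input['age'] ?? 0);
$ageValidated = filter_var(
    $input['age'] ?? '',
    FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1, 'max_range' => 150]]
);

$name = escape_html((string) ($input['name'] ?? ''));

echo 'Hi ', $name, ".\n";
if ($ageValidated === false) {
    echo 'The age field was not a whole number between 1 and 150; ',
         '(int) would have silently turned it into ', $ageCoerced, ".\n";
} else {
    echo 'You are ', $ageValidated, " years old.\n";
}
```

Run it with php action.php to see the constructed sample handled: the script tag comes out as entity-encoded text, and the age is reported as invalid rather than being quietly accepted as 25. Submitting the real form sends it through the same code, since $_POST takes precedence when it is non-empty.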

Form validation is a wide topic that we will not cover in this book, but hopefully this example gives you an idea of what to do. Generally, your form processing page will have a number of if statements that check a number of things. Here is a general outline of what you should do when validating a form:

- If a field is required, meaning it must have a value (e.g. a password field for a user registering on your site), check that it is present and not empty. isset() alone is not enough: a field that was submitted blank is set, to the empty string. Use something like: if (!isset($_POST['password']) || $_POST['password'] === '') { /* record an error */ }

- Generally it is a good idea to create an errors array. This array will contain all of the errors found in the form. When validation of a field fails, add a message to it. At the end, if the array is not empty, display the messages on the page (escaped, since they may echo the user's input) so the user knows what went wrong and can fix it; otherwise go ahead and process the form.

- Whenever you send user data to a database, ALWAYS (ALWAYS ALWAYS ALWAYS!) keep the data out of the SQL text: use a prepared statement with bound parameters (mysqli_prepare() with bind_param(), or PDO::prepare()), so that an apostrophe or a stray query inside the input is stored as a string and never parsed as SQL. That is what prevents SQL injection. If you are stuck building the query string by hand in old code, mysqli_real_escape_string() is the fallback that escapes the special characters, but it is easy to forget once, and it does nothing for values that are not inside quotes. Do not run htmlspecialchars() on data before storing it: HTML encoding belongs at output time, when you print a value into a page. Encoding before storage corrupts the data for every other consumer (e-mail, JSON, CSV) and you still have to escape on output anyway.

- If you know a field has to be an integer, or some other number, validate it as one (filter_var() with FILTER_VALIDATE_INT or FILTER_VALIDATE_FLOAT) or cast it. Casting guarantees you end up with a number but silently turns junk into 0; validating lets you reject the junk with an error.

- Always test and debug your form with different kinds of input. Think like an attacker: what would you put in the field to make the site break? Try quotes, angle brackets, very long strings, empty values, and missing fields altogether (an attacker can send a request without the field, whatever your HTML says).
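The outline above carried through as one complete processing page, added here as an example and not taken from the book: required-field checks that distinguish "missing" from "empty", an errors array, number validation, a prepared statement for the insert, and HTML escaping applied only at output. The book mentions mysqli; this example uses PDO with an in-memory SQLite database so it runs without a database server (with mysqli the same pattern is $mysqli->prepare() followed by bind_param()). The table layout, field names, length limits and the two constructed submissions are assumptions:

```php
<?php
// register.php (added example, not from the book): validate a sign-up form
// and store it with a prepared statement. Uses PDO + in-memory SQLite so it
// runs stand-alone; the SQL text would be the same against MySQL.
declare(strict_types=1);

// Validate the submitted fields. Returns [errors, clean values].
function validate(array $input): array
{
    $errors = [];
    $clean  = [];

    // Required fields: isset() alone is not enough, because a submitted but
    // empty field is set to "". Check for the empty string explicitly.
    foreach (['name', 'password'] as $field) {
        if (!isset($input[$field]) || !is_string($input[$field]) || $input[$field] === '') {
            $errors[] = "The $field field is required.";
        }
    }

    $name = isset($input['name']) && is_string($input['name']) ? trim($input['name']) : '';
    if (strlen($name) > 50) {
        $errors[] = 'Name must be at most 50 characters.';
    }
    $clean['name'] = $name;

    // Numbers: validate rather than cast, so "17abc" is rejected instead of becoming 17.
    $age = filter_var($input['age'] ?? '', FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 18, 'max_range' => 150]]);
    if ($age === false) {
        $errors[] = 'Age must be a whole number between 18 and 150.';
    }
    $clean['age'] = $age;

    $password = isset($input['password']) && is_string($input['password']) ? $input['password'] : '';
    if ($password !== '' && strlen($password) < 12) {
        $errors[] = 'Password must be at least 12 characters.';
    }
    $clean['password'] = $password;

    return [$errors, $clean];
}

// Store one record. The values travel as bound parameters and are never
// spliced into the SQL text, so quotes in the name cannot alter the query.
function store(PDO $db, array $clean): int
{
    $stmt = $db->prepare('INSERT INTO users (name, age, password_hash) VALUES (:n, :a, :p)');
    $stmt->execute([
        ':n' => $clean['name'],
        ':a' => $clean['age'],
        ':p' => password_hash($clean['password'], PASSWORD_DEFAULT), // never store the plain password
    ]);
    return (int) $db->lastInsertId();
}

// Output escaping, applied when printing, never when storing.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, age INTEGER, password_hash TEXT)');

// From the CLI $_POST is empty, so two constructed submissions stand in:
// the first is hostile but valid, the second fails validation.
$submissions = $_POST !== [] ? [$_POST] : [
    ['name' => "Robert'); DROP TABLE users;--", 'age' => '34',    'password' => 'correct horse battery'],
    ['name' => '<b>Eve</b>',                     'age' => '17abc', 'password' => ''],
];

foreach ($submissions as $input) {
    [$errors, $clean] = validate($input);
    if ($errors !== []) {
        echo 'Rejected ', h($clean['name']), ":\n";
        foreach ($errors as $e) {
            echo '  - ', h($e), "\n";   // error text may echo user input, so escape it too
        }
        continue;
    }
    $id = store($db, $clean);
    echo "Stored user #$id as ", h($clean['name']), "\n";
}

// The table survived and the quote-laden name was stored literally.
$row = $db->query('SELECT name FROM users WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
echo 'Row 1 name: ', h($row['name']), "\n";
```

Run it with php register.php (the pdo_sqlite extension must be enabled). The first submission is stored even though it contains an SQL fragment, because the fragment is a parameter value and not part of the statement; the second is turned into a list of error messages. When the script is driven by the real form, $_POST replaces the constructed samples and the same validate() and store() functions do the work.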

Conclusion

In this brief chapter we covered some important concepts about dealing with form data and security issues. Hopefully you have understood the importance of security in your web applications.

Exercise 1

In this exercise, you will request input from the user, then pass the user's response from one file to another and do something with it.

Create two separate files. The first will contain a form with one input field asking for the user's favorite city. Use the post method for the form. Although this file contains no PHP code, on my localhost, it needs the .php extension to successfully call the second file.

The second file will contain PHP code to process the user's response (in this case, something very simple). After the user clicks the submit button, echo back "Your favorite city is $city.", where $city is the input from the form.

Hint: the variable that contains the user's input is an array. Arrays will be addressed in later exercises, but this particular array is needed here. The array element is $_POST['name'], where 'name' is the name of your input field.

Exercise 2

One very useful thing you can do with PHP is include the request for user input and the response in the same file, using conditional statements to tell PHP which one to show. For this PHP exercise, rewrite the two files of the previous exercise into one file using an if-else conditional statement.

Hint: You'll need some way to tell if the form has been submitted. The function to determine if a variable has been set and is not null is isset().

Exercise 3

For this PHP exercise, you will use the same format as the previous exercise, requesting input in the first part, and responding in the second, through the magic of PHP's if-else statement. In the first section, give the user an input field and request that they enter a day of the week.

For the second section, you'll need the following poem:

Laugh on Monday, laugh for danger.

Laugh on Tuesday, kiss a stranger.

Laugh on Wednesday, laugh for a letter.

Laugh on Thursday, something better.

Laugh on Friday, laugh for sorrow.

Laugh on Saturday, joy tomorrow.

Using the if-elseif-else construction, set each line to output in response to the day the user inputs, with a general response for any input that is not in the poem.