📖 PHP Form Processing
Forms are a common way to interact with web site visitors. Making forms user-friendly and secure is an important and somewhat complex task. The form must first be designed in a user-friendly format with clear data fields and controls.
The data submitted with the form must be validated and sanitized before the PHP program uses it. If it is not, the application can be compromised by a variety of attacks. The data must be checked for completeness and acceptable content. If a form control (field) is not filled out properly, the form must be re-displayed to the user with the values they already entered preserved in the fields; these are called sticky fields. Once the form data is validated, it must be sanitized to remove malicious content and prepared for further processing. Finally, the user must receive an appropriate response from the server to progress through the application. Here is an outline of the form process.
- Display an initial form to the user. This is often a blank form but may be populated with data from a previous interaction with the client.
- User fills out and submits the form for processing.
- Form data is accessed and validated. All required fields are checked for completion and data type.
- If the data is faulty or fails validation, the form is redisplayed to the user with the original form fields populated with user entered data. These are sticky form fields.
- If the data is acceptable, the data may be sanitized for further processing such as preparing the data for database submission or for continued use by the site.
Tips for creating a web page form that submits to a PHP script.
- The form must have a method of get or post.
- The form must have an action attribute with the appropriate php script file name.
- Each form element must have a unique name.
- Radio buttons and options must each have a value.
- The form must have a submit button.
- End the form with the </form> tag.
- Make your form HTML compliant.
Example
Here is a sample form that we are going to use to demonstrate these concepts.
<fieldset>
<legend> Sample Form </legend>
<form method="post" action="form.php">
<p>
<label for="artist">Artist</label>
<input type="text" name="artist" id="artist">
</p>
<p>
<label for="album">Album</label>
<input type="text" name="album" id="album">
</p>
<p>
<label for="rdate">Release date</label>
<input type="text" name="rdate" id="rdate">
</p>
<p>
<input type="radio" name="type" id="typecd" value="cd">
<label for="typecd">CD</label>
<input type="radio" name="type" id="typedl" value="download">
<label for="typedl">Download</label>
</p>
<p>
<input type="submit" name="submit" value="Add Album">
</p>
</form>
</fieldset>
The form above would look like this.
Retrieving data from a form.
Clicking Add Album in the form above would likely cause your browser to show an error, because the target file named in the form's action attribute has not been created yet. The server would not know what to do with the form input and would respond with an error. We need to write the code that handles the form processing, either in the same file or in a separate target file. Before we can do that, we need to know a little more about how the form works. The following is a partial list of the PHP "superglobal" variables that carry submitted form data.
- $_POST is a predefined superglobal variable in PHP that gives you access to form data submitted from a form with method="post".
- $_GET is a predefined superglobal variable in PHP that gives you access to form data submitted from a form with method="get".
- $_POST and $_GET are arrays that contain all of the values from the form fields. To access an individual form field, use the name of the form field as the index into the array.
Sending data without a form.
PHP has some built-in functions that are used for processing user data. While forms can use method="get", it would be unusual to do so. $_GET has limits on the amount of data that can be sent, and it is a little less secure because the values appear in the URL, where they end up in browser history and server logs. $_GET is more likely to be used with querystrings to allow for direct linking to web pages.
- You can encode data in the querystring appended to the URL of a link to transfer data without using a form.
- The querystring is created by putting a question mark (?) after the URL and then coding name-value pairs (name=value) separated by an ampersand (&).
- Example: To link to a page called helloUser and pass a firstname and lastname variable, the link would look like this:
<a href="helloUser.php?firstname=Santa&lastname=Claus">Hello User</a>
Example
<!-- form method = "post" -->
<form method="post">
<input type="text" name="lastname">
</form>
<?php
// retrieve the value entered in the field using
$lastname = $_POST['lastname'];
?>

<!-- form method = "get"; each radio button needs a value attribute -->
<form method="get">
<input type="radio" name="gender" value="female">
<input type="radio" name="gender" value="male">
</form>
<?php
// retrieve the value of the selected radio button using
$gender = $_GET['gender'];
?>
If you want to output the value of a form field to a page using the print command with double quotes, you will probably have to assign the form value to a variable first.
<?php
// escape the value so that user input cannot inject HTML into the page;
// ?? '' avoids an undefined-index warning when the field was not sent
$lastname = htmlspecialchars($_POST['lastname'] ?? '');
print "Your last name is $lastname";
?>
There is an alternate way to retrieve information from a form using the filter_input() PHP function, which is considered a more secure way of retrieving form values: it returns null when the field is absent instead of raising a warning, and it can apply a validation filter to the value.
<?php
$variableName = filter_input(location, fieldname); // e.g. filter_input(INPUT_POST, 'lastname')
?>
This is a function to retrieve data from an html form and store it in a variable called variableName where...
- location specifies where to find the data: INPUT_GET if the form uses method="get", INPUT_POST if the form uses method="post"
- and fieldname is the name of the form field.
Using a single page to display and handle form data.
<?php
if (isset($_POST['submit'])) { // checks to see if the form has been submitted (use $_GET for method="get")
    // handle form data
} else {
    // display the form
}
// may use if (filter_has_var(INPUT_POST, 'submit')) as an alternative to isset($_POST['submit'])
?>
Example
Here is some sample php code to process the form data in the example above.
<?php
// check to see if the form has been submitted; if so, write out the data.
if (isset($_POST['submit'])) {
    // retrieve the values from the form; ?? '' avoids an undefined-index
    // warning when a field is not sent (e.g. no radio button was selected)
    $artist = $_POST['artist'] ?? '';
    $album = $_POST['album'] ?? '';
    $rdate = $_POST['rdate'] ?? '';
    $type = $_POST['type'] ?? '';
    // display them on the page, escaped so user input cannot inject HTML or script
    echo "<p>You entered the following values:</p>";
    echo "<p>Artist: " . htmlspecialchars($artist) . "</p>";
    echo "<p>Album: " . htmlspecialchars($album) . "</p>";
    echo "<p>Release date: " . htmlspecialchars($rdate) . "</p>";
    echo "<p>Type: " . htmlspecialchars($type) . "</p>";
} else {
    // display the form; action="form.php" must name the file containing this script
    echo <<<EOD
<fieldset>
<legend> Sample Form </legend>
<form method="post" action="form.php">
<p>
<label for="artist">Artist</label>
<input type="text" name="artist" id="artist" value="">
</p>
<p>
<label for="album">Album</label>
<input type="text" name="album" id="album" value="">
</p>
<p>
<label for="rdate">Release date</label>
<input type="text" name="rdate" id="rdate" value="">
</p>
<p>
<input type="radio" name="type" id="typecd" value="cd">
<label for="typecd">CD</label>
<input type="radio" name="type" id="typedl" value="download">
<label for="typedl">Download</label>
</p>
<p>
<input type="submit" name="submit" value="Add Album">
</p>
</form>
</fieldset>
EOD;
}
?>
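The outline at the top of the page (display, validate, redisplay with sticky fields, sanitize) carried through for the album form, using filter_input() and the single-page pattern. This is an added example, not code from the original page; it assumes the file is saved as form.php and that the release date is entered as YYYY-MM-DD.

```php
<?php
// Added example, not the page's own code: the album form handled on one page
// with validation, sticky fields and escaped output. Assumes this file is form.php.
// Escape a value for safe use in HTML text or attributes.
function h(?string $s): string {
    return htmlspecialchars($s ?? '', ENT_QUOTES, 'UTF-8');
}
$fields = ['artist', 'album', 'rdate', 'type'];
$values = array_fill_keys($fields, '');
$errors = [];
if (filter_has_var(INPUT_POST, 'submit')) {
    // filter_input() returns null for a missing field, so the cast yields ''.
    foreach ($fields as $f) {
        $values[$f] = trim((string) filter_input(INPUT_POST, $f));
    }
    if ($values['artist'] === '') { $errors[] = 'Artist is required.'; }
    if ($values['album'] === '')  { $errors[] = 'Album is required.'; }
    // Release date must be YYYY-MM-DD (assumed format) and a real calendar date.
    $d = DateTime::createFromFormat('Y-m-d', $values['rdate']);
    if ($d === false || $d->format('Y-m-d') !== $values['rdate']) {
        $errors[] = 'Release date must be YYYY-MM-DD.';
    }
    // Only the values offered by the radio buttons are accepted.
    if (!in_array($values['type'], ['cd', 'download'], true)) {
        $errors[] = 'Choose CD or Download.';
    }
    if ($errors === []) {
        // Valid submission: echo it (escaped); a real app would store it here.
        echo '<p>Added ' . h($values['album']) . ' by ' . h($values['artist'])
           . ' (' . h($values['rdate']) . ', ' . h($values['type']) . ').</p>';
        exit;
    }
}
// First visit, or redisplay with errors and the user's values kept (sticky).
foreach ($errors as $e) {
    echo '<p class="error">' . h($e) . '</p>';
}
$v  = array_map('h', $values);
$cd = $values['type'] === 'cd' ? ' checked' : '';
$dl = $values['type'] === 'download' ? ' checked' : '';
echo <<<HTML
<form method="post" action="form.php">
<p><label for="artist">Artist</label> <input type="text" name="artist" id="artist" value="{$v['artist']}"></p>
<p><label for="album">Album</label> <input type="text" name="album" id="album" value="{$v['album']}"></p>
<p><label for="rdate">Release date</label> <input type="text" name="rdate" id="rdate" value="{$v['rdate']}"></p>
<p><input type="radio" name="type" id="typecd" value="cd"$cd> <label for="typecd">CD</label>
<input type="radio" name="type" id="typedl" value="download"$dl> <label for="typedl">Download</label></p>
<p><input type="submit" name="submit" value="Add Album"></p>
</form>
HTML;
```

Every value written back into the page passes through h(), so a submitted value such as "><script> is shown literally instead of being interpreted by the browser.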