Computer Science Canada

[Tutorial] Handling Forms

Author:  rdrake [ Fri Nov 04, 2005 7:50 am ]
Post subject:  [Tutorial] Handling Forms

One of the greatest things about PHP is its ability to easily handle forms. Input from one page is sent to another, and can easily be accessed with PHP.

Here's a typical example of a form.
code:
<html>
<head>
<title>Page 1 - The Form</title>
</head>
<body>
<form action="process.php" method="get">
<input type="text" name="name">
<input type="submit" value="OK">
</form>
</body>
</html>
The above code creates a form with a single field and a button which will submit the form. You may notice that each input tag has two important properties. The 'type' property allows you to make the input field whatever you want. The 'name' property is also important: it assigns each field a name, and you will need this in order to process the form.

Input Types

  • button - regular button
  • checkbox - regular check box
  • file - allows you to select files on your computer
  • hidden - as the name suggests, not displayed but still there
  • image - allows you to place an image as a button
  • password - shadows the input
  • radio - little circles
  • reset - resets every part of the form
  • submit - submits the information
  • text - for text input
You will most likely need to use text and submit the most.

Now, we have our form created. When 'OK' is clicked, it will send the value of the 'name' box to 'process.php' using the 'GET' method.

You're probably wondering what the difference is between the methods? GET is used for simple things. It sends the information through the URL at the top, and can easily be viewed by anyone who is sitting at the computer. Not only that, but it is restricted to a certain length so it's no good for long inputs. POST hides the information and is sent 'behind the scenes' without the user realizing it. This method also allows for much longer input, such as this post I'm posting now.

Let's create our process.php file to handle the input.
code:
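<?php
    // Escape the submitted value so any markup in it is shown as text rather than rendered.
    echo htmlspecialchars(isset($_GET['name']) ? $_GET['name'] : '', ENT_QUOTES, 'UTF-8');
?>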
Easy, right? Basically what's happening is this. '$_GET' specifies that we want to access the GET array. This can change to POST, depending on which method we use in the form. Now, ['name'] specifies that we specifically want to access the 'name' property of the GET array. In this way, we display the value of the 'name' field from the previous page.

You can change the 'name' inside the square brackets to whatever you need it to be. $_GET[''] can be changed to $_POST[''], depending on how you make your form. Ours is GET, so we use the first one.

Things like check boxes are handled similarly. Only they won't have a changing value like text boxes and others, just a 1 or 0. This indicates whether or not they were selected.

I think that just about covers it. Any more questions, just ask.

Author:  wtd [ Fri Nov 04, 2005 2:14 pm ]
Post subject: 

You should discuss validation of input.

Author:  rdrake [ Fri Nov 04, 2005 3:54 pm ]
Post subject: 

wtd wrote:
You should discuss validation of input.
Good idea. Was kinda in a rush to write it, so I'll add it now.

So you have the $_GET['name'] variable set? Now, there are a variety of functions we can perform on it. For this tutorial, I will assign the variable to another, $name, for simplicity's sake.
code:
// Use an empty string when the field was not submitted.
$name = isset($_GET['name']) ? $_GET['name'] : '';
Of course, you can't have an empty name, so let's check to see whether or not it is empty.
code:
if (empty($name)) {
    echo "The string is empty!";
}
This would obviously cause some problems, especially if you wanted to further manipulate that field. If you want to redirect the user, you could use the following code instead:
code:
if (empty($name)) {
    header("Location: http://yoursite.com/form.html");
    exit; // Stop here so the rest of the script does not run after the redirect.
}
Now that the field has some value to it, we'll want to make sure it doesn't have any spaces at the beginning or the end. This is easily accomplished by using the following code.
code:
$name = trim($name);
Not only does it strip off whitespace, but it also gets rid of tabs, carriage returns, and vertical tabs.

Ok, now we have a value which is not empty nor surrounded by whitespace. Now what? We can also check to see what kind of value the field contains. Why? Well if we want an employee number, we obviously don't want it to be a string, so we can make sure it is indeed a number.

For numbers,
code:
if (is_numeric($name)) {
    echo "The value is a number.";
}
For strings,
code:
if (is_string($name)) {
    echo "The value is a string.";
}
Now that you know what the value is and that it actually contains something, let's check the length of the input.
code:
echo strlen($name);
If you want the length to be a certain size, then you can easily modify this to fit an if statement and compare it to a preset value.
code:
if (strlen($name) == 10) {
    // Escape the value before echoing it back into the page.
    echo htmlspecialchars($name, ENT_QUOTES, 'UTF-8')." is 10 characters in length.";
}
This makes sure that nobody tries to input something else besides what they're supposed to.

A careful combination of these techniques will help you both validate your input and protect your site from attack. Your site will remain more secure if you follow the golden rule: never trust anything a user inputs without checking it first.
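
The checks from the post above combined into one function, as an added example that is not rdrake's code; the 'empno' field, the 50-character limit and the sample inputs are assumptions. It uses ctype_digit() for the employee number because is_numeric() also accepts values such as "1e5", and it escapes on output because a value that passes validation can still contain markup.

```php
<?php
// Added example, not rdrake's code. The 'empno' field, the 50-character limit
// and the sample inputs are assumptions made for illustration.
function validate_form(array $input): array
{
    $clean  = [];
    $errors = [];
    // ?name[]=x arrives as an array, so confirm the value is a string first.
    $name = $input['name'] ?? '';
    if (!is_string($name)) {
        $errors['name'] = 'Name must be a single text value.';
    } else {
        $name = trim($name);
        // Compare with '' rather than empty(): empty("0") is true.
        if ($name === '') {
            $errors['name'] = 'Name is required.';
        } elseif (strlen($name) > 50) {
            $errors['name'] = 'Name must be 50 characters or fewer.';
        } else {
            $clean['name'] = $name;
        }
    }

    // is_numeric() also accepts "1e5" and "-1.5"; ctype_digit() allows digits only.
    $empno = $input['empno'] ?? '';
    if (!is_string($empno) || strlen($empno) !== 10 || !ctype_digit($empno)) {
        $errors['empno'] = 'Employee number must be exactly 10 digits.';
    } else {
        $clean['empno'] = $empno;
    }
    return [$clean, $errors];
}

// Constructed sample input standing in for $_GET.
$samples = [
    ['name' => '  Alice ',   'empno' => '0012345678'],
    ['name' => ['x'],        'empno' => '1e5'],
    ['name' => '<b>Bob</b>', 'empno' => '0000000001'],
];
foreach ($samples as $input) {
    [$clean, $errors] = validate_form($input);
    foreach ($clean as $field => $value) {
        // Passing validation does not make a value safe to print: escape on output.
        echo $field, ': ', htmlspecialchars($value, ENT_QUOTES, 'UTF-8'), "\n";
    }
    foreach ($errors as $field => $message) {
        echo $field, ' error: ', $message, "\n";
    }
}
```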

Author:  beard0 [ Mon Nov 07, 2005 3:40 pm ]
Post subject: 

$_REQUEST is very useful - it can be used for posts and gets - as well as cookies. I find it very useful, as a form which started out as being a GET may change into a POST without needing to then change your PHP.

Author:  wtd [ Mon Nov 07, 2005 5:04 pm ]
Post subject: 

One place you might want input validation:

Let's say you're building a "Contact Us" form. You want someone to be able to e-mail anyone in the company. The naive approach is to just have the user submit the e-mail address of the person they're contacting.

But then they can send e-mail to anyone in the world using your page. They can turn you into a spam machine.

Instead, you have them submit the name of the person, then compare it against a set of known names. If it's a valid name, you send the e-mail to the corresponding address. If not, you reprint the form with an error notice.
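
The approach described in the post above, as an added example that is not wtd's code; the recipient names, the addresses, the contact.php action and the 'to' and 'message' field names are constructed for illustration. The address is always taken from the server-side list, so a submitted value is only ever used as a lookup key.

```php
<?php
// Added example, not wtd's code. Recipient names, addresses and the field
// names 'to' and 'message' are constructed for illustration.
const RECIPIENTS = [
    'Alice Smith' => 'alice@example.com',
    'Bob Jones'   => 'bob@example.com',
];

function h($value): string
{
    return htmlspecialchars(is_string($value) ? $value : '', ENT_QUOTES, 'UTF-8');
}

// Reprint the form; the choices come from the server-side list, never from input.
function render_form(array $post, string $error = ''): string
{
    $html = $error === '' ? '' : '<p class="error">' . h($error) . "</p>\n";
    $html .= "<form action=\"contact.php\" method=\"post\">\n<select name=\"to\">\n";
    foreach (array_keys(RECIPIENTS) as $name) {
        $html .= '<option>' . h($name) . "</option>\n";
    }
    $html .= '</select><textarea name="message">' . h($post['message'] ?? '')
           . "</textarea>\n<input type=\"submit\" value=\"Send\">\n</form>\n";
    return $html;
}

// Returns ['send', address, body] for a known name, otherwise ['form', html].
function handle_contact(array $post): array
{
    $to = $post['to'] ?? null;
    // An array value (to[]=x) or any name not in the list is rejected here.
    if (!is_string($to) || !array_key_exists($to, RECIPIENTS)) {
        return ['form', render_form($post, 'Please choose a recipient from the list.')];
    }
    $body = $post['message'] ?? '';
    return ['send', RECIPIENTS[$to], is_string($body) ? $body : ''];
}

// Constructed requests standing in for $_POST.
$requests = [
    ['to' => 'Alice Smith',            'message' => 'Hello'],
    ['to' => 'someone@elsewhere.test', 'message' => 'Hello'],
];
foreach ($requests as $post) {
    $result = handle_contact($post);
    // A real handler would call mail($result[1], ...) in the 'send' case.
    echo $result[0] === 'send' ? "send to {$result[1]}\n" : $result[1];
}
```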

Author:  robotforce [ Sat Apr 07, 2012 6:30 am ]
Post subject:  Re: [Tutorial] Handling Forms

Can you please let me know what the difference is between the get and post methods? In what condition do we use the get method?
Thanks in advance :)

Author:  Nick [ Sat Apr 07, 2012 10:58 am ]
Post subject:  RE:[Tutorial] Handling Forms

Notice the URL of this page? Specifically the "?p=258731". This shows the page is using get. The difference is whether the data is passed through the URL or if it is hidden by the user. So if I wanted a page that is meant to be shared, such as pastebin, I'd use get. If I was redirected a form with a password which is not meant to be shared (privacy reasons) I'd use post.

Author:  2goto1 [ Sat Apr 07, 2012 11:36 am ]
Post subject:  Re: [Tutorial] Handling Forms

robotforce @ Sat Apr 07, 2012 6:30 am wrote:

Can you please let me know what the difference is between the get and post methods? In what condition do we use the get method?
Thanks in advance :)


The HTTP get method is generally recommended when you want to view a page that doesn't alter state in any way. The HTTP post method is generally recommended when you need an action that alters state - create, update, and delete actions are the typical candidates for HTTP posts.

An HTTP get is a good candidate for a "view forum thread" action, since viewing a forum thread generally doesn't alter state, so it's a good candidate for the HTTP get method. Delete forum threads buttons, create forum threads buttons, and update forum threads buttons are excellent candidates for HTTP post methods.

Realistically state can be altered with the HTTP get method. For example, viewing a forum thread may cause a log to be saved on the server of that forum thread view. Or viewing a product on an e-commerce website may cause the product that you viewed to be saved on the server side in order for the e-commerce website to show you better recommended products that you might be interested in. In general this is an acceptable type of state change that HTTP gets can support. In general avoid supporting create, update, or delete operations with HTTP gets.

If you need to ensure search engine optimization, you'll generally need to use HTTP gets. HTTP posts are usually not search engine friendly because good search engines don't post data to forms as they're indexing web pages. Search engines tend to follow HTML links, which are all HTTP get operations. If you have a forum topic that spans 10 pages and you want all 10 pages to be accessible to a search engine, you have to make them all accessible with HTML links in order for search engines to navigate to those additional pages and index their content.

Hope that helps a bit. If you Google the topic you'll find a ton of information that can help you to understand the difference more.

