How to Interact with Web Forms. Part 1 | WebReference

Excerpted from Chapter 4: Interact with Web Forms from the PHP Phrasebook by Christian Wenz. ISBN 0672328178, Copyright © 2005. Used with the permission of Sams Publishing.

Interacting with Web Forms

HTML forms are one of the key ingredients of any dynamic website because they can enable the users of a site to interact with it. Otherwise, websites are more or less static: They may be driven by a database and, therefore, regularly changing, but they look the same for each and every visitor. HTML forms can change that; therefore, using data from forms from within PHP is very important.

Reading the information in is a very easy task: For form data submitted via GET (that is, in the Uniform Resource Identifier [URI] of the page requested), the data can be found in $_GET[<value of name attribute of form field>]. However, this is only the beginning. Suppose a user fills out a form but forgets one field. Instead of presenting an error message and asking the user to click the browser's Back button, the user can expect a form in which all fields are filled in with the values that he previously provided. Many books neglect this; yet, even worse, some books just do it wrong. You must not forget the special encoding of the form field values; otherwise, the form is subject to Cross-Site Scripting (XSS) attacks or, at least, could look ugly.

Figure 4.1 demonstrates this: You see two buttons with the same caption; however, only the first button's caption was encoded correctly in the HTML code.

Other important topics of interest include Hypertext Transfer Protocol (HTTP) file uploads and coping with the various settings in php.ini or elsewhere that might boycott the good intentions of the developer.

Sending Form Data Back to the Current Script

All relevant browsers send back form data to the current page, if no action attribute is provided in the <form> element. However, the HTML and the Extensible Hypertext Markup Language (XHTML) specifications both state that action is a required attribute (marked as #REQUIRED in the Document Type Definitions [DTDs]). The behavior of the user agent is undefined, as the HTML specification at html#adef-action explains. Therefore, it's a good idea to specifically provide the uniform resource locator (URL) of the current script as the form's action. The code above does this and also escapes special characters in $_SERVER['PHP_SELF'] for security reasons.
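The two points made so far, escaping re-filled field values (the Figure 4.1 button caption) and pointing action at the escaped path of the current script, combined in one added example. This is not the book's listing; the function names h(), renderForm() and missingFields() and the sample input are assumptions made here, and the sample stands in for a real $_GET and $_SERVER['PHP_SELF'].

```php
<?php
// Added example (not from the book): a "sticky" form that sends its data back
// to the current script and re-fills its fields from the submitted values,
// escaping every value so user-supplied text cannot break out of an attribute.

// Escape a string for HTML text or a double-quoted attribute value.
// ENT_QUOTES also converts single quotes, so the result is safe in either.
function h($s) {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Build the form. $data is the submitted data ($_GET in a real request);
// $self is the path of the current script ($_SERVER['PHP_SELF'] in practice).
function renderForm(array $data, $self) {
    $name    = isset($data['name'])    ? $data['name']    : '';
    $caption = isset($data['caption']) ? $data['caption'] : 'Send';
    $html  = '<form action="' . h($self) . '" method="get">' . "\n";
    $html .= '  <input type="text" name="name" value="' . h($name) . '" />' . "\n";
    // The Figure 4.1 case: without h(), a quote or angle bracket in the
    // caption would end the value attribute and become part of the markup.
    $html .= '  <input type="submit" name="caption" value="' . h($caption) . '" />' . "\n";
    $html .= "</form>\n";
    return $html;
}

// List required fields that are empty or absent, so the script can re-show
// the filled-in form with a message instead of relying on the Back button.
function missingFields(array $data, array $required) {
    $missing = array();
    foreach ($required as $field) {
        if (!isset($data[$field]) || trim($data[$field]) === '') {
            $missing[] = $field;
        }
    }
    return $missing;
}

// Constructed sample input (assumption) containing characters that must be
// encoded; PHP_SELF can carry such characters too via extra path info.
$sample   = array('name' => "O'Reilly & <b>", 'caption' => 'Click "here" <go>');
$selfPath = '/form.php/<x>';

foreach (missingFields($sample, array('name', 'email')) as $f) {
    echo "Missing field: " . h($f) . "\n";
}
echo renderForm($sample, $selfPath);
```

Run from the command line it prints the missing-field notice for email and a form whose action and value attributes contain only entity-encoded text.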

Reading Out Form Data

At the beginning, reading out form data was very easy: If the form field had the name attribute "whatever" or, in newer versions of HTML/XHTML, the id attribute "whatever", PHP creates a variable $whatever in the global scope. This is very convenient, but, from an architectural point of view, is a bad idea. Therefore, this was disabled by default from PHP version 4.2 onward, using the following php.ini directive:

register_globals = Off

Since PHP 3, the following global arrays existed for form data:
  • $HTTP_GET_VARS—All data provided using GET

  • $HTTP_POST_VARS—All data provided using POST

  • $HTTP_REQUEST_VARS—All data provided using GET or POST, or via cookies (use not recommended)

These arrays are global; therefore, you have to use the global keyword to uplevel them to global scope if you use them within a function:

However, these arrays can be deactivated (PHP 5 onward), as well, using this php.ini directive:

register_long_arrays = Off

Therefore, the following is the only recommended method to access form data today in PHP:

  • $_GET for GET data

  • $_POST for POST data

  • $_REQUEST for POST, GET, and cookies (not recommended) 

The keys of these arrays are the names of the form values. The $_* arrays are so-called superglobal arrays— that is, you do not have to use the global keyword to get them into global scope; they are already available within functions.

When you have decided which superglobal array to use (depending on the form's method), accessing form data is easy: $_GET[<formfieldname>] or $_POST[<formfieldname>] retrieves the value in the form element. Table 4.1 shows which data is returned for which form field type.

Created: March 27, 2003
Revised: January 16, 2006