Bytes | Software Development & Data Engineering Community

Using HTML Forms to pass data to PHP

Atli
Introduction
At some point, all web developers will need to collect data from their users. In a dynamic web page, everything revolves around the user's input, so knowing how to ask for and collect this data is essential to any developer.
This article is a basic tutorial on how to use HTML Forms, the most common method of data collection.

Assumptions
- Basic HTML knowledge.
- Basic PHP knowledge.

HTML Forms
A common and simple way of gathering data is through HTML Forms. Forms are containers for user input and can contain any number of different input types.
The HTML form element takes two attributes that control what happens when it is submitted:
  • action: the URL of the page that is meant to process the collected data. When the form is submitted, the browser sends a new request to this location carrying all of the form's data. If the attribute is omitted, the form is submitted to the URL of the current page.
  • method: the HTTP method used for that request. There are two choices here: 'GET' and 'POST'. I will cover them both in the next chapter. If the attribute is omitted, GET is used.
A typical form element might look like this:
<form id="Form1" action="submit.php" method="post">
<!-- Input elements will be put here -->
</form>

The data delivery methods, GET and POST.
As you may have guessed from their names, GET and POST are HTTP request methods designed for different purposes. (Tutorials often call them "protocols", but both travel over the same protocol, HTTP.)

The purpose of GET is to fetch and display data to the user. Simple key-value pairs can be passed via the query string, but they should be used to specify what should be displayed on the page, rather than to push user data onto the server. A GET request is expected to be safe and repeatable: reloading the page, following a bookmark, or a search engine crawling the link must not change anything on the server.

That is what POST is for. It is designed to let clients send data of almost any size and in any format to the server (in practice the server sets an upper limit; in PHP this is controlled by the post_max_size and upload_max_filesize settings). This is what most forms should be using, and it is required for things like file uploads and for sending large amounts of text.

Essentially, GET should be used for navigation and things of that nature, and POST should be used to send actual data or to perform an action. Now let's examine them in more detail, individually.

The GET protocol
When using GET, the data from the form is URL-encoded and appended to the URL of the request as a query string. For example, if you were to submit this form:
<form action="action.php" method="get">
    <input type="text" name="Username" value="John"><br>
    <input type="password" name="Password" value="thePassword"><br>
    <input type="submit">
</form>
When you hit the submit button, the browser would request this URL:
- action.php?Username=John&Password=thePassword
(Characters that are not allowed in a URL, such as a space or an '&' inside a value, are percent-encoded by the browser, so a space becomes '+' or '%20' and an '&' becomes '%26'.)

Note what this means for the password field: the value ends up in the browser history, in proxy and web server access logs, and in the Referer header sent to any site the next page links to. Never send passwords or other secrets with GET.

A very useful aspect of GET is the fact that we do not have to use a form to submit GET data. The URL can be constructed by hand as well, and the server will not see any difference. Which means that the above data can also be submitted using the following HTML link:
<a href="action.php?Username=John&amp;Password=thePassword">Submit</a>
(Inside HTML the '&' between parameters should be written as '&amp;'; browsers accept a bare '&' as well.)
This is extremely useful in websites that show dynamically created content, such as forums or blogs, where you often need to create dynamic navigation links. In fact, this is used in most dynamic web 2.0 applications out there. It is also the reason a GET parameter deserves no more trust than a POST field: anyone can type whatever they like into the address bar.
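Because these navigation links are built from dynamic data, every parameter value has to be URL-encoded and the finished URL HTML-escaped before it goes into the page; otherwise a title containing '&' or a quote breaks the link, and user-controlled data can inject extra parameters or script. The following is an added example, not code from the original article; the page names and parameters (thread.php, forum.php, search.php, id, page, q) are assumptions:

```php
<?php
// Added example (not part of the original article): building GET navigation
// links from dynamic data without letting that data break the URL or the HTML.
// The page and parameter names used here are assumptions chosen for illustration.

declare(strict_types=1);

/**
 * Build a link to one of a fixed set of pages, percent-encoding every
 * parameter value and escaping the result for use inside an HTML attribute.
 *
 * http_build_query() applies urlencode() to keys and values, so "&", "=",
 * " " and "#" inside the data cannot introduce extra parameters.
 * htmlspecialchars() then makes sure a quote or "<" in the URL or label
 * cannot break out of the attribute or the element (the XSS case when the
 * data is user-supplied).
 */
function nav_link(string $page, array $params, string $label): string
{
    // The target page is chosen by our code, never taken from the request.
    $allowed = ['thread.php', 'forum.php', 'search.php'];
    if (!in_array($page, $allowed, true)) {
        throw new InvalidArgumentException("unknown page: $page");
    }
    $url = $page . '?' . http_build_query($params);
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . '</a>';
}

// Constructed sample data, as if read from a database row. Note the "&" and the quotes.
$thread = ['id' => 42, 'title' => 'Tom & Jerry "special"'];
echo nav_link('thread.php', ['id' => $thread['id'], 'page' => 2], $thread['title']), PHP_EOL;

// A constructed value that would otherwise smuggle in an extra "admin" parameter.
echo nav_link('search.php', ['q' => 'php&admin=1'], 'search'), PHP_EOL;
```

The first call produces `<a href="thread.php?id=42&amp;page=2">Tom &amp; Jerry &quot;special&quot;</a>`; in the second, the `&` and `=` inside the search term are encoded as `%26` and `%3D`, so they remain part of the value of q instead of becoming a new parameter.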

The POST protocol
The data submitted via POST is not visible in the URL. The data itself is put into the body of the request, which allows POST requests to upload more data, and more complex data, than a GET request. Note that "not visible in the URL" is not the same as "secret": the body travels in cleartext unless the page is served over HTTPS, and anyone with the browser's developer tools or a local proxy can read and change it just as easily as a query string.

For example, to send a username and an image, you would use a form like this:
<form action="action.php" method="post" enctype="multipart/form-data">
    <input type="text" name="Username"><br>
    <input type="file" name="UserImage">
    <input type="submit">
</form>
You will notice that an additional attribute has been added to the form. The "enctype" attribute is required when sending files. If it is missing, only the file's name will be sent, not its contents. This attribute tells the browser how to format the body of the request. The default, application/x-www-form-urlencoded, is the same key=value&key=value format used in a query string; to send a binary object, the multipart/form-data format is required, and PHP then exposes the file through the $_FILES array rather than $_POST.
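The server side of the file upload above, as an added example that is not part of the original article. It shows the checks a practitioner wants before a $_FILES entry is stored: the PHP error code, the size, the MIME type sniffed from the bytes on disk (not the client's claim or the file extension) and a random storage name. The upload directory, size limit, allowed types and the two constructed sample files are assumptions:

```php
<?php
// Added example, not part of the original article: server-side handling of
// the "UserImage" upload from the form above. The upload directory, size
// limit and allowed types are assumptions chosen for illustration.

declare(strict_types=1);

const MAX_UPLOAD_BYTES = 2 * 1024 * 1024;
const ALLOWED_TYPES = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

/**
 * Check one entry of $_FILES and decide on a safe destination file name.
 * Returns ['ok' => true, 'name' => '<random>.<ext>'] or ['ok' => false, 'error' => '<reason>'].
 *
 * Nothing supplied by the client is trusted: the original file name, the
 * client-declared "type" and the extension are ignored. The MIME type is
 * sniffed from the bytes on disk, and the stored name is random, so an
 * uploaded "../../shell.php" can neither escape the directory nor execute.
 */
function check_upload(array $file): array
{
    $err = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK) {
        return ['ok' => false, 'error' => "upload failed (code $err)"];
    }
    if (($file['size'] ?? 0) > MAX_UPLOAD_BYTES) {
        return ['ok' => false, 'error' => 'file too large'];
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        return ['ok' => false, 'error' => "type $mime not allowed"];
    }
    return ['ok' => true, 'name' => bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime]];
}

// In the real request handler (and only there: move_uploaded_file() refuses
// any file that did not arrive via HTTP POST):
//
//   $result = check_upload($_FILES['UserImage']);
//   if ($result['ok']) {
//       move_uploaded_file($_FILES['UserImage']['tmp_name'], '/var/www/uploads/' . $result['name']);
//   }
//
// The uploads directory should live outside the web root, or be served with
// script execution disabled, so that a stored file is never run as code.

// ---- Offline demonstration with constructed $_FILES entries ----------------

// A minimal 1x1 GIF (constructed sample with a valid image header).
$gif = "GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
     . ",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;";
$tmpGif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmpGif, $gif);

// A PHP script renamed to look like an image (constructed attack sample).
$phpSource = "<?php system(\$_GET['c']); ?>";
$tmpPhp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmpPhp, $phpSource);

$samples = [
    'genuine image' => ['name' => 'me.gif', 'type' => 'image/gif', 'tmp_name' => $tmpGif, 'error' => UPLOAD_ERR_OK, 'size' => strlen($gif)],
    'disguised php' => ['name' => 'me.png', 'type' => 'image/png', 'tmp_name' => $tmpPhp, 'error' => UPLOAD_ERR_OK, 'size' => strlen($phpSource)],
    'no file'       => ['name' => '',       'type' => '',          'tmp_name' => '',      'error' => UPLOAD_ERR_NO_FILE, 'size' => 0],
];
foreach ($samples as $label => $entry) {
    $r = check_upload($entry);
    echo str_pad($label, 15), $r['ok'] ? 'accepted as ' . $r['name'] : 'rejected: ' . $r['error'], PHP_EOL;
}
unlink($tmpGif);
unlink($tmpPhp);
```

Run from the command line, the GIF is accepted under a random name, while the renamed PHP script is rejected because libmagic identifies it by its contents rather than by the "image/png" the client claimed, and the empty entry is rejected by its error code before anything is read.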

The <input> element
Like all forms, HTML forms need fields for the user to fill out. This is what the <input> element is for.
Input elements are placed inside the <form> element, and can be used as a number of different types of fields. The type is set by changing the "type" attribute of the field to one of the following values:
  • text: This is a simple text box. Allows users to input any text.
  • password: This is similar to the "text" input, except this is meant for passwords. The text is masked on screen (usually by replacing each character with an asterisk or a dot), so someone looking over the user's shoulder cannot read it. The masking is purely visual: the value is sent to the server exactly like a text field.
  • button: This creates a button. It has no special purpose. It's mostly used to execute JavaScript code.
  • submit: This forms a button that, when clicked, submits the form. If you specify a name and a value, they will be included in the data. Otherwise not.
  • reset: This forms a button that resets all the fields in the form. Use with caution!
  • checkbox: This creates a checkbox. Only boxes that have been checked will be sent along with the data. Unchecked boxes will be disregarded, so on the server you test for the presence of the field rather than for its value.
  • radio: This creates a radio button. If you create a number of these with the same name, only one of them can be selected at any given time, and only the selected one will be included with the data. The "value" attribute of the selected button will be sent.
  • hidden: This field is not displayed. It is hidden, but its value will be sent. These are useful when you need to carry a value from your PHP or JavaScript code through the form without showing it in the page. Be aware that "hidden" means hidden from the page layout only: the user can read the value in the page source and change it before submitting, so a hidden field must be validated like any other input. If a value must not be tampered with, keep it in the session on the server instead.
  • file: This type allows a file to be selected and uploaded to the server.
A simple example of a form populated with input elements:
<form id="Form1" action="submit.php" method="post">
  Username: <input type="text" name="Username"><br>
  Password: <input type="password" name="Password"><br>
  Remember me: <input type="checkbox" name="Remember" checked="checked">
  <input type="hidden" name="SubmitCheck" value="sent">
  <input type="submit" name="Form1_Submit" value="Login">
</form>
Reading the form data
To read the data submitted by a form in PHP, we use one of three special arrays: $_GET, $_POST or $_REQUEST. The first two contain the data submitted via their respective methods. The third, $_REQUEST, contains the data from both, merged into one array.

The index (key) of the array is the name attribute of the input element. So if we were to send the form we created earlier, we could print the Username that was passed like this:
echo $_POST['Username'];
(Printing a submitted value straight back into the page like this is exactly how cross-site scripting happens; in a real page, wrap it in htmlspecialchars(). Also test for the key with isset() first, since a field that was left out of the request, or a checkbox that was not ticked, is simply absent from the array.)
If you are lazy you can just call "$_REQUEST['Username']" instead, but it comes at a price. Depending on your PHP configuration (the request_order directive, falling back to variables_order) either the $_GET or the $_POST array supersedes the other, overriding duplicate values. That means that if both GET and POST send a value with the same name, one of them will not be available, and you risk using the incorrect value in your code. And to make matters worse, cookies can be thrown into the mix as well: with the default variables_order of "EGPCS" a cookie of the same name overrides both, so a stale or attacker-set cookie silently replaces what the form sent.

The moral of this story is: use the $_GET and $_POST arrays, rather than the $_REQUEST array. That way you always know where a value came from.
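Reading form data safely in practice means more than choosing $_POST over $_REQUEST. The following added example (not from the original article) wraps the lookup in a small helper that also rejects array values, over-long input and anything outside an allow-list pattern, and spells out how PHP merges the sources into $_REQUEST so the precedence problem becomes visible. The helper names, the patterns and the sample arrays are assumptions:

```php
<?php
// Added example, not from the original article: reading form fields from
// $_POST with validation instead of trusting the raw value or $_REQUEST.
// Field names, the allow-list pattern and the sample submissions are
// assumptions for illustration.

declare(strict_types=1);

/**
 * Return $source[$name] if it exists, is a string, is at most $maxLen bytes
 * and matches the allow-list $pattern; otherwise null.
 *
 * The is_string() test matters: a client can send "Username[]=x" and PHP will
 * make $_POST['Username'] an array, which then breaks (or bypasses) any
 * string check that assumed otherwise.
 */
function read_field(array $source, string $name, int $maxLen, string $pattern): ?string
{
    $value = $source[$name] ?? null;
    if (!is_string($value) || strlen($value) > $maxLen || preg_match($pattern, $value) !== 1) {
        return null;
    }
    return $value;
}

/**
 * How PHP fills $_REQUEST, spelled out. $order mirrors the request_order ini
 * setting ("GP" in php.ini-production; otherwise variables_order, typically
 * "EGPCS"): sources are applied left to right and a later source overwrites
 * keys set by an earlier one. Letters with no matching source are ignored.
 */
function build_request(array $get, array $post, array $cookie, string $order): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged  = [];
    foreach (str_split($order) as $letter) {
        if (isset($sources[$letter])) {
            $merged = array_merge($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// Constructed sample submissions standing in for $_POST.
$good = ['Username' => 'John',   'Remember' => 'on',       'SubmitCheck' => 'sent'];
$bad  = ['Username' => ['John'], 'Remember' => '<script>', 'SubmitCheck' => 'sent'];

$userPattern = '/^[A-Za-z0-9_]{1,32}$/';   // allow-list for usernames

var_dump(read_field($good, 'Username', 32, $userPattern));   // the string "John"
var_dump(read_field($bad,  'Username', 32, $userPattern));   // null: an array, not a string

// A checkbox carries no information beyond being present; treat anything
// other than the exact value the form sends as "not ticked".
var_dump(read_field($good, 'Remember', 2, '/^on$/') !== null);
var_dump(read_field($bad,  'Remember', 2, '/^on$/') !== null);

// The same name in the query string, the body and a cookie: which one wins
// depends only on configuration, which is why $_REQUEST is a poor choice.
$get    = ['Username' => 'fromQuery'];
$cookie = ['Username' => 'fromCookie'];
var_dump(build_request($get, $good, $cookie, 'GP')['Username']);      // "John"
var_dump(build_request($get, $good, $cookie, 'EGPCS')['Username']);   // "fromCookie"
```

With request_order "GP" the POST value wins; with the variables_order fallback "EGPCS" the cookie wins over both, which is the case the text above warns about.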

Using the collected data
Before we finish, let's make a simple example, using our login form from before.

This form tests for the username 'John' and the password 'Doe' and responds accordingly. Note that I have changed the 'action' attribute of the form to point to itself, which will cause the page to reload, along with the data. The security issues that the warning at the top of the code refers to include the hard-coded plaintext password, the unescaped $_SERVER['PHP_SELF'] in the action attribute (a classic cross-site scripting vector, since PHP_SELF reflects the requested path), the absence of any protection against cross-site request forgery, and the missing isset() checks before the fields are read.
<?php
/**
 * WARNING!
 * This EXAMPLE code contains severe SECURITY ISSUES
 * which should be addressed before real-life usage!!
 *
 * These issues have been ignored intentionally to
 * simplify the code so we can focus on the topic
 * in discussion.
 */

// Let's test if the form has been submitted
if(isset($_POST['SubmitCheck'])) {
    // The form has been submitted
    // Check the values!
    if($_POST['Username'] == "John" and $_POST['Password'] == "Doe") {
        // User validated!
        echo "That's right! You have been logged in!";

        // Check if the checkbox was checked
        if(isset($_POST['Remember'])) {
            echo "<br>You will be remembered!";
        }
        else {
            echo "<br>John who?!";
        }
    }
    else {
        // User info invalid!
        echo "Sorry mate, try again!";
    }
}
else {
    // The form has not been posted
    // Show the form
?>
<form id="Form1" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
    Username: <input type="text" name="Username"><br>
    Password: <input type="password" name="Password"><br>
    Remember me: <input type="checkbox" name="Remember" checked="checked">
    <input type="hidden" name="SubmitCheck" value="sent">
    <input type="submit" name="Form1_Submit" value="Login">
</form>
<?php
}
?>
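For comparison with the intentionally simplified example above, here is the same login page with those issues addressed, as an added example that is not part of the original article: a stored password hash checked with password_verify(), an anti-CSRF token carried in the hidden field and checked with hash_equals(), allow-list validation of the username, session id regeneration on login, output escaping, and no $_SERVER['PHP_SELF'] in the markup. The in-memory user table (seeded from the plaintext 'Doe' purely so the script runs on its own), the session layout and the function names are assumptions:

```php
<?php
// Added example, not part of the original article: the login page above with
// the issues the warning comment alludes to addressed. The in-memory user
// table, the session layout and the field/function names are assumptions.

declare(strict_types=1);
session_start();

// Stand-in for a users table; real code loads the hash from a database.
// password_hash() produces a salted bcrypt hash, so no plaintext is stored.
$users = ['John' => password_hash('Doe', PASSWORD_DEFAULT)];
// Verified against when the username is unknown, so that an unknown user and
// a wrong password take the same time and the response does not reveal names.
$dummyHash = password_hash('unused', PASSWORD_DEFAULT);

// One anti-CSRF token per session, echoed into a hidden field. The user can
// read and edit a hidden field, so it cannot carry anything the user must not
// change; it works here only because another site cannot read this session's token.
if (empty($_SESSION['csrf'])) {
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
}

/** Escape a string for HTML text and attribute context. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

/**
 * Validate one login submission. Returns [bool $loggedIn, string $message].
 * $post is shaped like $_POST so the function can be exercised without a browser.
 */
function handle_login(array $post, array $users, string $dummyHash, string $sessionToken): array
{
    $token = $post['csrf'] ?? '';
    if (!is_string($token) || !hash_equals($sessionToken, $token)) {
        return [false, 'Invalid request.'];
    }
    $user = $post['Username'] ?? '';
    $pass = $post['Password'] ?? '';
    // Allow-list validation of the username; the password is only hashed, never echoed.
    if (!is_string($user) || !is_string($pass) || !ctype_alnum($user) || strlen($user) > 32) {
        return [false, 'Sorry mate, try again!'];
    }
    if (!password_verify($pass, $users[$user] ?? $dummyHash)) {
        return [false, 'Sorry mate, try again!'];
    }
    // Fresh session id once the privilege level changes (prevents session fixation).
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $remembered = isset($post['Remember']) ? 'You will be remembered!' : 'John who?!';
    return [true, "That's right! You have been logged in! $remembered"];
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    [$ok, $message] = handle_login($_POST, $users, $dummyHash, $_SESSION['csrf']);
    echo '<p>', h($message), '</p>';
    if ($ok) {
        exit;
    }
}
?>
<!-- No action attribute: the form posts back to the current URL without
     echoing $_SERVER['PHP_SELF'], which an attacker can make contain script. -->
<form id="Form1" method="post">
    Username: <input type="text" name="Username" maxlength="32"><br>
    Password: <input type="password" name="Password"><br>
    Remember me: <input type="checkbox" name="Remember" checked="checked">
    <input type="hidden" name="csrf" value="<?= h($_SESSION['csrf']) ?>">
    <input type="submit" name="Form1_Submit" value="Login">
</form>
```

The hidden field here is still readable and editable by the user, which is fine: the token is a secret from other origins, not from the user. Anything the user must not be able to change (for example "logged in as John") lives in $_SESSION on the server, not in the form.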
The finish line
So, that's it for my basic article on HTML Forms.

A final warning!
Use data posted through HTML Forms carefully.
Always assume the data you receive is meant to damage your web application, and validate it accordingly! That applies equally to GET parameters, hidden fields, checkboxes, radio buttons and select boxes: the browser is not under your control, and a request can be crafted by hand to contain anything at all.

Remember that your web application is only as good as the information it displays, so make sure your data is in order.

All the best,
- Atli Þór
Jun 18 '07 #1
kumarsantosh
Good coding for creating a login ID using HTML in PHP.
Dec 5 '07 #2
absentmindedjwc
Good tutorial, but this is incredibly important... (to the readers, not to the author, lol) You may have heard that $_GET poses a security risk, but it is technically no bigger than $_POST. With a basic understanding of web development, the Firefox Web Developer toolbar, and a few minutes, a malicious user can easily pass any value he/she wants through that POST value.

The moral of the story: NEVER TRUST DATA COMING FROM THE USER!!! This rule is absolute; I don't care if the only user is the tech guy that works at your office, any data from any user has to be taken with a grain of salt.

That said, it is rather easy to sterilize data:

function sterilize (&$sterilize=NULL) {
    // Nothing to do for an empty value
    if ($sterilize==NULL) {return NULL;}
    // Remove quotes and angle brackets outright
    $check = array (1 => "'", 2 => '"', 3 => '<', 4 => '>');
    foreach ($check as $value) {
        $sterilize=str_replace($value, '', $sterilize);
    }
    // Strip any remaining tags, undo existing escaping, then escape once
    $sterilize=strip_tags ($sterilize);
    $sterilize=stripcslashes ($sterilize);
    $sterilize=stripslashes ($sterilize);
    $sterilize=addslashes ($sterilize);
    return $sterilize;
}
Now, imagine the user is entering his name, so $_POST['name']='Jason'; all you would have to do is call the function above like this:
$Name=sterilize ($_POST['name']);

The data, although not protected against any SQL injections (I have another function for that), will be cleaned of any tags, slashes, and escapes.

Edit: just wanted to add a little bit: not trusting data isn't just for text boxes and fields, but also for drop-down boxes, and even lowly checkboxes and radio buttons.

(Note: I know I am passing the var by ref, but it is just easier to set it to an easy-to-remember var and sanitize in the same step.)
Dec 18 '07 #3
tenest
While I agree with you on never trusting user-supplied data, I completely disagree with you on relying on sanitation. Sanitation will NEVER be able to completely insulate you from an attack, as someone will ALWAYS be able to evade your filters (which is essentially what you are doing with your sanitation routine). User-supplied data should always be VALIDATED, and validation != sanitation. You can certainly do both (validation and sanitation), but NEVER rely on sanitation only.

For example, a user name is most likely comprised of alpha characters and maybe digits. If that is the case, then you check to make sure that what the user supplied is ONLY alphanumeric characters:
if(ctype_alnum($_POST['Username'])){
    //continue with log in process
} else {
    //refuse the login
}
If you need additional characters in the user name, then build a regex pattern and compare the user-supplied data to the pattern. If it fails, don't go any farther.

Furthermore, you should hash the password in storage, then compare the hash of the user-supplied password to what you have in storage:
// compare the digest of the submitted password with the stored digest
if(sha1($_POST['Password']) == $usersStoredHashedPassword){
    //continue with login process
} else {
    //refuse login
}
Last, before echo'ing back ANY user-supplied data to the browser, ALWAYS encode it first!

oh, and absentmindedjwc, the contact me form on your website is susceptible to XSS injection. ;)
Dec 18 '07 #4
RalphSlate
What is the advantage of using the _GET and _POST arrays versus the variables that get automatically created when the form is submitted.

For example, if I have a form with the input variable "Username", why should I bother to refer to this as $_POST['Username'] rather than $Username?
Dec 18 '07 #5
absentmindedjwc
oh, and absentmindedjwc, the contact me form on your website is susceptible to XSS injection. ;)
I noticed, :/

A variant of what I have currently on the site, and what I posted here (among a couple of other things), is going into the redesign of my site. Using JUST what I have up there clears up every XSS injection that I threw at it...

BTW: closed the hole ;)
Dec 18 '07 #6
absentmindedjwc
What is the advantage of using the _GET and _POST arrays versus the variables that get automatically created when the form is submitted.

For example, if I have a form with the input variable "Username", why should I bother to refer to this as $_POST['Username'] rather than $Username?
Either I am misunderstanding your question, or you are misunderstanding how the GET and POST arrays work... When you push submit, the data gets sent to the server as either a GET or a POST, depending on the method of the form. $username will not be set unless you set it; the variable $_POST['username'], on the other hand, will be set.
Dec 18 '07 #7
pbmods
What is the advantage of using the _GET and _POST arrays versus the variables that get automatically created when the form is submitted.

For example, if I have a form with the input variable "Username", why should I bother to refer to this as $_POST['Username'] rather than $Username?
Heya, RalphSlate.

You're talking about register_globals, which is being discontinued in PHP 6.

register_globals is convenient, but it actually encourages you to write insecure code. Have a look at this page.
Dec 19 '07 #8
Atli
I completely agree with you about the data validation and sanitation.
All data you received using HTML forms, such as the one discussed in the article, should always, without exception, be considered dangerous until proven safe.

There are of course many different methods of validating and securing user input, each with its uses and limitations. PHP does provide a few very handy functions that help deal with user input, such as the htmlspecialchars function and the htmlentities function.

To be as safe as possible, it would be best to go with a "white-list" approach, which essentially goes through the input and removes all characters that have not been approved.

The opposite method would be a "black-list" approach, which would remove only those characters you have listed. This is naturally less secure but does not run the risk of removing excess data.

As to the question of $_POST['var'] vs $var...

As pbmods mentioned, the difference there is that the second variable is created by PHP if you have the register_globals directive enabled in the PHP configuration.

As of PHP 5, this is disabled by default and if I am not mistaken this option will be completely removed in PHP 6, as it does create a possible security risk. Details on that can be found in the link pbmods posted.
Dec 26 '07 #9
nstone
As of PHP 5, this is disabled by default and if I am not mistaken this option will be completely removed in PHP 6, as it does create a possible security risk. Details on that can be found in the link pbmods posted.
I always use extract($_POST); as an early line in my scripts. It reads all $_POST[variables] into $variables. The only caveat is to avoid using the same names for locally declared variables.
Mar 18 '08 #10
