This post covers the Forms section of the Web Features chapter when studying for the Zend PHP 7 Certification.
One of the most powerful features of PHP is the way it handles HTML forms. The basic concept that is important to understand is that any form element will automatically be available to your PHP scripts.
A simple HTML form may look like the below example.
<form action="foo.php" method="post">
  Name: <input type="text" name="username" /><br />
  Email: <input type="text" name="email" /><br />
  <input type="submit" name="submit" value="Submit me!" />
</form>
As of PHP version 7.1, there are currently two ways that the data can be accessed. For example, to access the username form field data, you could use the following lines.
<?php
echo $_POST['username'];
echo $_REQUEST['username'];
When the user fills in this form and hits the submit button, the foo.php page is called. In this file you would write something like the following.
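<?php
// Function calls are not expanded inside double-quoted strings, so concatenate the encoded values.
echo 'Hello ' . htmlspecialchars($_POST['username']) . ', your email address is ' . htmlspecialchars($_POST['email']);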
We can retrieve the form variables using the $_POST superglobal as our form’s method attribute is post. Note that the name attribute of each input tag is what’s used as the key when retrieving the variables from $_POST.
The htmlspecialchars() function makes sure any characters that are special in HTML are properly encoded so people can’t inject HTML tags or JavaScript into your page.
The <form> tag has a few useful attributes that can be observed.
The enctype attribute by default is set to application/x-www-form-urlencoded. This means that all characters are encoded before being sent (spaces are converted to “+” symbols, and special characters are converted to ASCII HEX values).
Other enctypes include:
multipart/form-data – No characters are encoded. This value is required when you are using forms that have a file upload control.
text/plain – Spaces are converted to “+” symbols, but no special characters are encoded.
Form inputs where the name attribute contains dots and spaces will get converted into underscores when using either the $_GET, $_POST or $_REQUEST superglobals.
<form method="post">
  <input type="text" name="some.field" />
  <input type="text" name="some other field" />
  <input type="submit" value="Submit me!" />
</form>
<?php
echo $_POST['some_field']; // Outputs the value of the "some.field" input
echo $_POST['some_other_field']; // Outputs the value of the "some other field" input
To get your <form> result sent as an array to your PHP script you name the <input>, <select> or <textarea> elements like the below code example shows.
<input name="MyArray[]" />
<input name="MyArray[]" />
<input name="MyArray[]" />
<input name="MyArray[]" />
Notice the square brackets after the variable name; that’s what makes it an array. You can group the elements into different arrays by assigning the same name to different elements.
<input name="MyArray[]" />
<input name="MyArray[]" />
<input name="MyOtherArray[]" />
<input name="MyOtherArray[]" />
This produces two arrays, MyArray and MyOtherArray, that get sent to the PHP script. It’s also possible to assign specific keys to the arrays.
<input name="AnotherArray[]" />
<input name="AnotherArray[]" />
<input name="AnotherArray[email]" />
<input name="AnotherArray[phone]" />
The AnotherArray array will now contain the keys 0, 1, email and phone. You can then retrieve the data by using $_POST['AnotherArray'][0], for example.
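An added example, not code from the original post: a stricter version of the foo.php handler that takes the bracket syntax above into account, since a field submitted as username[] arrives as an array rather than a string. The helper names scalar_field, e and render_greeting and the sample submissions are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Return a form field only if it is a string; array-shaped input
 * (a request that sends username[]=x) is rejected with null.
 */
function scalar_field(array $source, string $name): ?string
{
    $value = $source[$name] ?? null;
    return is_string($value) ? trim($value) : null;
}

/** Encode for an HTML text or attribute context, quotes included. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Validate both fields, then build the greeting from encoded values. */
function render_greeting(array $post): string
{
    $username = scalar_field($post, 'username');
    $email    = scalar_field($post, 'email');

    if ($username === null || $username === '') {
        return 'Invalid username.';
    }
    if ($email === null || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'Invalid email address.';
    }
    return 'Hello ' . e($username) . ', your email address is ' . e($email);
}

// Constructed sample submissions standing in for $_POST.
$samples = [
    'normal'       => ['username' => 'Alice', 'email' => 'alice@example.com'],
    'markup'       => ['username' => '<b>Bob</b>', 'email' => 'bob@example.com'],
    'array-shaped' => ['username' => ['x', 'y'], 'email' => 'eve@example.com'],
    'bad email'    => ['username' => 'Carol', 'email' => 'not-an-email'],
];

foreach ($samples as $label => $post) {
    echo str_pad($label, 13), ' => ', render_greeting($post), PHP_EOL;
}
```

In a real handler, pass $_POST to render_greeting() in place of the sample arrays.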
The <input type="image"> is a graphical submit button. You must use the src attribute to define the source of the image and the alt attribute to define alternative text. The height and width attributes are used to define the size of the image in pixels.
<input type="image" src="https://mdn.mozillademos.org/files/2917/fxlogo.png" height="60" width="60" />
As mentioned above, the $_GET, $_POST and $_REQUEST superglobals are used to collect values from a form. But which one should you use?
$_GET – You should use $_GET when someone is requesting data from your application. Information sent from a form with the GET method is visible to everyone (all variable names and values are displayed in the URL). GET also has limits on the amount of information to send. The limitation is about 2000 characters. However, because the variables are displayed in the URL, it is possible to bookmark the page. This can be useful in some cases.
GET may be used for sending non-sensitive data.
Note: GET should never be used for sending passwords or other sensitive information!
$_POST – You should use $_POST when someone is sending data to your application. Information sent from a form with the POST method is invisible to others (all names/values are embedded within the body of the HTTP request) and has no limits on the amount of information to send.
$_REQUEST – Merges data from $_GET, $_POST and cookie info. Not recommended.
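Why $_REQUEST is discouraged, as an added example that is not part of the original post: the function below models how PHP's request_order setting decides which source wins when the same field name arrives in the query string, the body and a cookie. build_request and the sample values are constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Model of how $_REQUEST is filled: the letters of request_order are
 * processed left to right and later sources overwrite earlier ones.
 */
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged  = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $merged = array_replace($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// Constructed sample request: the same field name arrives from three places.
$get    = ['email' => 'from-query@example.com'];
$post   = ['email' => 'from-body@example.com', 'username' => 'alice'];
$cookie = ['email' => 'from-cookie@example.com'];

// The value seen through $_REQUEST changes with server configuration,
// so the handler cannot tell which part of the request supplied it.
foreach (['GP', 'PG', 'GPC'] as $order) {
    $request = build_request($order, $get, $post, $cookie);
    printf("request_order=%-3s => \$_REQUEST['email'] = %s\n", $order, $request['email']);
}
```

Reading $_POST['email'] directly always yields the body value, whatever request_order is set to.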
It is worth noting that the choice over the superglobals (e.g. POST, GET) does not necessarily make the request “secure”. Any information that is not transmitted over an encrypted channel (using SSL, i.e. HTTPS) is transmitted in plain text.
For secure transport of sensitive/private information over HTTP, consider using SSL, as this prevents eavesdropping on the information transmitted.
Note: This article is based on PHP version 7.1.