Zend PHP 7 Certification – Web Features – Forms

This post covers the Forms section of the Web Features chapter when studying for the Zend PHP 7 Certification.

One of the most powerful features of PHP is the way it handles HTML forms. The basic concept that is important to understand is that any form element will automatically be available to your PHP scripts.

A simple HTML form may look like the below example.

<form action="foo.php" method="post">
    Name:  <input type="text" name="username" /><br />
    Email: <input type="text" name="email" /><br />
    <input type="submit" name="submit" value="Submit me!" />
</form>

As of PHP 7.1, there are two ways the submitted data can be accessed. For example, to read the username field, you could use either of the following lines.

<?php
echo $_POST['username'];
echo $_REQUEST['username'];

When the user fills in this form and hits the submit button, the foo.php page is called. In this file you would write something like the following.

<?php
// Function calls are not interpolated inside a double-quoted string, so the
// encoded values have to be concatenated into the output.
echo "Hello " . htmlspecialchars($_POST['username']) . ", your email address is " . htmlspecialchars($_POST['email']);

We retrieve the form variables through the $_POST superglobal because our form’s method attribute is post. Note that the name attribute of each input tag is the key used to look up its value in $_POST.

The htmlspecialchars() function encodes the characters that have special meaning in HTML, so a user cannot inject HTML tags or JavaScript into your page through the submitted values.
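As an added example (not code from the original post), the greeting rewritten around a small encoding helper. It passes explicit flags because in PHP 7.1 the default flags of htmlspecialchars() leave the single quote unencoded, which matters when a value lands inside a single-quoted attribute. The e() and greeting() names and the sample values are constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not from the original post. Encode a value for insertion into
// HTML text or an attribute. ENT_QUOTES also encodes the single quote (the PHP 7.1
// default, ENT_COMPAT, does not); ENT_SUBSTITUTE replaces invalid UTF-8 sequences
// instead of making htmlspecialchars() return an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Build the greeting from the raw POST fields. Missing fields default to '' rather
// than triggering an "undefined index" notice, and non-string values (a client can
// send username[]=x to turn the field into an array) are rejected instead of cast.
function greeting(array $post): string
{
    $username = $post['username'] ?? '';
    $email    = $post['email'] ?? '';
    if (!is_string($username) || !is_string($email)) {
        return '<p>Invalid form submission.</p>';
    }
    // The value is echoed once as text and once inside a single-quoted attribute,
    // the case where ENT_QUOTES makes the difference.
    return sprintf(
        "<p>Hello %s, your email address is %s</p>\n<input type=\"text\" name=\"email\" value='%s' />",
        e($username),
        e($email),
        e($email)
    );
}

// Constructed sample input standing in for $_POST, containing markup and a quote
// that would otherwise close the attribute and start a new one.
$sample = [
    'username' => '<script>alert(1)</script>',
    'email'    => "bob@example.com' onfocus='alert(2)",
];
echo greeting($sample), PHP_EOL;
```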

The <form> tag has a few useful attributes worth knowing.

  • Action – Specifies the address (URL) to which the form is submitted (default: the submitting page).
  • Method – Specifies the HTTP method used when submitting the form (default: GET).
  • Name – Specifies a name used to identify the form (for DOM usage: document.forms.name).
  • Enctype – Specifies the encoding of the submitted data (default: url-encoded).
  • Novalidate – Specifies that the browser should not validate the form.

The enctype attribute defaults to application/x-www-form-urlencoded. This means that all characters are encoded before being sent (spaces are converted to “+” symbols, and special characters are converted to ASCII hex values).

Other enctypes include:

  • multipart/form-data – No characters are encoded. This value is required when you are using forms that have a file upload control.
  • text/plain – Spaces are converted to “+” symbols, but no special characters are encoded.

Form inputs whose name attribute contains dots or spaces have those characters converted to underscores in the $_GET, $_POST and $_REQUEST superglobals.

<form method="post">
    <input type="text" name="some.field" />
    <input type="text" name="some other field" />
    <input type="submit" value="Submit me!" />
</form>

<?php
    echo $_POST['some_field']; // Outputs the value of the "some.field" input
    echo $_POST['some_other_field']; // Outputs the value of the "some other field" input

To have your <form> results sent as an array to your PHP script, name the <input>, <select> or <textarea> elements as the code example below shows.

<input name="MyArray[]" />
<input name="MyArray[]" />
<input name="MyArray[]" />
<input name="MyArray[]" />

Notice the square brackets after the variable name; that’s what makes it an array. You can group elements into different arrays by giving the elements of each group the same name.

<input name="MyArray[]" />
<input name="MyArray[]" />
<input name="MyOtherArray[]" />
<input name="MyOtherArray[]" />

This produces two arrays, MyArray and MyOtherArray, that get sent to the PHP script. It’s also possible to assign specific keys to the arrays.

<input name="AnotherArray[]" />
<input name="AnotherArray[]" />
<input name="AnotherArray[email]" />
<input name="AnotherArray[phone]" />

The AnotherArray array will now contain the keys 0, 1, email and phone. You can then retrieve the data by using $_POST['AnotherArray'][0] for example.
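An added example (not from the original post) of reading the AnotherArray field: because the client controls the submitted structure, the handler checks that the field really is an array, that each expected entry is a string and that the email key holds a valid address, instead of assuming the shape the HTML suggests. The readAnotherArray() name and the sample input are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not from the original post. Normalise the AnotherArray form field
// into the shape the HTML promised: two positional entries plus 'email' and 'phone'.
// Returns null when the submission does not match, so the caller can reject it.
function readAnotherArray(array $post): ?array
{
    $raw = $post['AnotherArray'] ?? null;
    if (!is_array($raw)) {
        return null; // field missing, or sent as a plain scalar (AnotherArray=x)
    }
    $clean = [];
    foreach ([0, 1, 'email', 'phone'] as $key) {
        // A client can send AnotherArray[email][]=x to nest another array; reject that,
        // since string functions applied to an array would error or silently coerce.
        if (!isset($raw[$key]) || !is_string($raw[$key])) {
            return null;
        }
        $clean[$key] = trim($raw[$key]);
    }
    if (filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Allow only digits, spaces and '+' in the phone number.
    if (preg_match('/^[0-9+ ]{6,20}$/', $clean['phone']) !== 1) {
        return null;
    }
    // Only the four expected keys are returned; extra keys the client added are dropped.
    return $clean;
}

// Constructed sample inputs standing in for $_POST: one matching the form,
// one where the email entry was turned into a nested array.
$good = ['AnotherArray' => ['first', 'second', 'email' => 'bob@example.com', 'phone' => '+44 20 1234 5678']];
$bad  = ['AnotherArray' => ['first', 'second', 'email' => ['nested'], 'phone' => '123456']];

var_dump(readAnotherArray($good)); // the cleaned four-key array
var_dump(readAnotherArray($bad));  // rejected
```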

The <input type="image"> is a graphical submit button. You must use the src attribute to define the source of the image and the alt attribute to define alternative text. The height and width attributes are used to define the size of the image in pixels.

<input type="image" src="https://mdn.mozillademos.org/files/2917/fxlogo.png" height="60" width="60" />

As mentioned above, the $_GET, $_POST and $_REQUEST superglobals are used to retrieve values from a form. But which one should you use?

$_GET – You should use $_GET when someone is requesting data from your application. Information sent from a form with the GET method is visible to everyone (all variable names and values are displayed in the URL). GET also limits the amount of information that can be sent; the limit is about 2000 characters. However, because the variables are displayed in the URL, it is possible to bookmark the page, which can be useful in some cases.

GET may be used for sending non-sensitive data.

Note: GET should never be used for sending passwords or other sensitive information!

$_POST – You should use $_POST when someone is sending data to your application. Information sent from a form with the POST method is invisible to others (all names/values are embedded within the body of the HTTP request) and has no limits on the amount of information to send.

$_REQUEST – Merges data from $_GET, $_POST and cookies. Not recommended.

It is worth noting that the choice of superglobal (e.g. POST or GET) does not by itself make the request “secure”. Any information that is not transmitted over an encrypted channel (SSL/TLS, i.e. HTTPS) is transmitted in plain text.

For secure transport of sensitive or private information over HTTP, use HTTPS (SSL/TLS), which prevents eavesdropping on the information while it is in transit.
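An added example (not from the original post) tying the two points together: a handler for a form that carries a password insists on the POST method, reads only $_POST (never $_REQUEST, which would also accept the same names from the query string or cookies), and refuses to proceed unless the request arrived over HTTPS. The $_SERVER keys used are the standard ones PHP populates; the checkSensitiveSubmission() name and the sample arrays are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not from the original post. Decide whether a sensitive form
// submission (for example a login form) may be processed at all.
// Returns a reason for refusal, or null when the request is acceptable.
function checkSensitiveSubmission(array $server, array $post): ?string
{
    // PHP sets $_SERVER['HTTPS'] to a non-empty value for TLS requests; some SAPIs
    // set it to 'off' for plain HTTP. Behind a TLS-terminating proxy you would
    // consult the proxy's forwarded-protocol header instead (not shown here).
    $https = (string) ($server['HTTPS'] ?? '');
    if ($https === '' || strtolower($https) === 'off') {
        return 'refuse: credentials must not travel over plain HTTP';
    }
    // With GET the password would end up in the URL: browser history,
    // Referer headers and server access logs.
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return 'refuse: this form must be submitted with POST';
    }
    // Read from $_POST only; $_REQUEST would let ?password=... in the query string
    // or a cookie named password stand in for the form field.
    $user = $post['username'] ?? null;
    $pass = $post['password'] ?? null;
    if (!is_string($user) || !is_string($pass) || $user === '' || $pass === '') {
        return 'refuse: missing username or password';
    }
    return null;
}

// Constructed sample requests standing in for $_SERVER and $_POST.
$tls   = ['HTTPS' => 'on', 'REQUEST_METHOD' => 'POST'];
$plain = ['HTTPS' => '', 'REQUEST_METHOD' => 'POST'];
$get   = ['HTTPS' => 'on', 'REQUEST_METHOD' => 'GET'];
$form  = ['username' => 'bob', 'password' => 'hunter2'];

var_dump(checkSensitiveSubmission($tls, $form));   // accepted
var_dump(checkSensitiveSubmission($plain, $form)); // refused: plain HTTP
var_dump(checkSensitiveSubmission($get, $form));   // refused: GET
```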

Note: This article is based on PHP version 7.1.