Processing Forms with PHP

OBJECTIVES

In this unit, the student will learn:
  • how to use PHP to process data from a web form
    • accessing values of form elements
    • dealing with checkboxes
    • dealing with multiple-valued elements
  • how to create an all-in-one PHP document that both generates and processes the form

Processing a form using PHP

Three pre-defined variables contain form data:
  • $_GET : contains data from GET method
  • $_POST : contains data from POST method
  • $_REQUEST : contains data from either method
These are in the form of associative arrays:
  • $_REQUEST['name'] contains the value of the form element whose name attribute is name
The following example uses an HTML form and a PHP processor.

HTML injection

Beware when processing form data:
  • Don't assume form data are what you expect.
    • This is true even if you validate form data in JavaScript.
    • Anyone can send data from their own form to your form processor.
      • or even without a form, using GET (see next slide).
  • Always validate or escape any content that appears in result.
  • HTML injection attack:
    • hacker sends victim crafted link to your web site
    • victim sees hacker's content in your page.

Faking a GET submission

  • For debugging, it is often useful to send test data to the form processor quickly.
  • If the processor accepts the GET method, simulate a form submission by appending
    ?request-string to the processor URL.
  • The request-string is a series of name=value pairs separated by &.
  • If a value contains blank spaces, these are replaced by + signs.
  • Any other special characters are URL-encoded
    • e.g. an actual + sign is replaced by its hex code, %2B
    • Use man ascii to find codes as needed
Try it:
http://www.dsm.fordham.edu/cgi-bin/form-processor.cgi?foo=bar

All-in-one PHP file

It is often convenient to have the same PHP document
  • produce the form
  • process the form
Existence of $_GET, $_POST, or $_REQUEST can be tested to determine which to do. Basic structure:
<?php if( $_POST ) { ?>
HTML and PHP to process form data
<?php } else { ?>
HTML and PHP to create form
<?php } ?>

HTML validation

  • With an all-in-one file, the W3C validator will see only the form part.
  • How to validate the response?
    • If page accepts GET requests, submit URL with query-string to validator:
      http://www.dsm.fordham.edu/~janeuser/project8.php?foo=bar
    • Or, if not:
      1. Visit page, submit form
      2. Use View Source of browser to see HTML of response
      3. Select All, Copy
      4. Visit the validator, select Validate by Direct Input
      5. Paste into box, click Check

Checkboxes

Note that when the checkbox is not checked:
  • $_POST['licenseOK'] does not appear in list.
    • element is not sent with POSTed data
    • Same problem can occur with multiple selection menus if no option selected.
  • The value is undefined: see the error log for the warning.
    • it is an error to use it, e.g. print($_POST['licenseOK'])
    • this error is relatively harmless, but...
Deal with this by testing whether the value is defined:
if( isset($_POST['licenseOK']) )
{ /* checkbox is checked */
...
}

Self-configuring form

Previous example illustrates a common technique for all-in-one PHP form/processor documents:
  • Set form action attribute to $_SERVER['SCRIPT_NAME']
    • then form will be submitted to PHP script that generates it
    • no need to hard-code form file name into source
    • insurance in case you decide to rename it later
  • Alternative: action="#" implies form will be submitted to same URL
    • Can't use just action="" since empty URL is invalid
    • Could omit the action attribute altogether for the same effect, but it is better to make clear this is not an oversight

Multiple-valued elements

Note that if input fields have multiple values (e.g. select field with attribute multiple):
  • These arrive with only the last chosen value.
    • Fix by naming the field with square brackets at the end, name="somename[]"
    • Then it arrives in $_POST as an array

Multiple-valued elements, cont'd

Technically square brackets are illegal in HTML element names. Nonetheless,
  • the W3C validator accepts them
  • this is the standard solution for PHP form processing
    • but not for other methods of form processing, such as CGI with Perl
    • use only when processing form with PHP
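The points above (the all-in-one structure, escaping to prevent HTML injection, isset() for the checkbox, and the name="somename[]" convention for multi-select) combined in one script. This is an added example, not one of the course's own files; the field names name, licenseOK and colors[] are assumed.

```php
<?php
// Added example (not from the slides): an all-in-one form/processor that
// escapes every echoed value and handles the checkbox and multi-select cases.

// Escape a string for safe insertion into HTML text or attribute values.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Checkbox: absent from $_POST when unchecked, so test with isset().
$licenseOK = isset($_POST['licenseOK']);

// Multi-select named "colors[]" arrives as an array; it is not sent at all
// when nothing is selected, so default to []. A client may also send a
// plain string instead of an array, so normalise that case too.
$colors = $_POST['colors'] ?? [];
$colors = is_array($colors) ? $colors : [$colors];
// Keep only string values the form actually offers; never trust the client.
$allowed = ['red', 'green', 'blue'];
$colors  = array_values(array_intersect(array_filter($colors, 'is_string'), $allowed));

// A text field should be a string; anything else is treated as empty.
$name = is_string($_POST['name'] ?? null) ? trim($_POST['name']) : '';

if ($_POST) { ?>
<!DOCTYPE html>
<html><head><meta charset="utf-8"><title>Result</title></head><body>
<p>Hello, <?= h($name) ?>.</p>
<p>License accepted: <?= $licenseOK ? 'yes' : 'no' ?></p>
<p>Colors: <?= $colors ? h(implode(', ', $colors)) : '(none)' ?></p>
</body></html>
<?php } else { ?>
<!DOCTYPE html>
<html><head><meta charset="utf-8"><title>Form</title></head><body>
<form method="post" action="<?= h($_SERVER['SCRIPT_NAME']) ?>">
  <label>Name <input type="text" name="name"></label><br>
  <label><input type="checkbox" name="licenseOK" value="1"> I accept the license</label><br>
  <select name="colors[]" multiple>
    <option value="red">red</option>
    <option value="green">green</option>
    <option value="blue">blue</option>
  </select><br>
  <button type="submit">Send</button>
</form>
</body></html>
<?php }
```

Submitting a name such as <b>x</b> shows up literally in the result page rather than as markup, which is the HTML-injection case the earlier slide warns about.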

Another example

  • OK, just for fun, here is an example that shows how a PHP script can respond to form data.
  • This accepts some user text and presents it in a page with style selected by various form inputs.
  • View page source to see the style sheet it produces.
    • Notice that the script avoids exposing any un-escaped user input in the HTML or CSS it produces.