PHP allows you to automatically access variables sent to your script from a standard HTML form. An HTML form can send form items in two ways, and these match PHP's arrays $_GET and $_POST. You access each form item through the appropriate array, as determined by the HTML form, using the item's name attribute as the key.
Below is a very standard, typical form:
In the code above, note the highlighted code, particularly on line one. action="get" tells the PHP script "process.php" (also named on line one) to access the form items using $_GET. Changing action="get" to action="post" tells PHP to access the form items via $_POST.
You need to give each form item a unique name. This is shown on lines 2 and 3. For the form above, to access the first_name input box we would use $_GET['first_name']; if the form method were changed to "post" we would use $_POST['first_name']. In other words, the name attribute you set on a form item becomes the array key in either $_GET or $_POST.
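The form the text describes, written out as an added example rather than the page's own listing (the original form is not reproduced on this page). It assumes the file names form.php and process.php and the field names first_name, last_name and submit; in HTML the method attribute selects the HTTP verb, and therefore the array PHP fills, while action names the receiving script.

```php
<?php
// form.php: added example of the kind of form the text describes (not the page's original listing).
// method="get" makes the browser send the fields in the URL, so process.php reads them from $_GET;
// switching $method to 'post' sends them in the request body and process.php must read $_POST instead.
$method = 'get';   // assumption: keep this in step with the array process.php reads from
?>
<form action="process.php" method="<?= htmlspecialchars($method, ENT_QUOTES, 'UTF-8') ?>">
    <label for="first_name">First name</label>
    <!-- the name attribute becomes the array key: $_GET['first_name'] -->
    <input type="text" id="first_name" name="first_name" maxlength="50">

    <label for="last_name">Last name</label>
    <!-- the name attribute becomes the array key: $_GET['last_name'] -->
    <input type="text" id="last_name" name="last_name" maxlength="50">

    <!-- a named submit button lets process.php test !empty($_GET['submit']) -->
    <input type="submit" name="submit" value="Send">
</form>
```

The maxlength attributes only help well-behaved browsers; process.php must still check lengths itself, because anything in the URL or request body can be edited before it reaches the server.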
Below is a sample PHP script showing how to access the form items submitted by the form above.
```php
<?php
// process.php: the fields are read from $_GET because the form's method is "get".
if (!empty($_GET['submit'])) {
    $first_name = (!empty($_GET['first_name'])) ? trim(stripslashes($_GET['first_name'])) : '';
    $last_name  = (!empty($_GET['last_name']))  ? trim(stripslashes($_GET['last_name']))  : '';
    // htmlspecialchars() stops user-supplied text from being interpreted as HTML in the response.
    echo 'Hello, ', htmlspecialchars($first_name), ' how are you today? Our system indicates your surname is ', htmlspecialchars($last_name), '.';
}
```
In the above code, we can see that the form item names in the HTML form are the array keys to use with the array that matches the method set in the form. The opening if statement checks whether the submit button has been pressed; if it has, the script grabs each form item using a ternary operator, assigns it to a variable and echoes the output.
Determining $_POST or $_GET
It is important to decide what method to use when implementing a form on your website.
$_GET items:
- Input names are passed in the URL and are therefore visible. As a result, you should not pass sensitive information using $_GET.
- Using $_GET allows a user to bookmark a page, which can easily be accessed at a later point.
- Only small variables should be passed to $_GET.

$_POST items:
- $_POST has no length limit, so you can pass very long variables to it.
- Form items are not passed in the URL and cannot be accessed by URL.
You can, of course, use the $_REQUEST array, which combines $_POST and $_GET items into one. However, it is recommended that if you set a method in an HTML form, you stick to that method. Keeping $_POST and $_GET separate increases security and lessens the likelihood of a security hole in your script.
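One way to stick to the declared method in code, as an added example that is not the page's own script: process.php reads only the array that matches the method the form was written with, and refuses a request that arrived with any other HTTP method instead of quietly serving it from the other array as $_REQUEST would. It assumes the form earlier on the page, sending first_name, last_name and submit with method="get".

```php
<?php
// process.php: added example (not the page's own code) of reading only the array that matches the
// form's declared method, instead of the merged $_REQUEST array. It assumes the form from earlier
// on the page, sending first_name, last_name and submit with method="get".

declare(strict_types=1);

const FORM_METHOD = 'GET';   // assumption: must agree with <form method="..."> in the HTML

/**
 * Return the array that matches the declared method, or null when the request arrived
 * with a different HTTP method. A mismatch is refused rather than served from the other
 * array, which is what $_REQUEST would silently do.
 */
function formInput(string $declared, string $actual, array $get, array $post): ?array
{
    $declared = strtoupper($declared);
    if (strtoupper($actual) !== $declared) {
        return null;
    }
    return $declared === 'POST' ? $post : $get;
}

/**
 * Read one scalar field: trimmed, at most $maxLength bytes, '' when absent.
 * Values that are not strings (name[]=... produces an array) and over-long values
 * are treated as absent, so later code only ever sees a bounded string.
 */
function field(array $input, string $name, int $maxLength = 50): string
{
    $value = $input[$name] ?? '';
    if (!is_string($value) || strlen($value) > $maxLength) {
        return '';
    }
    return trim($value);
}

$input = formInput(FORM_METHOD, $_SERVER['REQUEST_METHOD'] ?? 'GET', $_GET, $_POST);
if ($input === null) {
    http_response_code(405);
    header('Allow: ' . FORM_METHOD);
    exit('This form must be submitted with ' . FORM_METHOD . '.');
}

if (!empty($input['submit'])) {
    $first_name = field($input, 'first_name');
    $last_name  = field($input, 'last_name');
    echo 'Hello, ', htmlspecialchars($first_name, ENT_QUOTES, 'UTF-8'),
         ', how are you today? Our system indicates your surname is ',
         htmlspecialchars($last_name, ENT_QUOTES, 'UTF-8'), '.';
}
```

With $_REQUEST, a parameter appended to the URL of a form that was written as method="post" could fill a field the form meant to send in the body, and the script could not tell the two apart; reading only the declared array removes that ambiguity. The stripslashes() call from the page's snippet is omitted here because it only existed to undo magic quotes, which PHP removed in version 5.4.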
Validation and Security
On form items, particularly when using $_GET to access database records and fields, you should take care with security and be aware of SQL injection attacks. Additionally, you should validate all data before using it and possibly storing it. For example, the following validates an email address:
```php
// Dots are escaped to match a literal "." and "-" is placed last in the class so it is a hyphen, not a range.
if (preg_match('/^[a-z0-9&\'._+-]+@[a-z0-9-]+\.([a-z0-9-]+\.)*?[a-z]+$/i', $email)) { /* $email is syntactically valid */ }
```
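Validation and storage carried through end to end, as an added example that is not the page's own code: every field is normalised and checked before anything else happens to it, and the record is written with a prepared statement so the submitted text is bound as data and never becomes part of the SQL. It assumes fields named first_name, last_name and email, a name policy of its own, and uses an in-memory SQLite database through PDO so that it runs stand-alone; a real site would substitute its own DSN and table.

```php
<?php
// Added example (not the page's own code): validate every form field before it is used or stored,
// then store it with a prepared statement so that form data can never change the SQL text.
// Assumes fields named first_name, last_name and email; uses an in-memory SQLite database via PDO.

declare(strict_types=1);

/**
 * Email syntax check. filter_var() applies PHP's built-in RFC-based rule; the regular expression
 * is the page's pattern with the dots escaped and the character class corrected, kept here as
 * the stricter local policy (assumption) for the local part.
 */
function isValidEmail(string $email): bool
{
    if (strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    return preg_match('/^[a-z0-9&\'._+-]+@[a-z0-9-]+\.([a-z0-9-]+\.)*[a-z]+$/i', $email) === 1;
}

/** Name policy (assumption): 1 to 50 characters, letters, spaces, apostrophes and hyphens only. */
function isValidName(string $name): bool
{
    return preg_match('/^\p{L}[\p{L} \'-]{0,49}$/u', $name) === 1;
}

/**
 * Normalise and validate the submitted fields.
 * Returns [cleanFields, invalidFieldNames]; storage may only happen when the second list is empty.
 */
function validateSignup(array $submitted): array
{
    $clean  = [];
    $errors = [];
    foreach (['first_name', 'last_name', 'email'] as $key) {
        $value       = $submitted[$key] ?? '';
        $clean[$key] = is_string($value) ? trim($value) : '';   // arrays or missing keys become ''
    }
    if (!isValidName($clean['first_name'])) { $errors[] = 'first_name'; }
    if (!isValidName($clean['last_name']))  { $errors[] = 'last_name'; }
    if (!isValidEmail($clean['email']))     { $errors[] = 'email'; }
    return [$clean, $errors];
}

/** Insert a validated record. The values travel as bound parameters, never inside the SQL string. */
function storeSignup(PDO $db, array $clean): int
{
    $stmt = $db->prepare(
        'INSERT INTO signups (first_name, last_name, email) VALUES (:first, :last, :email)'
    );
    $stmt->execute([
        ':first' => $clean['first_name'],
        ':last'  => $clean['last_name'],
        ':email' => $clean['email'],
    ]);
    return (int) $db->lastInsertId();
}

// Stand-alone run with constructed input standing in for $_POST.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE signups (id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT, email TEXT)');

$submissions = [
    ['first_name' => 'Ada',   'last_name' => "O'Brien", 'email' => 'ada.obrien@example.com'], // valid; the quote is harmless when bound
    ['first_name' => 'Grace', 'last_name' => 'Hopper',  'email' => 'not an address'],          // rejected before any SQL runs
    ['first_name' => ['x'],   'last_name' => 'Hopper',  'email' => 'g@example.com'],           // array instead of string: rejected
];
foreach ($submissions as $post) {
    [$clean, $errors] = validateSignup($post);
    if ($errors !== []) {
        echo 'Rejected: ', implode(', ', $errors), PHP_EOL;
        continue;
    }
    echo 'Stored row ', storeSignup($db, $clean), PHP_EOL;
}
```

The two checks do different jobs: validation decides whether the input is acceptable at all, while the bound parameters guarantee that whatever is accepted, apostrophes included, is stored as a value rather than interpreted as SQL. Neither replaces the other, and htmlspecialchars() is still needed when the stored value is later printed into a page.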
To conclude, form items are a very easy way of creating an interactive website, such as forums and guestbooks. However, you should take care when coding to ensure your website is not an easy target for a hacker.