Quakenet/#php Tutorial

Note: If you opened this page from an external URL, be aware that all chapters build on each other. Be sure to read all prior chapters of this tutorial as well, otherwise you will miss relevant content explained earlier.

Forms

  1. What are forms?
  2. Forms in html documents
  3. Processing in PHP
  4. Text input fields
  5. Drop-down lists
  6. Radio and check boxes
  7. Trust no one
  8. Magic Quotes

1. What are forms?

Many web pages provide areas where text can be entered or selections can be made, typically followed by a button called Submit. These areas are called forms. The entered information is sent to a PHP script, which uses the values, for example to add a new user or a news item.

2. Forms in html documents

Forms are created with the <form> tag. The action attribute points to the URL the form is sent to, in this case your PHP script. The browser requests that script with the entered data, so it navigates to the PHP script.

You specify with the method attribute how the data is sent to the PHP script. If the value is get, the data is sent in the URL, like a simple request to index.php?section=news: the values are appended to the URL. As this can result in a long URL, it is more common for forms to use the value post. With this value the form data is sent hidden inside the HTTP request. The data itself is readable (it is not encrypted in any way) but is not visible to the user. So the form is, for example, just sent to http://www.example.com/login.php while the form data is transmitted hidden.

3. Processing in PHP

To access the form data in php you must give the form fields in your html code a name with the name attribute. Inside your php script the form data are saved in the superglobal arrays $_GET or $_POST, depending on which method is used. The index of the array field is the same as the name in the form field, the value is filled from the given form field.

The name of the form field can also be an array field. If the attribute name="foobar[5]" is used php will create a corresponding array field $_POST['foobar'][5]. If the index is omitted (name="foobar[]") an array field is created like $array[] = 'value';. This is used for checkboxes which will be stored in one array.

4. Text input fields

For a one-line input field you can use the HTML tag <input>. For simple text input use the attribute type="text", for passwords use type="password". Note that passwords are not sent encrypted; the form field just shows * instead of the actual password. If you want a multi-line input field, use <textarea> instead.

<form action="script.php" method="post">
    <fieldset>
        <legend>Enter login</legend>
        <label>Username: <input type="text" name="Username" /></label>
        <label>Password: <input type="password" name="Pass" /></label>
        <input type="submit" name="formaction" value="Login" />
    </fieldset>
</form>

If you send this form, PHP will get the following array fields.

<?php
$_POST['Username']   = '...';   // input from the Username field
$_POST['Pass']       = '...';   // input from the Pass field
$_POST['formaction'] = 'Login'; // set with the value="" attribute
?>

5. Drop-down lists

Drop-down lists are created with the <select> and <option> tags. You should add [] after the name of the drop-down list if you want to use the attribute multiple="multiple". This way all selected entries are saved in an array.

<form action="script.php" method="post">
    <fieldset>
        <legend>Form for Foobar</legend>
        <label>Name: <select name="Username">
            <option value="1">Blabli</option>
            <option value="4">Testuser</option>
        </select></label>
        <label>Rights: <select name="Rights[]" multiple="multiple" size="5">
            <option value="1">News</option>
            <option value="2">Forum</option>
            <option value="3">Guestbook</option>
        </select></label>
        <input type="submit" name="formaction" value="Send" />
    </fieldset>
</form>

If you select the user Blabli and select the rights News and Guestbook, the following array fields will be created.

<?php
$_POST['Username'] = "1";
$_POST['Rights'][] = "1";
$_POST['Rights'][] = "3";
$_POST['formaction'] = "Send";
?>

6. Radio and check boxes

For radio buttons and check boxes you can use the <input> tag. Depending on what you want, you must use type="radio" or type="checkbox". The check boxes or radio buttons which belong together must have the same name. For check boxes the name should end with [] to get an array of all selected check boxes.

<form action="script.php" method="post">
    <fieldset>
        <legend>Select pizza</legend>
        <fieldset>
            <legend>Size</legend>
            <label><input type="radio" name="Size" value="20" /> small</label>
            <label><input type="radio" name="Size" value="24" /> medium</label>
            <label><input type="radio" name="Size" value="30" /> big</label>
        </fieldset>
        <fieldset>
            <legend>Topping</legend>
            <label><input type="checkbox" name="Topping[]" value="salami" /> salami</label>
            <label><input type="checkbox" name="Topping[]" value="thunfish" /> thunfish</label>
        </fieldset>
        <input type="submit" name="formaction" value="Order" />
    </fieldset>
</form>

If you order a medium pizza with salami and thunfish, you will get the following array fields.

<?php
$_POST['Size'] = "24";
$_POST['Topping'][] = "salami";
$_POST['Topping'][] = "thunfish";
$_POST['formaction'] = "Order";
?>

If you don't specify a value for a radio button or check box, the value will be on. If a check box is not selected, it is not sent at all.

7. Trust no one

Like GET variables, form data comes from an external source. It can be filled with any value, even with JavaScript code. You must check the values inside your PHP script. Use the isset function to check whether the form data exists.

<?php
if (!isset($_POST['name'], $_POST['password'])) {
    die('Use only forms from the homepage.');
}
?>

The content can always be checked with string functions.
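
The following is an added example, not part of the original tutorial. It checks the pizza form from section 6 on the server: every value must have the expected type and match one of the values the form offers, and output is escaped. The helper name validate_order and the sample inputs are assumptions made for illustration; it assumes PHP 7.1 or later.

```php
<?php
// Added example (not from the original tutorial). Assumes PHP 7.1+.
// Allowlists mirror the value="" attributes of the form in section 6.
const ALLOWED_SIZES    = ['20', '24', '30'];
const ALLOWED_TOPPINGS = ['salami', 'thunfish'];

// Hypothetical helper: returns [order, errors]; order is null on any error.
function validate_order(array $post): array
{
    $errors = [];

    // Radio button: must be present, a plain string (a field named Size[]
    // would arrive as an array), and one of the offered values.
    $size = $post['Size'] ?? null;
    if (!is_string($size) || !in_array($size, ALLOWED_SIZES, true)) {
        $errors[] = 'Invalid size.';
    }

    // Check boxes: missing when nothing is ticked, otherwise an array of strings.
    $toppings = $post['Topping'] ?? [];
    if (!is_array($toppings)) {
        $errors[] = 'Invalid topping list.';
    } else {
        foreach ($toppings as $topping) {
            if (!is_string($topping) || !in_array($topping, ALLOWED_TOPPINGS, true)) {
                $errors[] = 'Invalid topping.';
                break;
            }
        }
    }

    if ($errors) {
        return [null, $errors];
    }
    return [['Size' => $size, 'Topping' => array_values(array_unique($toppings))], []];
}

// Constructed sample inputs standing in for $_POST.
$samples = [
    'valid'    => ['Size' => '24', 'Topping' => ['salami', 'thunfish']],
    'tampered' => ['Size' => '<script>alert(1)</script>', 'Topping' => 'salami'],
    'nested'   => ['Size' => ['24'], 'Topping' => [['salami']]],
];
foreach ($samples as $label => $post) {
    [$order, $errors] = validate_order($post);
    $line = $errors ? implode(' ', $errors) : 'OK: ' . json_encode($order);
    // Escape on output so that nothing from the request is rendered as markup.
    echo htmlspecialchars("$label -> $line", ENT_QUOTES, 'UTF-8'), "\n";
}
```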

8. Magic Quotes

If you send text data from a form to a PHP script, the data may be changed automatically by PHP. The text A sample text with one ' and one " will be converted to A sample text with one \' and one \". This is called Magic Quotes. It was implemented to help beginners who want to save these values in a database.

But this can get annoying, at least when you get output like A sample text with one \\\\\\' and one \\\\\\". So we remove these backslashes with stripslashes if magic quotes is activated on your server.

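<?php
// Only relevant on old PHP versions: magic quotes were removed in PHP 5.4,
// and get_magic_quotes_gpc() and each() were removed in PHP 8.0.
if (get_magic_quotes_gpc()) {
    // Work queue of references to the arrays that still need cleaning.
    $in = array(&$_GET, &$_POST, &$_COOKIE);
    while (list($k, $v) = each($in)) {
        foreach ($v as $key => $val) {
            if (!is_array($val)) {
                // Scalar value: remove the added backslashes in place.
                $in[$k][$key] = stripslashes($val);
                continue;
            }
            // Nested array (e.g. name="foobar[]"): queue it for a later pass.
            $in[] =& $in[$k][$key];
        }
    }
    unset($in);
}
?>

You don't need to understand this code from http://talks.php.net/show/php-best-practices/26; it removes all backslashes added by magic quotes from $_GET, $_POST and $_COOKIE.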

Questions about the chapter

No questions

Copyright © to the OPs of #php/QuakeNet