1. What are forms?
Many web pages provide areas where text can be entered or selections can be made,
followed by a button typically called Submit. These areas
are called forms. The entered information is sent to a
PHP script, and this script uses the values, for example to add a new user or a news item.
2. Forms in HTML documents
Forms are created with the <form> tag. The
action attribute points to the URL the form is sent to, in your
case your PHP script. This script is requested with the entered data, so the browser
navigates to the PHP script.
You can specify with the method attribute how the data is sent to
the PHP script. If this value is get, the data is sent in the URL,
like a simple request to index.php?section=news. The values are appended to the
URL. As this can result in a long URL, it is more common for forms to use the
value post. With this value the form data is sent hidden inside
the HTTP request. The data itself is readable (it is not encrypted in any way) but
is not visible to the user. So the form is, e.g., just sent to
http://www.example.com/login.php, but the form data is transmitted
hidden.
3. Processing in PHP
To access the form data in PHP, you must give the form fields in your HTML code a
name with the name attribute. Inside your PHP script the form data
is stored in the superglobal arrays $_GET or $_POST,
depending on which method is used. The array key is the same
as the name of the form field, and the value is the content of that form field.
The name of a form field can also refer to an array element. If the attribute
name="foobar[5]" is used, PHP creates the corresponding array
element $_POST['foobar'][5]. If the index is omitted (name="foobar[]"),
an element is appended to the array, as with $array[] = 'value';. This is used
for checkboxes, whose values are then stored in one array.
4. Text input fields
For a one-line input field you can use the HTML tag <input>. For
simple text input use the attribute type="text"; for passwords use
type="password". Note that passwords are not sent encrypted; the
form field just shows * instead of the actual password. If you
want a multi-line input field, use <textarea> instead.
<form action="script.php" method="post">
  <fieldset>
    <legend>Enter login</legend>
    <label>Username: <input type="text" name="Username" /></label>
    <label>Password: <input type="password" name="Pass" /></label>
    <input type="submit" name="formaction" value="Login" />
  </fieldset>
</form>
If you send this form, PHP will get the following array fields.
<?php
$_POST['Username'] = /* input from the Username field */;
$_POST['Pass'] = /* input from the Pass field */;
$_POST['formaction'] = 'Login'; // set with the value="" attribute
?>
5. Drop-down lists
Drop-down lists are created with the <select> and <option>
tags. You should add [] after the name of the drop-down list if you want to
use the attribute multiple="multiple". This way all selected entries are saved
in an array.
<form action="script.php" method="post">
  <fieldset>
    <legend>Form for Foobar</legend>
    <label>Name: <select name="Username">
      <option value="1">Blabli</option>
      <option value="4">Testuser</option>
    </select></label>
    <label>Rechte: <select name="Rights[]" multiple="multiple" size="5">
      <option value="1">News</option>
      <option value="2">Forum</option>
      <option value="3">Guestbook</option>
    </select></label>
    <input type="submit" name="formaction" value="Send" />
  </fieldset>
</form>
If you select the user Blabli and select the
rights News and Guestbook the following
array fields will be created.
<?php
$_POST['Username'] = "1";
$_POST['Rights'][] = "1";
$_POST['Rights'][] = "3";
$_POST['formaction'] = "Send";
?>
6. Radio and check boxes
For radio buttons and checkboxes you can use the <input> tag.
Depending on what you want, use type="radio"
or type="checkbox". Checkboxes or radio buttons that belong
together must have the same name. For checkboxes the name should end
with [] to get an array of all selected checkboxes.
<form action="script.php" method="post">
  <fieldset>
    <legend>Select pizza</legend>
    <fieldset>
      <legend>Size</legend>
      <label><input type="radio" name="Size" value="20" /> small</label>
      <label><input type="radio" name="Size" value="24" /> medium</label>
      <label><input type="radio" name="Size" value="30" /> big</label>
    </fieldset>
    <fieldset>
      <legend>Topping</legend>
      <label><input type="checkbox" name="Topping[]" value="salami" /> salami</label>
      <label><input type="checkbox" name="Topping[]" value="thunfish" /> thunfish</label>
    </fieldset>
    <input type="submit" name="formaction" value="Order" />
  </fieldset>
</form>
If you order a medium pizza with salami and thunfish you will get the following array fields.
<?php
$_POST['Size'] = "24";
$_POST['Topping'][] = "salami";
$_POST['Topping'][] = "thunfish";
$_POST['formaction'] = "Order";
?>
If you don't specify a value for a radio button or checkbox, the value will
be on. If a checkbox is not selected, it is not sent at all.
7. Trust no one
Like GET variables, form data comes from an external source. The fields can be filled with any value, even with JavaScript code. You must check the values inside your PHP script. Use the isset function to check whether the form data exists.
<?php
if (!isset($_POST['name'], $_POST['password'])) {
    die('Use only forms from the homepage.');
}
?>
The content can always be checked with string functions.
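The checks this section asks for, applied to the pizza form from section 6 (an added example, not part of the original tutorial): presence, type and allowed values are all verified on the server. The function name validate_order() and the allow-list constants are assumptions made for the illustration.

```php
<?php
// Added example: validate_order() and the allow-lists are hypothetical names.
const ALLOWED_SIZES    = ['20', '24', '30'];
const ALLOWED_TOPPINGS = ['salami', 'thunfish'];

// Returns [order, errors]. $post is a parameter (normally $_POST) so the
// function can be exercised with constructed input.
function validate_order(array $post): array
{
    $errors = [];

    // name="Size[]" in a forged request yields an array, so check the type first.
    $size = $post['Size'] ?? null;
    if (!is_string($size) || !in_array($size, ALLOWED_SIZES, true)) {
        $errors[] = 'Please choose one of the offered sizes.';
    }

    // Unchecked boxes are not sent at all, so a missing field means no toppings.
    $toppings = $post['Topping'] ?? [];
    if (!is_array($toppings)) {
        $errors[] = 'Toppings must be sent as a list.';
        $toppings = [];
    }
    foreach ($toppings as $topping) {
        if (!is_string($topping) || !in_array($topping, ALLOWED_TOPPINGS, true)) {
            $errors[] = 'Unknown topping.';
            break;
        }
    }

    if ($errors) {
        return [null, $errors];
    }
    $order = ['size' => (int) $size, 'toppings' => array_values(array_unique($toppings))];
    return [$order, []];
}

// Constructed input: a request that was not produced by the form.
$forged = ['Size' => ['24'], 'Topping' => ['salami', '<script>alert(1)</script>']];
[$order, $errors] = validate_order($forged);
foreach ($errors as $error) {
    // Escape everything that is written into an HTML page.
    echo htmlspecialchars($error, ENT_QUOTES, 'UTF-8'), "\n";
}

// Constructed input: what the form sends for a medium pizza with both toppings.
[$order, $errors] = validate_order(['Size' => '24', 'Topping' => ['salami', 'thunfish']]);
var_dump($order, $errors);
```

Comparing against a fixed list of the values the form offers is stricter than isset() alone, which only shows that a field was sent.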
8. Magic Quotes
If you send text data from a form to a PHP script, the data
may be changed automatically before your script sees it. The text
A sample text with one ' and one " will be converted to
A sample text with one \' and one \". This is called
Magic Quotes. It was
implemented to help beginners who want to store these values in a database.
But this can get annoying, especially when you get output like
A sample text with one \\\\\\' and one \\\\\\".
So we remove these backslashes with stripslashes
if magic quotes are activated on your server.
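<?php
// get_magic_quotes_gpc() was removed in PHP 8.0 (magic quotes themselves in 5.4),
// so only call it where it still exists.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $in = array(&$_GET, &$_POST, &$_COOKIE);
    // each() was removed in PHP 8.0, so the queue is walked by index instead.
    // count() is re-evaluated so that nested arrays appended below are processed too.
    for ($k = 0; $k < count($in); $k++) {
        foreach ($in[$k] as $key => $val) {
            if (!is_array($val)) {
                $in[$k][$key] = stripslashes($val);
                continue;
            }
            // Queue the nested array by reference for a later pass.
            $in[] =& $in[$k][$key];
        }
    }
    unset($in);
}
?>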
You don't need to understand this code from
http://talks.php.net/show/php-best-practices/26;
it removes all backslashes from $_GET, $_POST and
$_COOKIE that were added by magic quotes.