
Form Processing in PHP

Dr. Charles Severance


www.wa4e.com

http://www.wa4e.com/code/forms
http://www.wa4e.com/code/forms.zip
PHP Global Variables
• Part of the goal of PHP is to make interacting with HTTP and
HTML as easy as possible.
• PHP processes the incoming HTTP request based on the
protocol specifications and drops the data into various super
global variables (usually arrays).
(Review from Arrays)

http://www.wa4e.com/code/arrays/get-01.php

[Figure: timeline of one request across Browser, Web Server (Apache, static files, PHP code) and Database Server (MySQL). The browser requests get-01.php?x=2; the server parses the request, the query parameters land in $_GET, the PHP code runs, and the browser parses the response into the DOM and JavaScript. Browser and server speak RRC/HTTP; server and database speak SQL.]
Forms – User Input / Action
<p>Guessing game...</p>
<form>
<p><label for="guess">Input Guess</label>
<input type="text" name="guess" id="guess"/></p>
<input type="submit"/>
</form>

http://www.wa4e.com/code/forms/form1.php
form1.php

Forms Submit Data


<p>Guessing game...</p>
<form>
<p><label for="guess">Input Guess</label>
<input type="text" name="guess" id="guess"/></p>
<input type="submit"/>
</form>
form2.php
<p>Guessing game...</p>
<form>
<p><label for="guess">Input Guess</label>
<input type="text" name="guess" id="guess"/></p>
<input type="submit"/>
</form>
<pre>
$_GET:
<?php
print_r($_GET);
?>
</pre>
GET and POST with Forms

[Figure: the same Browser / Web Server / Database Server timeline for form1.php: the server parses the request, the submitted parameters land in $_POST, the PHP code runs, and the response is parsed by the browser into the DOM and JavaScript.]
form3.php
<p>Guessing game...</p>
<form method="post">
<p><label for="guess">Input Guess</label>
<input type="text" name="guess" size="40" id="guess"/></p>
<input type="submit"/>
</form>
<pre>
$_POST:
<?php
print_r($_POST);
?>
$_GET:
<?php
print_r($_GET);
?>
</pre>
Forms GET vs. POST

Two ways the browser can send parameters to the web server
• GET - Parameters are placed on the URL which is retrieved.
• POST - The URL is retrieved and parameters are appended to the request in the HTTP connection.
Passing Parameters to The Server

The HTTP request the browser sends to the web server for a GET:

GET /form1.php?guess=42
Accept: text/html
User-Agent: Lynx/2.4 libwww/2.14

and for a POST, where the parameters follow the headers in the request body:

POST /form3.php
Accept: text/html
User-Agent: Lynx/2.4 libwww/2.14
Content-type: application/x-www-form-urlencoded
Content-length: 13

guess=42

The parameter name comes from the input's name attribute, not its id:

<input type="text" name="guess" id="yourid" />
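The encoding step behind the two requests above, as an added example that is not part of the slides. On a real request PHP does this decoding itself and fills $_GET / $_POST; here the query string and POST body are built and parsed by hand so the rules are visible. The host name and the sample parameter values are constructed.

```php
<?php
// Added example (not from the slides): how the GET query string and the POST
// body shown above are encoded and decoded. All inputs are constructed values.

// The second value contains '&', '=' and a space on purpose: without
// percent-encoding, those characters would split or corrupt the parameter list.
$params = ['guess' => 42, 'note' => 'a&b=c d'];

// GET: the parameters travel on the URL.
$query = http_build_query($params);          // guess=42&note=a%26b%3Dc+d
$getRequest = "GET /form1.php?$query HTTP/1.1\r\nHost: example.invalid\r\n\r\n";

// POST: the parameters travel in the body; Content-Length is the body size in bytes.
$body = http_build_query($params);
$postRequest = "POST /form3.php HTTP/1.1\r\nHost: example.invalid\r\n"
    . "Content-Type: application/x-www-form-urlencoded\r\n"
    . "Content-Length: " . strlen($body) . "\r\n\r\n" . $body;

// Decoding: parse_str() applies the same rules PHP uses for the query string
// and the urlencoded body. Always pass the result array; the one-argument
// form (removed in PHP 8) wrote variables straight into the current scope.
parse_str($query, $decoded);
var_dump($decoded['guess'] === '42');        // true: every value arrives as a string
var_dump($decoded['note'] === 'a&b=c d');    // true: the encoding round-trips

echo $getRequest, "\n", $postRequest, "\n";
```

Two things worth noticing when reading the output: every decoded value is a string, even the one that was an integer when the request was built, and the Content-Length header is computed from the encoded body, not from the original values.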


[Figure: the Browser / Web Server / Database Server timeline for form3.php: the server parses the POST request, the parameters land in $_POST, the PHP code runs, and the response is parsed by the browser into the DOM and JavaScript.]
Rules of the POST/GET Choice
• POST is used when data is being created or modified.
• GET is used when you are reading or searching things.
• Web search spiders will follow GET URLs but generally not POST URLs.
• GET URLs should be “idempotent” - the same URL should give the “same thing” each time you access it.
• GET has an upper limit on the number of bytes of parameters and values (think about 2K).
Form Input Types
Other Input Types
• Text
• Password
• Radio Button
• Check Box
• Select / Drop-Down
• Textarea

http://www.wa4e.com/code/forms/more.php
more.php
<p>Many field types...</p>
<form method="post" action="more.php">
<p><label for="inp01">Account:</label>
<input type="text" name="account" id="inp01" size="40" ></p>
<p><label for="inp02">Password:</label>
<input type="password" name="pw" id="inp02" size="40" ></p>
<p><label for="inp03">Nick Name:</label>
<input type="text" name="nick" id="inp03" size="40" ></p>

$_POST:
Array
(
[account] => Beth
[pw] => 12345
[nick] => BK
[when] => pm
...
)
more.php
<p>Preferred Time:<br/>
<input type="radio" name="when" value="am">AM<br>
<input type="radio" name="when" value="pm" checked>PM</p>

$_POST:
Array(
...
[nick] => BK
[when] => pm
[class] => si502
...
)
<p>Classes taken:<br/>
<input type="checkbox" name="class1" value="si502" checked>
SI502 - Networked Tech<br>
<input type="checkbox" name="class2" value="si539">
SI539 - App Engine<br>
<input type="checkbox" name="class3">
SI543 - Java<br> </p>

$_POST with SI502 checked (an unchecked box is simply absent):
Array(
...
[when] => pm
[class1] => si502
[soda] => 0
...
)

$_POST with only SI543 checked (a checkbox with no value attribute sends "on"):
Array(
...
[when] => pm
[class3] => on
[soda] => 0
...
)
more.php
<p><label for="inp06">Which soda:
<select name="soda" id="inp06">
<option value="0">-- Please Select --</option>
<option value="1">Coke</option>
<option value="2">Pepsi</option>
<option value="3">Mountain Dew</option>
<option value="4">Orange Juice</option>
<option value="5">Lemonade</option>
</select>
</p>

$_POST:
Array(
...
[class] => si502
[soda] => 0
[snack] => peanuts
...
)

The values can be any string, but numbers are used quite often.
more.php
<p><label for="inp07">Which snack:
<select name="snack" id="inp07">
<option value="">-- Please Select --</option>
<option value="chips">Chips</option>
<option value="peanuts" selected>Peanuts</option>
<option value="cookie">Cookie</option>
</select>
</p>

$_POST:
Array(
...
[class] => si502
[soda] => 0
[snack] => peanuts
...
)
more.php
<p><label for="inp08">Tell us about yourself:<br/>
<textarea rows="10" cols="40" id="inp08" name="about">
I love building web sites in PHP and MySQL.
</textarea>
</p>

$_POST:
Array(
...
[about] => I love building web sites
in PHP and MySQL.
[dopost] => Submit
...
)
more.php
<p><label for="inp09">Which are awesome?<br/>
<select multiple="multiple" name="code[]" id="inp09">
<option value="python">Python</option>
<option value="css">CSS</option>
<option value="html">HTML</option>
<option value="php">PHP</option>
</select>

$_POST:
Array(
...
[code] => Array
(
[0] => css
[1] => html
)
[dopost] => Submit
...
)
more.php
<p>
<input type="submit" name="dopost" value="Submit"/>
<input type="button"
onclick="location.href='http://www.wa4e.com/'; return false;"
value="Escape">
</p>

$_POST:
Array(
...
[dopost] => Submit
...
)

On submit input types, the text is both in the UI and in $_POST so we tend to look for the key, not the value.
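Server-side handling of the more.php fields, as an added example that is not part of the slides. It assumes the field names and option values shown in the more.php fragments above and uses a constructed $_POST array so it runs from the command line. The point it adds to the slides: a checkbox, a select or a submit button only constrains what the browser offers; the server still has to check what actually arrived.

```php
<?php
// Added example (not part of the slides): processing the more.php fields.
// Field names and option values mirror the fragments above; the input array
// below is a constructed stand-in for $_POST.

// Only ticked checkboxes are sent, and a checkbox with no value attribute
// sends "on", so test for the key, not the value.
function checkbox_checked(array $post, string $name): bool {
    return isset($post[$name]);
}

// A <select> limits what the UI offers, not what a client can send: any value
// can be placed in the POST body, so the server re-checks it against the list.
function select_choice(array $post, string $name, array $allowed, $default = null) {
    if (!isset($post[$name]) || !is_string($post[$name])) {
        return $default;
    }
    return in_array($post[$name], $allowed, true) ? $post[$name] : $default;
}

// name="code[]" arrives as an array. A plain string, a missing field or a
// nested array must not break the handler, and unknown values are dropped.
function multi_choice(array $post, string $name, array $allowed): array {
    $raw = $post[$name] ?? [];
    if (!is_array($raw)) {
        return [];
    }
    $raw = array_filter($raw, 'is_string');
    return array_values(array_intersect($raw, $allowed));
}

// Constructed sample of what $_POST could hold after submitting more.php.
$sample = [
    'account' => 'Beth', 'pw' => '12345', 'nick' => 'BK',
    'when'    => 'pm',   'class1' => 'si502', 'class3' => 'on',
    'soda'    => '9',                       // not one of the offered options
    'snack'   => 'peanuts',
    'code'    => ['css', 'html', 'ruby'],   // 'ruby' was never an option
    'dopost'  => 'Submit',
];

if (isset($sample['dopost'])) {            // the submit button: look for the key
    $result = [
        'when'  => select_choice($sample, 'when', ['am', 'pm'], 'pm'),
        'si502' => checkbox_checked($sample, 'class1'),
        'si539' => checkbox_checked($sample, 'class2'),
        'si543' => checkbox_checked($sample, 'class3'),
        'soda'  => select_choice($sample, 'soda', ['1', '2', '3', '4', '5'], null),
        'snack' => select_choice($sample, 'snack', ['chips', 'peanuts', 'cookie'], null),
        'code'  => multi_choice($sample, 'code', ['python', 'css', 'html', 'php']),
    ];
    print_r($result);
    // soda is null (rejected); code is Array ( [0] => css [1] => html )
}
```

The `is_string` checks matter because a client can submit `name[]=...` for a field the form declared as a single value, which turns a string into an array and makes functions such as `in_array` or `strlen` misbehave.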
HTML5 Input Types
• HTML5 defines new input types
• Not all browsers support all input types
• They fall back to type="text"
• http://www.w3schools.com/html/html5_form_input_types.asp
Select your favorite color:
<input type="color" name="favcolor" value="#0000ff"><br/>
Birthday:
<input type="date" name="bday" value="2013-09-02"><br/>
E-mail:
<input type="email" name="email"><br/>
Quantity (between 1 and 5):
<input type="number" name="quantity"
min="1" max="5"><br/>
Add your homepage:
<input type="url" name="homepage"><br>
Transportation:
<input type="flying" name="saucer"><br>

Validation happens when you press submit.

http://www.wa4e.com/code/forms/html5.php
Data Security / Integrity / Validation

Persisting Form Data
• When we submit forms and there is an error, we just expect that the data will remain in the form when the page is redisplayed.
• The application needs to make sure to put the previous values back into the form.
form4.php - “Persisting” Form Data Across Requests
<?php
$oldguess = isset($_POST['guess']) ? $_POST['guess'] : '';
?>
<p>Guessing game...</p>
<form method="post">
<p><label for="guess">Input Guess</label>
<input type="text" name="guess" id="guess"
size="40" value="<?= $oldguess ?>"/></p>
<input type="submit"/>
</form>

Review: Ternary Operation - the isset(...) ? ... : '' line sets $oldguess to the submitted value when there is one and to the empty string otherwise.

The short echo tag
<?= $oldguess ?>
is equivalent to
<?php echo($oldguess); ?>
Hygiene Alert!
What happens when we use an HTML character in a form field value?

form4.php, as sent to the browser when the submitted guess was "><b>DIE DIE</b>:
<form method="post">
<p><label for="guess">Input Guess</label>
<input type="text" name="guess" id="guess"
size="40" value=""><b>DIE DIE</b>" /></p>
<input type="submit"/>
</form>
To The Rescue: htmlentities()

form5.php
<form method="post">
<p><label for="guess">Input Guess</label>
<input type="text" name="guess" id="guess"
size="40" value="<?= htmlentities($oldguess) ?>"/></p>
<input type="submit"/>
</form>

With the same input, the HTML sent to the browser is now:
<input type="text" name="guess" id="guess"
value="&quot;&gt;&lt;b&gt;DIE DIE&lt;/b&gt;" /></p>
In-Server Data Validation

[Figure: the Browser / Web Server / Database Server timeline for form3.php once more; the validation discussed next happens in the PHP code on the web server, after the request has been parsed into $_POST and before anything is sent back to the browser or on to the database.]
Incoming Data Validation
Making sure all user data is present and in the correct format before proceeding
• Non-empty: strlen($var) > 0
• A number: is_numeric($var)
• An email address: strpos($var, '@') > 0
• Or: filter_var($var, FILTER_VALIDATE_EMAIL) !== false
• ....
http://www.wa4e.com/code/forms/guess.php?guess=7
http://www.wa4e.com/code/forms/guess.php?guess=200
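The checks listed above wrapped into one validation pass, as an added example that is not part of the slides. It collects every error rather than stopping at the first one, returns already-typed values, and notes where the simpler checks on the slide let bad input through. The field names and the 1..100 range for the guess are assumptions.

```php
<?php
// Added example (not part of the slides): server-side validation of a form
// with a nick name, a numeric guess and an e-mail address. Field names and
// the guess range are assumptions; the sample inputs are constructed.

function validate_form(array $input): array {
    $errors = [];
    $clean  = [];

    // Non-empty: trim first so a field containing only spaces does not pass.
    $nick = isset($input['nick']) && is_string($input['nick']) ? trim($input['nick']) : '';
    if (strlen($nick) === 0) {
        $errors['nick'] = 'Nick name is required';
    } else {
        $clean['nick'] = $nick;
    }

    // A number: is_numeric() also accepts "1e3", " 7" and "7.5". For an integer
    // parameter FILTER_VALIDATE_INT with a range is stricter, and it returns
    // false for arrays, so a client sending guess[]=42 is rejected too.
    $guess = filter_var($input['guess'] ?? '', FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 1, 'max_range' => 100]]);
    if ($guess === false) {
        $errors['guess'] = 'Guess must be a whole number from 1 to 100';
    } else {
        $clean['guess'] = $guess;       // already an int, no "+ 0" trick needed
    }

    // An email address: strpos($var, '@') > 0 accepts "a@" and "a@@b";
    // filter_var() checks the whole syntax.
    $email = filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors['email'] = 'Enter a valid e-mail address';
    } else {
        $clean['email'] = $email;
    }

    return ['ok' => count($errors) === 0, 'values' => $clean, 'errors' => $errors];
}

// Constructed sample inputs: one good submission, one with every field wrong.
print_r(validate_form(['nick' => 'BK', 'guess' => '42', 'email' => 'beth@example.com']));
print_r(validate_form(['nick' => '   ', 'guess' => '1e3', 'email' => 'beth@']));
```

Keeping the validated, typed values in a separate array (`values`) rather than reusing `$_POST` means the rest of the script only ever sees data that passed the checks.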
Convention: Model View Controller (MVC)
Model-View-Controller
• A model that defines the elements of a web application and how they interact
• View – Produces output
• Model – Handles data
• Controller – Orchestration / Routing

https://en.wikipedia.org/wiki/Model-view-controller
Pattern: Processing POST Data
• Many patterns for handling POST data
• No “rules”, just “suggestions”
• Completely process incoming data (if any) - produce no output
• Produce the page output

<?php
$guess = '';
$message = false;
if ( isset($_POST['guess']) ) {
    // Trick for integer / numeric parameters
    $guess = $_POST['guess'] + 0;
    if ( $guess == 42 ) {
        $message = "Great job!";
    } else if ( $guess < 42 ) {
        $message = "Too low";
    } else {
        $message = "Too high...";
    }
}
?>
<html>
<head>
<title>A Guessing game</title>
</head>
<body style="font-family: sans-serif;">
<p>Guessing game...</p>
<?php
if ( $message !== false ) {
    echo("<p>$message</p>\n");
}
?>
<form method="post">
<p><label for="guess">Input Guess</label>
<input type="text" name="guess" id="guess" size="40"
<?php echo 'value="' . htmlentities($guess) . '"'; ?>
/></p>
<input type="submit"/>
</form>
</body>

What about frameworks?

guess_mvc.php


<?php
// Model
$oldguess = '';
$message = false;
if ( isset($_POST['guess']) ) {
    // Trick for integer / numeric parameters
    $oldguess = $_POST['guess'] + 0;
    if ( $oldguess == 42 ) {
        $message = "Great job!";
    } else if ( $oldguess < 42 ) {
        $message = "Too low";
    } else {
        $message = "Too high...";
    }
}
?>
<!-- Context -->
<html>
<head>
<title>A Guessing game</title>
</head>
<!-- Controller -->
<body style="font-family: sans-serif;">
<p>Guessing game...</p>
<!-- View -->
<?php
if ( $message !== false ) {
    echo("<p>$message</p>\n");
}
?>
<form method="post">
<p><label for="guess">Input Guess</label>
<input type="text" name="guess" id="guess" size="40"
value="<?= htmlentities($oldguess) ?>"/></p>
<input type="submit"/>
</form>
</body>
guess_mvc.php (same code, second annotation): the model section at the top of the file runs with no HTML context and no database; it only turns the incoming $_POST data into $oldguess and $message, and the HTML below consumes those two values.
guess_mvc.php
<?php
$oldguess = '';
$message = false;
if ( isset($_POST['guess']) ) {
    // Nifty trick
    $oldguess = $_POST['guess'] + 0;
    if ( $oldguess == 42 ) {
        $message = "Great job!";
    } else if ( $oldguess < 42 ) {
        $message = "Too low";
    } else {
        $message = "Too high...";
    }
}
?>
<html>
<head>
<title>A Guessing game</title>
</head>
<body style="font-family: sans-serif;">
<p>Guessing game...</p>
<?php
if ( $message !== false ) {
    echo("<p>$message</p>\n");
}
?>
<form method="post">
<p><label for="guess">Input Guess</label>
<input type="text" name="guess" id="guess" size="40"
value="<?= htmlentities($oldguess) ?>"></p>
<input type="submit"/>
</form>
</body>

Note: This code is a little sloppy in terms of its data validation.
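The same guessing game with the validation the note above calls sloppy tightened up, as an added example that is not the slides' guess_mvc.php. The model and view are plain functions so each can be read (and tested) on its own; the secret value 42 comes from the slides, while the 1..100 range, the function names and the constructed input standing in for $_POST are assumptions.

```php
<?php
// Added example (not the slides' guess_mvc.php): the guessing game with the
// model separated from the view and the "+ 0" trick replaced by validation.
// Secret 42 is from the slides; the 1..100 range and function names are assumed.

// Model: no HTML and no output. Takes the raw form data, returns state for the view.
function guess_model(array $post, int $secret = 42): array {
    if (!array_key_exists('guess', $post)) {
        return ['oldguess' => '', 'message' => false];   // first visit, nothing submitted
    }
    $raw = is_string($post['guess']) ? $post['guess'] : '';
    // "$raw + 0" makes "abc" into 0 on PHP 7 and a TypeError on PHP 8, and
    // "7x" into 7 with a warning; FILTER_VALIDATE_INT gives a clear yes/no.
    $guess = filter_var($raw, FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 1, 'max_range' => 100]]);
    if ($guess === false) {
        return ['oldguess' => $raw, 'message' => 'Please enter a whole number from 1 to 100'];
    }
    if ($guess == $secret) {
        $message = 'Great job!';
    } elseif ($guess < $secret) {
        $message = 'Too low';
    } else {
        $message = 'Too high...';
    }
    return ['oldguess' => (string)$guess, 'message' => $message];
}

// View: only escapes and prints; everything it receives came through the model.
function guess_view(array $state): string {
    $h = fn($s) => htmlentities((string)$s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $out  = "<html><head><title>A Guessing game</title></head>\n";
    $out .= "<body style=\"font-family: sans-serif;\">\n<p>Guessing game...</p>\n";
    if ($state['message'] !== false) {
        $out .= '<p>' . $h($state['message']) . "</p>\n";
    }
    $out .= "<form method=\"post\">\n<p><label for=\"guess\">Input Guess</label>\n";
    $out .= '<input type="text" name="guess" id="guess" size="40" value="'
          . $h($state['oldguess']) . "\"/></p>\n<input type=\"submit\"/>\n</form>\n</body></html>\n";
    return $out;
}

// Controller: route the request through the model, then hand the result to the view.
// A constructed array stands in for $_POST so this runs from the command line;
// the value is the Hygiene Alert input, which now fails validation and is
// redisplayed escaped instead of becoming markup.
$sample = ['guess' => '"><b>DIE DIE</b>'];
echo guess_view(guess_model($sample));
```

Because the model returns the rejected raw value as `oldguess`, the form still persists what the user typed, which is the behaviour the Persisting Form Data slide asks for, while the view is the single place that decides how that value is rendered.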
Summary
• Forms, $_GET and $_POST
• Form fields
• New form fields in HTML5
• Sanitizing HTML
• Data Validation
• Model-View-Controller
Acknowledgements / Contributions
These slides are Copyright 2010- Charles R. Severance (www.dr-chuck.com) as part of www.wa4e.com and made available under a Creative Commons Attribution 4.0 License. Please maintain this last slide in all copies of the document to comply with the attribution requirements of the license. If you make a change, feel free to add your name and organization to the list of contributors on this page as you republish the materials.

Initial Development: Charles Severance, University of Michigan School of Information

Insert new Contributors and Translators here including names and dates