Form Processing in PHP

Dr. Charles Severance


www.wa4e.com

http://www.wa4e.com/code/forms
http://www.wa4e.com/code/forms.zip
PHP Global Variables
• Part of the goal of PHP is to make interacting with HTTP and
HTML as easy as possible.
• PHP processes the incoming HTTP request based on the
protocol specifications and drops the data into various super
global variables (usually arrays).
(Review from Arrays)

http://www.wa4e.com/code/arrays/get-01.php
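[Diagram: request/response cycle over time. The Browser (DOM, JavaScript) requests get-01.php?x=2 over HTTP from the Web Server (Apache, static files, PHP), where PHP parses the request into $_GET and runs the php code to build the response; the Web Server reaches the Database Server (MySql) through SQL.]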
Forms – User Input / Action
<p>Guessing game...</p>
<form>
<p><label for="guess">Input Guess</label>
<input type="text" name="guess" id="guess"/></p>
<input type="submit"/>
</form>

http://www.wa4e.com/code/forms/form1.php
form1.php

Forms Submit Data


<p>Guessing game...</p>
<form>
<p><label for="guess">Input Guess</label>
<input type="text" name="guess" id="guess"/></p>
<input type="submit"/>
</form>
form2.php
<p>Guessing game...</p>
<form>
<p><label for="guess">Input Guess</label>
<input type="text" name="guess" id="guess"/></p>
<input type="submit"/>
</form>
<pre>
$_GET:
<?php
print_r($_GET);
?>
</pre>
GET and POST with Forms
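[Diagram: request/response cycle over time for form1.php. The Browser (DOM, JavaScript) talks HTTP to the Web Server (Apache, static files, PHP), where PHP parses the request into $_POST and runs the php code to build the response; the Web Server reaches the Database Server (MySql) through SQL.]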
form3.php
<p>Guessing game...</p>
<form method="post">
<p><label for="guess">Input Guess</label>
<input type="text" name="guess" size="40" id="guess"/></p>
<input type="submit"/>
</form>
<pre>
$_POST:
<?php
print_r($_POST);
?>
$_GET:
<?php
print_r($_GET);
?>
</pre>
Forms GET vs. POST

Two ways the browser can send parameters to the web server
• GET - Parameters are placed on the URL which is retrieved.
• POST - The URL is retrieved and parameters are appended to the
request in the HTTP connection.
Passing Parameters to The Server
HTTP request from the Browser to the Web Server, as GET:

GET /form1.php?guess=42
Accept: text/html
User-Agent: Lynx/2.4 libwww/2.14

and as POST:

POST /form3.php
Accept: text/html
User-Agent: Lynx/2.4 libwww/2.14
Content-type: application/x-www-form-urlencoded
Content-length: 13

guess=42

<input type="text" name="guess" id="yourid" />


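[Diagram: request/response cycle over time for form3.php. The Browser (DOM, JavaScript) talks HTTP to the Web Server (Apache, static files, PHP), where PHP parses the request into $_POST and runs the php code to build the response; the Web Server reaches the Database Server (MySql) through SQL.]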
Rules of the POST/GET Choice
• POST is used when data is being created or modified.

• GET is used when you are reading or searching things.

• Web search spiders will follow GET URLs but generally not POST
URLs.

• GET URLs should be “idempotent” - the same URL should give the
“same thing” each time you access it.

• GET has an upper limit of the number of bytes of parameters and
values (think about 2K).
Form Input Types
Other Input Types
• Text
• Password
• Radio Button
• Check Box
• Select / Drop-Down
• Textarea

http://www.wa4e.com/code/forms/more.php
more.php
<p>Many field types...</p>
<form method="post" action="more.php">
<p><label for="inp01">Account:</label>
<input type="text" name="account" id="inp01" size="40" ></p>
<p><label for="inp02">Password:</label>
<input type="password" name="pw" id="inp02" size="40" ></p>
<p><label for="inp03">Nick Name:</label>
<input type="text" name="nick" id="inp03" size="40" ></p>

$_POST:
Array
(
[account] => Beth
[pw] => 12345
[nick] => BK
[when] => pm
...
)
more.php
<p>Preferred Time:<br/>
<input type="radio" name="when" value="am">AM<br>
<input type="radio" name="when" value="pm" checked>PM</p>

$_POST:
Array(
...
[nick] => BK
[when] => pm
[class] => si502
...
)
<p>Classes taken:<br/>
<input type="checkbox" name="class1" value="si502" checked>
SI502 - Networked Tech<br>
<input type="checkbox" name="class2" value="si539">
SI539 - App Engine<br>
<input type="checkbox" name="class3">
SI543 - Java<br> </p>

$_POST:
Array(
...
[when] => pm
[class1] => si502
[soda] => 0
...
)

$_POST:
Array(
...
[when] => pm
[class3] => on
[soda] => 0
...
)
more.php
<p><label for="inp06">Which soda:
<select name="soda" id="inp06">
<option value="0">-- Please Select --</option>
<option value="1">Coke</option>
<option value="2">Pepsi</option>
<option value="3">Mountain Dew</option>
<option value="4">Orange Juice</option>
<option value="5">Lemonade</option>
</select>
</p>

$_POST:
Array(
...
[class] => si502
[soda] => 0
[snack] => peanuts
...
)
The values can be any string, but numbers are used quite often.
more.php
<p><label for="inp07">Which snack:
<select name="snack" id="inp07">
<option value="">-- Please Select --</option>
<option value="chips">Chips</option>
<option value="peanuts" selected>Peanuts</option>
<option value="cookie">Cookie</option>
</select>
</p>

$_POST:
Array(
...
[class] => si502
[soda] => 0
[snack] => peanuts
...
)
more.php
<p><label for="inp08">Tell us about yourself:<br/>
<textarea rows="10" cols="40" id="inp08" name="about">
I love building web sites in PHP and MySQL.
</textarea>
</p>

$_POST:
Array(
...
[about] => I love building web sites
in PHP and MySQL.
[dopost] => Submit
...
)
more.php
<p><label for="inp09">Which are awesome?<br/>
<select multiple="multiple" name="code[]" id="inp09">
<option value="python">Python</option>
<option value="css">CSS</option>
<option value="html">HTML</option>
<option value="php">PHP</option>
</select>

$_POST:
Array(
...
[code] => Array
(
[0] => css
[1] => html
)
[dopost] => Submit
...
)
more.php
<p>
<input type="submit" name="dopost" value="Submit"/>
<input type="button"
onclick="location.href='http://www.wa4e.com/'; return false;"
value="Escape">
</p>

$_POST:
Array(
...
[dopost] => Submit
...
)

On submit input types, the text is both in the UI and in $_POST so we tend to look for the key, not the value.
HTML5 Input Types
• HTML5 defines new input types
• Not all browsers support all input types
• They fall back to type="text"
• http://www.w3schools.com/html/html5_form_input_types.asp
Select your favorite color:
<input type="color" name="favcolor" value="#0000ff"><br/>
Birthday:
<input type="date" name="bday" value="2013-09-02"><br/>
E-mail:
<input type="email" name="email"><br/>
Quantity (between 1 and 5):
<input type="number" name="quantity"
min="1" max="5"><br/>
Add your homepage:
<input type="url" name="homepage"><br>
Transportation:
<input type="flying" name="saucer"><br>

Validation happens when you press submit.

http://www.wa4e.com/code/forms/html5.php
Data Security / Integrity / Validation
Persisting Form Data
• When we submit forms and there is an
error, we just expect that the data will
remain in the form when the page is
redisplayed.
• The application needs to make sure to
put the previous values back into the
form.
“Persisting” Form Data Across Requests
<?php
  $oldguess = isset($_POST['guess']) ? $_POST['guess'] : '';
?>
<p>Guessing game...</p>
<form method="post">
  <p><label for="guess">Input Guess</label>
  <input type="text" name="guess" id="guess"
    size="40" value="<?= $oldguess ?>"/></p>
  <input type="submit"/>
</form>
form4.php
<?= $oldguess ?>


<?php echo($oldguess); ?>
Review: Ternary Operation
Hygiene Alert!
What happens when we use an HTML character in a form field value?
form4.php
<form method="post">
<p><label for="guess">Input Guess</label>
<input type="text" name="guess" id="guess"
size="40" value=""><b>DIE DIE</b>" /></p>
<input type="submit"/>
</form>
To The Rescue: htmlentities()
<form method="post">
<p><label for="guess">Input Guess</label>
<input type="text" name="guess" id="guess"
size="40" value="<?= htmlentities($oldguess) ?>"/></p>
<input type="submit"/>
</form>

form5.php
<form method="post">
<p><label for="guess">Input Guess</label>
<input type="text" name="guess" id="guess"
size="40" value="<?= htmlentities($oldguess) ?>"/></p>
<input type="submit"/>
</form>

<input type="text" name="guess" id="guess"
value="&quot;&gt;&lt;b&gt;DIE DIE&lt;/b&gt;" /></p>
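An added example (not from the original slides) that runs the slide's input through htmlentities() and also covers a single-quoted attribute. Before PHP 8.1 the default flags (ENT_COMPAT) leave ' unescaped, so passing ENT_QUOTES and the charset explicitly gives the same output on every PHP version. The helper name h() and the second sample value are assumptions.

```php
<?php
// Added example: escape a value for use inside an HTML attribute or text node.
// h() is a hypothetical helper name, not part of the course code.
function h($value) {
    // ENT_QUOTES escapes both " and '; ENT_SUBSTITUTE replaces invalid
    // byte sequences instead of returning an empty string.
    return htmlentities((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed inputs: the slide's value, plus an ordinary name with an apostrophe.
$samples = array(
    '"><b>DIE DIE</b>',
    "O'Brien's guess",
);

foreach ($samples as $raw) {
    echo "raw:        ", $raw, "\n";
    // ENT_COMPAT was the default before PHP 8.1: " is escaped, ' is not.
    echo "ENT_COMPAT: ", htmlentities($raw, ENT_COMPAT, 'UTF-8'), "\n";
    echo "ENT_QUOTES: ", h($raw), "\n";
    // In a single-quoted attribute the ENT_COMPAT form would end the value
    // at the first apostrophe; the ENT_QUOTES form stays inside it.
    echo "attribute:  <input type='text' name='guess' value='", h($raw), "'/>\n\n";
}
```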
In-Server Data Validation
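[Diagram: request/response cycle over time for form3.php. The Browser (DOM, JavaScript) talks HTTP to the Web Server (Apache, static files, PHP), where PHP parses the request into $_POST and runs the php code to build the response; the Web Server reaches the Database Server (MySql) through SQL.]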
Incoming Data Validation
Making sure all user data is present and in the correct format before
proceeding
• Non-empty: strlen($var) > 0
• A number: is_numeric($var)
• An email address: strpos($var, '@') > 0
• Or: filter_var($var, FILTER_VALIDATE_EMAIL) !== false
• ....
http://www.wa4e.com/code/forms/guess.php?guess=7
http://www.wa4e.com/code/forms/guess.php?guess=200
Convention: Model View Controller (MVC)
Model-View-Controller
• A model that defines the elements of a
web application and how they interact
• View – Produces output
• Model – Handles data
• Controller – Orchestration / Routing

https://en.wikipedia.org/wiki/Model-view-controller
Pattern: Processing POST Data
• Many patterns for handling POST data
• No “rules”, just “suggestions”
• What about frameworks?

Completely process incoming data (if any) - produce no output

<?php
  $guess = '';
  $message = false;
  if ( isset($_POST['guess']) ) {
    // Trick for integer / numeric parameters
    $guess = $_POST['guess'] + 0;
    if ( $guess == 42 ) {
      $message = "Great job!";
    } else if ( $guess < 42 ) {
      $message = "Too low";
    } else {
      $message = "Too high...";
    }
  }
?>

Produce the page output

<html>
<head>
  <title>A Guessing game</title>
</head>
<body style="font-family: sans-serif;">
<p>Guessing game...</p>
<?php
  if ( $message !== false ) {
    echo("<p>$message</p>\n");
  }
?>
<form method="post">
  <p><label for="guess">Input Guess</label>
  <input type="text" name="guess" id="guess" size="40"
  <?php echo 'value="' . htmlentities($guess) . '"';
  ?>
  /></p>
  <input type="submit"/>
</form>
</body>

guess_mvc.php


Model (No HTML)

<?php
  $oldguess = '';
  $message = false;
  if ( isset($_POST['guess']) ) {
    // Trick for integer / numeric parameters
    $oldguess = $_POST['guess'] + 0;
    if ( $oldguess == 42 ) {
      $message = "Great job!";
    } else if ( $oldguess < 42 ) {
      $message = "Too low";
    } else {
      $message = "Too high...";
    }
  }
?>

Context
Controller

View (No Database)

<html>
<head>
  <title>A Guessing game</title>
</head>
<body style="font-family: sans-serif;">
<p>Guessing game...</p>
<?php
  if ( $message !== false ) {
    echo("<p>$message</p>\n");
  }
?>
<form method="post">
  <p><label for="guess">Input Guess</label>
  <input type="text" name="guess" id="guess" size="40"
    value="<?= htmlentities($oldguess) ?>"/></p>
  <input type="submit"/>
</form>
</body>

guess_mvc.php
[Two slides showing guess_mvc.php side by side with its two halves: the PHP block that processes the POST data, and the HTML that produces the page.]
<?php
$oldguess = '';
$message = false;
if ( isset($_POST['guess']) ) {
// Nifty trick
$oldguess = $_POST['guess'] + 0;
if ( $oldguess == 42 ) {
$message = "Great job!";
} else if ( $oldguess < 42 ) {
$message = "Too low";
} else {
$message = "Too high...";
}
}
?>
<html> ...

Note: This code is a little sloppy in terms of its data validation.
guess_mvc.php
<html>
<head>
<title>A Guessing game</title>
</head>
<body style="font-family: sans-serif;">
<p>Guessing game...</p>
<?php
if ( $message !== false ) {
echo("<p>$message</p>\n");
}
?>
<form method="post">
<p><label for="guess">Input Guess</label>
<input type="text" name="guess" id="guess" size="40"
value="<?= htmlentities($oldguess) ?>"></p>
<input type="submit"/>
</form>
</body>
guess_mvc.php
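One way to tighten the validation that the note above calls sloppy, using the checks from the Incoming Data Validation slide (added example, not part of guess_mvc.php; validate_guess(), check_guess() and the 1 to 100 range are assumptions). On PHP 8 the `+ 0` trick throws a TypeError for a non-numeric string such as "abc", and an array value fails on every version, so the checks run before any arithmetic.

```php
<?php
// Added example: validate the guess before using it, instead of relying on `+ 0`.
// validate_guess() and the 1..100 range are assumptions, not part of guess_mvc.php.
function validate_guess($raw, $min = 1, $max = 100) {
    // A field submitted as guess[]=... arrives as an array, not a string.
    if (!is_string($raw)) {
        return array(null, 'Guess must be a single value');
    }
    $raw = trim($raw);
    if (strlen($raw) < 1) {
        return array(null, 'Guess is required');
    }
    if (!is_numeric($raw)) {
        return array(null, 'Guess must be a number');
    }
    // FILTER_VALIDATE_INT rejects "4.2" and "1e3", which is_numeric() accepts,
    // and enforces the range in the same call.
    $value = filter_var($raw, FILTER_VALIDATE_INT,
        array('options' => array('min_range' => $min, 'max_range' => $max)));
    if ($value === false) {
        return array(null, "Guess must be a whole number from $min to $max");
    }
    return array($value, false);
}

// Returns the message to display, or false when there is no POST data.
function check_guess($post) {
    if (!isset($post['guess'])) {
        return false;
    }
    list($guess, $error) = validate_guess($post['guess']);
    if ($error !== false) {
        return $error;
    }
    if ($guess == 42) return 'Great job!';
    return $guess < 42 ? 'Too low' : 'Too high...';
}

// Constructed inputs standing in for $_POST.
$samples = array(
    array('guess' => '42'), array('guess' => '7'), array('guess' => '200'),
    array('guess' => ''), array('guess' => 'abc'), array('guess' => '4.2'),
    array('guess' => array('1')), array(),
);
foreach ($samples as $post) {
    echo json_encode($post), ' => ', var_export(check_guess($post), true), "\n";
}
```

The returned message is still passed through htmlentities() when it is echoed into the page.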
Summary
• Forms, $_GET and $_POST
• Form fields
• New form fields in HTML5
• Sanitizing HTML
• Data Validation
• Model-View-Controller
Acknowledgements / Contributions
These slides are Copyright 2010- Charles R. Severance (www.dr-chuck.com) as part of www.wa4e.com and made available under a
Creative Commons Attribution 4.0 License. Please maintain this
last slide in all copies of the document to comply with the
attribution requirements of the license. If you make a change, feel
free to add your name and organization to the list of contributors on
this page as you republish the materials.

Initial Development: Charles Severance, University of Michigan School of Information

Insert new Contributors and Translators here including names and dates

Continue new Contributors and Translators here
