Form Handling
Internet Programming II: Chapter 3
  ADDIS ABABA SCIENCE AND TECHNOLOGY UNIVERSITY
  Department of Software Engineering
           Main Source: www.w3schools.com/php
PHP Form Handling
• The PHP superglobals $_GET and $_POST are used to collect
  form-data
• Example:
  HTML (the form page):
  <html>
  <body>
  <form action="welcome.php" method="post">
  Name: <input type="text" name="name"><br>
  E-mail: <input type="text" name="email"><br>
  <input type="submit">
  </form>
  </body>
  </html>

  PHP: welcome.php
  <html>
  <body>
  Welcome <?php echo $_POST["name"]; ?><br>
  Your email address is: <?php echo $_POST["email"]; ?>
  </body>
  </html>

  Output:
  Welcome John
  Your email address is: john.doe@example.com
• Note: welcome.php echoes the submitted values into the page unescaped, so a
  name such as <script>...</script> would be executed by the browser (reflected
  XSS). The htmlspecialchars() function introduced on the validation slides
  should be applied to every such echo
4/24/2023                                                                   2
GET vs. POST
• Both GET and POST deliver the form data to PHP as an associative array (e.g.
  array( key1 => value1, key2 => value2, key3 => value3, ...))
• This array holds key/value pairs, where keys are the names of the form controls
  and values are the input data from the user
• The data is exposed through the $_GET and $_POST superglobals
• $_GET is an array of variables passed to the current script via the URL query
  string
• $_POST is an array of variables passed to the current script in the body of an
  HTTP POST request
• When to use GET?
      • Information sent from a form with the GET method is visible to everyone: all
        variable names and values appear in the URL, and therefore also in the browser
        history, in bookmarks, in Referer headers sent to other sites and in web server
        access logs
      • GET also has a practical limit on the amount of information that can be sent:
        browsers and servers commonly cap URLs at roughly 2000 characters
      • Variables are displayed in the URL, therefore it is possible to bookmark the page.
        This can be useful in some cases
      • GET may be used for sending non-sensitive data
      • Note: GET should NEVER be used for sending passwords or other sensitive
        information!
• When to use POST?
      • Information sent from a form with the POST method is not shown in the URL (all
        names/values are embedded within the body of the HTTP request), so it does not
        end up in history, bookmarks or access logs. It still travels in clear text unless
        the page is served over HTTPS
      • Has no fixed protocol limit on the amount of information to send (PHP's
        post_max_size and upload_max_filesize settings still apply)
      • Moreover POST supports advanced functionality such as multi-part binary input
        (enctype="multipart/form-data") while uploading files to the server
      • Variables are not displayed in the URL, therefore it is not possible to bookmark
        the submitted page
• Neither method authenticates anything: both $_GET and $_POST contain whatever the
  client chose to send, so every value must be validated on the server
PHP Form Validation
• Proper validation of form data is important to protect
  your form from hackers and spammers!
• Validation rules for the example form:

  Field     Validation Rules
  Name      Required. Must only contain letters and whitespace
  E-mail    Required. Must contain a valid email address (with @ and .)
  Website   Optional. If present, it must contain a valid URL
  Comment   Optional. Multi-line input field (textarea)
  Gender    Required. Must select one
PHP Form Validation cont’d
• HTML
Text Fields:
Name: <input type="text" name="name">
E-mail: <input type="text" name="email">
Website: <input type="text" name="website">
Comment: <textarea name="comment" rows="5" cols="40"></textarea>
Radio Buttons:
Gender:
<input type="radio" name="gender" value="female">Female
<input type="radio" name="gender" value="male">Male
<input type="radio" name="gender" value="other">Other
The Form Element:
<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
PHP Form Validation cont’d
• $_SERVER["PHP_SELF"] is a superglobal variable that holds the path of the
  currently executing script relative to the document root (for example
  /test_form.php). If the request carried extra path information, such as
  /test_form.php/extra, that suffix is part of PHP_SELF as well
• So, using $_SERVER["PHP_SELF"] as the form action sends the submitted form
  data back to the page itself
• This way, the user will get error messages on the same page
  as the form
• htmlspecialchars() function converts special characters to
  HTML entities
• This means that it will replace HTML characters like < and >
  with &lt; and &gt; (and " with &quot;)
• This prevents attackers from exploiting the code by injecting
  HTML or Javascript code (Cross-site Scripting attacks) in
  forms
PHP Form Validation cont’d
• PHP Form Security: the $_SERVER["PHP_SELF"]
  variable can be used by hackers!
• If PHP_SELF is echoed into your page unescaped, then a user can append a
  slash (/) and some Cross Site Scripting (XSS) payload to the URL; the suffix
  becomes part of PHP_SELF and is written into the page
      • Cross-site scripting (XSS) is a type of computer security
        vulnerability typically found in Web applications
      • XSS enables attackers to inject client-side script into Web
        pages viewed by other users
• Assume we have the following form in a page named
  "test_form.php":
      <form method="post" action="<?php echo $_SERVER["PHP_SELF"];?>">
• If the user enters the normal URL "http://www.example.com/test_form.php",
  the rendered form is:
      <form method="post" action="test_form.php">
• But an attacker may enter:
      "http://www.example.com/test_form.php/%22%3E%3Cscript%3Ealert('hacked')%3C/script%3E"
  (%22 is ", %3E is > and %3C is <)
• The rendered form then becomes:
      <form method="post" action="test_form.php/"><script>alert('hacked')</script>
  The quote and > close the action attribute and the form tag early, and the
  script element that follows is executed by the victim's browser
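The attack above and its fix, as an added example that is not part of the original slides or of w3schools' code. It renders the action attribute three ways for the same attacker-controlled PHP_SELF value: unescaped, encoded with htmlspecialchars(), and without echoing request data at all. The function names, the leading slash in the constructed PHP_SELF values and the empty-action variant are assumptions.

```php
<?php
// Added example, not from the original slides. Shows how the action attribute
// is rendered for a request to test_form.php when the URL carries extra path
// info. $_SERVER["PHP_SELF"] is the script path plus any PATH_INFO, so the
// attacker's suffix ends up in the attribute. Function names are assumptions.
declare(strict_types=1);

// Vulnerable: request-controlled string written straight into an attribute
function actionUnsafe(string $phpSelf): string
{
    return '<form method="post" action="' . $phpSelf . '">';
}

// Fixed: encode for the attribute context. ENT_QUOTES also escapes single
// quotes (not done by default before PHP 8.1); ENT_SUBSTITUTE replaces
// invalid UTF-8 instead of returning an empty string.
function actionSafe(string $phpSelf): string
{
    $encoded = htmlspecialchars($phpSelf, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post" action="' . $encoded . '">';
}

// Simplest: do not echo request data into the action at all. An empty action
// submits to the current URL, which is what PHP_SELF was used for here.
function actionFixed(): string
{
    return '<form method="post" action="">';
}

// Constructed values as PHP would see them in $_SERVER["PHP_SELF"] (the %22,
// %3E and %3C of the slide's URL are already decoded at this point).
$normal = '/test_form.php';
$attack = '/test_form.php/"><script>alert(\'hacked\')</script>';

echo actionUnsafe($normal), "\n";
echo actionUnsafe($attack), "\n";   // attribute closed early, script tag reaches the browser
echo actionSafe($attack), "\n";     // one attribute value, no markup reaches the browser
echo actionFixed(), "\n";
```

Run it with `php` on the command line. For the attack value, actionUnsafe() prints the broken form tag shown on the slide, while actionSafe() keeps the whole payload inside the attribute as `&quot;&gt;&lt;script&gt;alert(&#039;hacked&#039;)&lt;/script&gt;`, so the browser sees a strange action URL and nothing else. actionFixed() removes the problem rather than encoding it, which is the option to prefer when the page only needs to post to itself.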
PHP Form Validation cont’d
• $_SERVER["PHP_SELF"] exploits can be avoided by using the
  htmlspecialchars() function
• The form code should look like this:
      <form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
• Now if the user tries to exploit the PHP_SELF variable, it will
  result in the following output, which stays inside the attribute value and
  is harmless:
      <form method="post" action="test_form.php/&quot;&gt;&lt;script&gt;alert('hacked')&lt;/script&gt;">
• Caveat: before PHP 8.1 htmlspecialchars() did not encode single quotes by
  default, so pass ENT_QUOTES explicitly if an attribute may be single-quoted.
  The safest option is not to echo request data into the action at all
  (action="" or a fixed path)
• The first thing we do to validate form data with PHP is:
      • Pass all variables through PHP's htmlspecialchars() function
      • Strip unnecessary characters (extra space, tab, newline) from the
        user input data (with the PHP trim() function)
      • Remove backslashes (\) from the user input data (with the PHP
        stripslashes() function)
      • Note: stripslashes() dates from the magic_quotes era (removed in PHP
        5.4) and also deletes legitimate backslashes the user typed, and
        htmlspecialchars() is output encoding for HTML, so applying it at input
        time stores entities such as &#039; instead of the user's ' in your data.
        The cleaner design is to validate on input and encode on output, in the
        context (HTML text, HTML attribute, SQL, etc.) where the value is used
• The next step is to create a function that will do all the
  checking for us
      • which is much more convenient than writing the same code over
        and over again
PHP Form Validation example
• $_SERVER['REQUEST_METHOD'] holds the request method (for example GET, POST,
  PUT, etc.) that was used to access the page; the check below makes sure the
  form is processed only on a POST submission, not on the initial GET
<?php
// define variables and set to empty values
$name = $email = $gender = $comment = $website = "";

if ($_SERVER["REQUEST_METHOD"] == "POST") {
  // "?? """ avoids an undefined-index warning (and a null passed to trim())
  // when a field is missing from the request
  $name = test_input($_POST["name"] ?? "");
  $email = test_input($_POST["email"] ?? "");
  $website = test_input($_POST["website"] ?? "");
  $comment = test_input($_POST["comment"] ?? "");
  $gender = test_input($_POST["gender"] ?? "");
}

// trim whitespace, remove backslashes and HTML-encode the value
function test_input($data) {
  $data = trim($data);
  $data = stripslashes($data);
  $data = htmlspecialchars($data);
  return $data;
}
?>
PHP Form Validation example
<?php
// define variables and set to empty values
$nameErr = $emailErr = $genderErr = $websiteErr = "";
$name = $email = $gender = $comment = $website = "";

// test_input() is the function defined on the previous slide
if ($_SERVER["REQUEST_METHOD"] == "POST") {
  if (empty($_POST["name"])) {
    $nameErr = "Name is required";
  } else {
    $name = test_input($_POST["name"]);
  }
  if (empty($_POST["email"])) {
    $emailErr = "Email is required";
  } else {
    $email = test_input($_POST["email"]);
  }
  if (empty($_POST["website"])) {
    $website = "";
  } else {
    $website = test_input($_POST["website"]);
  }
  if (empty($_POST["comment"])) {
    $comment = "";
  } else {
    $comment = test_input($_POST["comment"]);
  }
  if (empty($_POST["gender"])) {
    $genderErr = "Gender is required";
  } else {
    $gender = test_input($_POST["gender"]);
  }
}
?>
PHP Form Validation example
<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
Name: <input type="text" name="name">
<span class="error">* <?php echo $nameErr;?></span>
<br><br>
E-mail: <input type="text" name="email">
<span class="error">* <?php echo $emailErr;?></span>
<br><br>
Website: <input type="text" name="website">
<span class="error"><?php echo $websiteErr;?></span>
<br><br>
Comment: <textarea name="comment" rows="5" cols="40"></textarea>
<br><br>
Gender:
<input type="radio" name="gender" value="female">Female
<input type="radio" name="gender" value="male">Male
<input type="radio" name="gender" value="other">Other
<span class="error">* <?php echo $genderErr;?></span>
<br><br>
<input type="submit" name="submit" value="Submit">
</form>
<?php
// define variables and set to empty values
$nameErr = $emailErr = $genderErr = $websiteErr = "";
$name = $email = $gender = $comment = $website = "";

// test_input() is the function defined on slide 9
if ($_SERVER["REQUEST_METHOD"] == "POST") {
  if (empty($_POST["name"])) {
    $nameErr = "Name is required";
  } else {
    $name = test_input($_POST["name"]);
    // check if name only contains letters, apostrophes, hyphens and whitespace
    // (note: since PHP 8.1 htmlspecialchars() in test_input() turns ' into
    // &#039; before this check runs, so a name such as O'Neil is rejected;
    // validate the raw value and encode on output to avoid this)
    if (!preg_match("/^[a-zA-Z-' ]*$/", $name)) {
      $nameErr = "Only letters and white space allowed";
    }
  }
  if (empty($_POST["email"])) {
    $emailErr = "Email is required";
  } else {
    $email = test_input($_POST["email"]);
    // check if e-mail address is well-formed
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
      $emailErr = "Invalid email format";
    }
  }
  if (empty($_POST["website"])) {
    $website = "";
  } else {
    $website = test_input($_POST["website"]);
    // check if URL address syntax is valid (this regular expression also allows dashes in the URL)
    if (!preg_match("/\b(?:(?:https?|ftp):\/\/|www\.)[-a-z0-9+&@#\/%?=~_|!:,.;]*[-a-z0-9+&@#\/%=~_|]/i", $website)) {
      $websiteErr = "Invalid URL";
    }
  }
  if (empty($_POST["comment"])) {
    $comment = "";
  } else {
    $comment = test_input($_POST["comment"]);
  }
  // only "not empty" is checked here: any value, not just female/male/other,
  // is accepted, so compare against the allowed values in real code
  if (empty($_POST["gender"])) {
    $genderErr = "Gender is required";
  } else {
    $gender = test_input($_POST["gender"]);
  }
}
?>
Keep The Values in The Form After Submit
• The values are echoed back into attributes and into the textarea; this is
  only safe because test_input() already passed them through htmlspecialchars().
  Echo a raw $_POST value here and the same XSS shown for PHP_SELF applies
Name: <input type="text" name="name" value="<?php echo $name;?>">
E-mail: <input type="text" name="email" value="<?php echo $email;?>">
Website: <input type="text" name="website" value="<?php echo $website;?>">
Comment: <textarea name="comment" rows="5" cols="40"><?php echo $comment;?></textarea>
Gender:
<input type="radio" name="gender"
<?php if (isset($gender) && $gender=="female") echo "checked";?>
value="female">Female
<input type="radio" name="gender"
<?php if (isset($gender) && $gender=="male") echo "checked";?>
value="male">Male
<input type="radio" name="gender"
<?php if (isset($gender) && $gender=="other") echo "checked";?>
value="other">Other
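As an added example that is not part of the slides (and not w3schools' code), here is the same form with validation separated from output encoding. It covers both the validation rules of the previous slides and the value re-population of this slide: fields are validated raw against the rules of slide 4 (with the gender value checked against an allow-list and the website restricted to http/https), the raw values are echoed back so the user can correct them, and every echo is encoded once, at render time. The function names field(), validateForm(), renderForm() and e(), the GENDERS constant and the constructed $post array are assumptions.

```php
<?php
// Added example, not from the original slides: validate on input, encode on
// output. All function names and the sample submission are assumptions.
declare(strict_types=1);

const GENDERS = ['female', 'male', 'other'];   // allow-list for the radio group

// HTML-encode for text and double-quoted attribute contexts (' becomes &#039;)
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Fetch one field as a trimmed string; missing keys and arrays (name[]=...) become ''
function field(array $post, string $key): string
{
    $val = $post[$key] ?? '';
    return is_string($val) ? trim($val) : '';
}

// Validate a submission. Returns [raw values to echo back, error messages];
// the submission is acceptable only when the error array is empty.
function validateForm(array $post): array
{
    $v = [];
    $err = [];
    foreach (['name', 'email', 'website', 'comment', 'gender'] as $k) {
        $v[$k] = field($post, $k);
    }

    if ($v['name'] === '') {
        $err['name'] = 'Name is required';
    } elseif (!preg_match("/^[A-Za-z' -]+\\z/", $v['name'])) {   // \z: no trailing newline slips past
        $err['name'] = 'Only letters and white space allowed';
    }

    if ($v['email'] === '') {
        $err['email'] = 'Email is required';
    } elseif (filter_var($v['email'], FILTER_VALIDATE_EMAIL) === false) {
        $err['email'] = 'Invalid email format';
    }

    if ($v['website'] !== '') {
        // Require an http(s) scheme so javascript: or data: URLs are rejected
        $scheme = strtolower((string) parse_url($v['website'], PHP_URL_SCHEME));
        if (filter_var($v['website'], FILTER_VALIDATE_URL) === false
            || !in_array($scheme, ['http', 'https'], true)) {
            $err['website'] = 'Invalid URL';
        }
    }

    // comment: free text, kept as typed; it is encoded on output, not here

    if (!in_array($v['gender'], GENDERS, true)) {   // reject anything outside the radio values
        $err['gender'] = 'Gender is required';
    }

    return [$v, $err];
}

// Render the form, re-populating fields from the submitted values
function renderForm(array $v, array $err): string
{
    $h  = '<form method="post" action="">' . "\n";   // empty action = post to this page, no PHP_SELF
    $h .= 'Name: <input type="text" name="name" value="' . e($v['name']) . '">';
    $h .= ' <span class="error">' . e($err['name'] ?? '') . "</span><br>\n";
    $h .= 'E-mail: <input type="text" name="email" value="' . e($v['email']) . '">';
    $h .= ' <span class="error">' . e($err['email'] ?? '') . "</span><br>\n";
    $h .= 'Website: <input type="text" name="website" value="' . e($v['website']) . '">';
    $h .= ' <span class="error">' . e($err['website'] ?? '') . "</span><br>\n";
    $h .= 'Comment: <textarea name="comment" rows="5" cols="40">' . e($v['comment']) . "</textarea><br>\n";
    $h .= "Gender:\n";
    foreach (GENDERS as $g) {
        $checked = $v['gender'] === $g ? ' checked' : '';   // only allow-listed values can be selected
        $h .= '<input type="radio" name="gender" value="' . e($g) . '"' . $checked . '>' . e(ucfirst($g)) . "\n";
    }
    $h .= '<span class="error">' . e($err['gender'] ?? '') . "</span><br>\n";
    $h .= '<input type="submit" name="submit" value="Submit">' . "\n</form>\n";
    return $h;
}

// Constructed hostile submission; in production this would be $_POST
$post = [
    'name'    => "Ann\"><script>alert(1)</script>",
    'email'   => 'ann@example.com',
    'website' => 'javascript:alert(1)',
    'comment' => "O'Neil says <b>hi</b>",
    'gender'  => 'admin',
];
[$values, $errors] = validateForm($post);
echo renderForm($values, $errors);
```

With the constructed submission, validateForm() reports errors for name, website and gender and accepts the email and comment. Because encoding happens in renderForm() rather than in a test_input()-style sanitizer, the comment is stored exactly as typed (with its apostrophe) and still reaches the browser as harmless text, the injected name is echoed back inside its attribute as &quot;&gt;&lt;script&gt;..., and no radio button is checked for the invalid gender value.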