HTML forms allow the user to fill in data, which is then sent
to the server. Code on the server receives this data and
does something, hopefully useful, with it.
This topic is discussed in Chapter 11 of your text.
- HTML Forms.
- Enclosed in a <form>, </form> pair.
- Contains input (and some other) tags which are displayed as
input items on the screen.
- The form tag has an action attribute which is a URL
to which the data is sent.
- It also specifies a transmission method.
- The GET method.
- This is the way normal pages are requested.
- Data from the page is added as a query string to the end of the URL.
- Should be used when the script only reads information from the server,
so re-loading or repeating the request does no harm.
- The request can therefore be book-marked.
- This is the default.
- The POST method.
- The data is sent in the body of the HTTP request, so it
does not appear in the URL (nor in browser history or server logs).
- Should be used when the script stores or changes information on the server.
- Cannot generally be book-marked.
- The action URL can be implemented many ways. We will be using PHP.
- Forms may be
- Static HTML running a separate action script.
- Generated by one action script and processed by another.
- Generated by a script which also processes the submitted form.
- Collecting values.
- Data from forms appears as key-value pairs.
- They appear to PHP in arrays
- $_GET for data from get requests.
- $_POST for data from post requests.
- $_REQUEST for data from either.
- Use isset() to see if a value has been set by the form; a field the
user left empty or unchecked may be missing from the array entirely.
- Input tags
- Most data-collecting tags are input tags, with various
- Common attributes.
- type tells what sort of entry is drawn.
- name identifies the data when sent to the server.
- value gives a default, or sometimes only, value to
- Non-closed tag.
- Various types of input tag.
[ Basic Form Source ]
- type="text": a fill-in box. size= estimates the character
- type="checkbox": submits the value (or "on" if no value attribute is
given) if checked. Nothing at all is sent if it is not checked.
- type="radio": radio buttons. Create several with the same
name, and only allow user to check one.
- type="hidden": Nothing is displayed, but the name and value
are sent when the form is submitted. (The user can still see and
change it in the page source, so it is not secret.)
- type="submit": Submits the form. Button displays the
[ Guessing Game Source ]
- textarea tag. Multi-line text box.
- Allows input of multi-line text.
- name attribute as input.
- cols and rows attributes give size.
- Closed tag. Its contents are the initial value.
- select tag. Creates a drop-down. Each choice is an option tag inside it;
the value attribute is what gets sent, the contents is what the user sees:
<option value="ormaybethis">and let user see this</option>
- Use label tag to enclose a button and its label, which makes
the label clickable as well.
- autofocus="autofocus" attribute. Puts the cursor in the box when the page
loads, with no click needed. Ignored by many mobile devices.
- placeholder="value" attribute. Displays something until you
- required="required" attribute. Browser will not submit unless
you enter something. This is a convenience for the user only; the
server script must still check, since the request need not come from
a browser at all.
[ Basic Form Slightly Improved Source ]
[ More Secure Guessing Game Source ]
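The following is an added example, not one of the course's source files: a single script that both generates a form and processes it (the third layout above), using each of the input types and attributes just listed and reading the result out of $_POST with isset() and the null-coalescing operator. The file name form.php and the field names are assumed.

```php
<?php
// form.php: generated and processed by the same script. Added example.
// Assumes the script is served as form.php; field names are made up here.
declare(strict_types=1);

// Escape anything that goes back into the page, always.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Read one field from $_POST (not $_REQUEST, so a query string on the URL
// cannot masquerade as form input). A missing field yields ''. A field
// submitted as an array (name[]=x) is rejected rather than cast.
function field(string $name): string {
    $v = $_POST[$name] ?? '';
    return is_string($v) ? $v : '';
}

$submitted = ($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST';  // form uses method="post"
$errors = [];
$data = [];

if ($submitted) {
    $data['name']   = trim(field('name'));
    $data['color']  = field('color');
    $data['notify'] = isset($_POST['notify']);   // checkbox: key is absent when unchecked
    $data['notes']  = field('notes');
    $data['page']   = field('page');             // hidden field; user-editable, so check it

    // Server-side checks. "required" and the radio buttons only constrain
    // what a cooperating browser sends, not what arrives.
    if ($data['name'] === '' || strlen($data['name']) > 40) {
        $errors[] = 'Name is required (at most 40 characters).';
    }
    if (!in_array($data['color'], ['red', 'green', 'blue'], true)) {
        $errors[] = 'Pick one of the listed colors.';
    }
    if ($data['page'] !== 'form.php') {
        $errors[] = 'Unexpected form origin.';
    }
}
?>
<!DOCTYPE html>
<html>
<head><title>Form demo</title></head>
<body>
<?php if ($submitted && !$errors): ?>
  <h1>Thanks, <?= h($data['name']) ?></h1>
  <p>Color: <?= h($data['color']) ?>;
     notify: <?= $data['notify'] ? 'yes' : 'no' ?></p>
  <pre><?= h($data['notes']) ?></pre>
<?php else: ?>
  <?php foreach ($errors as $e): ?><p class="error"><?= h($e) ?></p><?php endforeach; ?>
  <form action="form.php" method="post">
    <label>Name:
      <input type="text" name="name" size="30" required="required"
             placeholder="Your name" autofocus="autofocus"
             value="<?= h($data['name'] ?? '') ?>"></label><br>

    <label><input type="radio" name="color" value="red"> Red</label>
    <label><input type="radio" name="color" value="green"> Green</label>
    <label><input type="radio" name="color" value="blue"> Blue</label><br>

    <label><input type="checkbox" name="notify" value="1"> Send me mail</label><br>

    <label>Notes:<br><textarea name="notes" rows="4" cols="40"></textarea></label><br>

    <input type="hidden" name="page" value="form.php">
    <input type="submit" value="Send">
  </form>
<?php endif; ?>
</body>
</html>
```

Because the form posts back to itself, a failed validation simply redraws the form with the error messages and the name already filled in. Note that the checkbox is tested with isset() rather than read with field(): an unchecked box sends no key at all, which is exactly the case the notes warn about.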
- Simple key-value database.
- PHP supports a very simple database system of keys and values
(the dba functions: dba_open, dba_fetch, dba_replace, and so on).
- Not an SQL system.
- Quite sufficient for many things.
- On Sandbox, use "db4" as the handler name when opening the database.
[ Counting Form Source ]
- Survey Example
- [ Survey Form Generator Source ]
- [ Survey Result Display Source ]
- [ Survey Definition ]
- The survey processor uses a simple key/data file to keep the results.
- The include file describes the actual contents of the survey, so the
scripts can easily support any number of surveys.
- The survey processor is not too careful about vetting the data that
comes from the form. We'll discuss why that may be a problem.
- New PHP here.
- One PHP file may include another. (Text p. 104).
- PHP functions. (Text pp. 98-100).
- The sprintf function.
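The following is an added example, not the course's survey scripts: a survey generator and result display in one file, keeping its counts in the key/value store described above. In the notes' layout the survey definition lives in an include file pulled in with require_once; here the $survey array is inline so the example runs as a single file. The file names (survey.php, survey.db), the key layout and the helper names are assumptions; unlike the course's processor, this one only accepts answers that appear in the definition.

```php
<?php
// survey.php: one survey definition drives both the form and the tally.
// Added example; the db4 handler is the one the notes' sandbox provides,
// with PHP's built-in flatfile handler as a fallback elsewhere.
declare(strict_types=1);

// --- survey definition (in the course layout: require_once 'survey_def.php';) ---
$survey = [
    'id'        => 'lunch',
    'title'     => 'Lunch preferences',
    'questions' => [
        'food'  => ['text' => 'Favorite food?',  'choices' => ['pizza', 'tacos', 'salad']],
        'drink' => ['text' => 'Favorite drink?', 'choices' => ['water', 'coffee', 'tea']],
    ],
];

function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Open the key/value store. Mode "c" creates the file if needed, "r" reads only.
function open_store(string $path, string $mode = 'c') {
    $handler = in_array('db4', dba_handlers(), true) ? 'db4' : 'flatfile';
    $db = dba_open($path, $mode, $handler);
    if ($db === false) {
        throw new RuntimeException(sprintf('cannot open %s with handler %s', $path, $handler));
    }
    return $db;
}

// Counts are stored as strings under keys like "lunch:food:pizza".
function count_key(array $survey, string $qid, string $choice): string {
    return sprintf('%s:%s:%s', $survey['id'], $qid, $choice);
}

function get_count($db, string $key): int {
    return dba_exists($key, $db) ? (int) dba_fetch($key, $db) : 0;
}

function bump($db, string $key): int {
    $n = get_count($db, $key) + 1;
    dba_replace($key, (string) $n, $db);   // insert-or-update
    return $n;
}

// Accept only answers that the definition lists. The radio values in the
// form are a whitelist; a forged request must not be able to create
// arbitrary keys in the store.
function valid_answers(array $survey, array $post): ?array {
    $answers = [];
    foreach ($survey['questions'] as $qid => $q) {
        $a = $post[$qid] ?? null;
        if (!is_string($a) || !in_array($a, $q['choices'], true)) {
            return null;
        }
        $answers[$qid] = $a;
    }
    return $answers;
}

$store = __DIR__ . '/survey.db';
$done = false;

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    $answers = valid_answers($survey, $_POST);
    if ($answers !== null) {
        $db = open_store($store, 'c');
        foreach ($answers as $qid => $a) {
            bump($db, count_key($survey, $qid, $a));
        }
        dba_close($db);
        $done = true;
    }
}
?>
<!DOCTYPE html>
<html><head><title><?= h($survey['title']) ?></title></head><body>
<h1><?= h($survey['title']) ?></h1>
<?php if ($done): $db = open_store($store, 'r'); ?>
  <?php foreach ($survey['questions'] as $qid => $q): ?>
    <h2><?= h($q['text']) ?></h2>
    <pre><?php foreach ($q['choices'] as $c): ?>
<?= h(sprintf('%-8s %4d', $c, get_count($db, count_key($survey, $qid, $c)))) ?>
<?php endforeach; ?></pre>
  <?php endforeach; dba_close($db); ?>
<?php else: ?>
  <form action="survey.php" method="post">
  <?php foreach ($survey['questions'] as $qid => $q): ?>
    <p><?= h($q['text']) ?><br>
    <?php foreach ($q['choices'] as $c): ?>
      <label><input type="radio" name="<?= h($qid) ?>" value="<?= h($c) ?>" required="required"> <?= h($c) ?></label>
    <?php endforeach; ?></p>
  <?php endforeach; ?>
    <input type="submit" value="Vote">
  </form>
<?php endif; ?>
</body></html>
```

Adding another survey means adding another definition array (or include file); nothing in the generator, processor or display needs to change. Every string that reaches the page goes through h(), and every string that reaches the store has first been matched against the definition, which is the vetting step the notes say their own processor skips.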
- Sanitizing Input
- No data that comes from the user may be trusted.
- A user can enter anything into a form, including the last thing
you were expecting, and several more past that.
- You can't know that it was really submitted from the form you
intended. Could be submitted from another form, or from a web
- Simple errors can cause problems.
- Hackers are creative and can create much worse problems.
- If data from a form or query is used for a file name, it might
contain slashes, ".." components or wildcards that allow the hacker to
reach other files on the server.
- Some PHP scripts call external programs (Unix or other system
commands). Special characters in the data can do all sorts of
- When user data is used to build SQL statements (which we don't in
instructions included in the input data can cause trouble.
- Make it a habit to clean any outside data before use.
- The generalized survey form does this with a regular expression (RE)
to eliminate anything that's not alphanumeric.
- PHP provides:
- For HTML: htmlentities and
- For commands: escapeshellcmd and
- Specific escapes for supported database systems.
- Always sanitize data, even if you can't see any reason to.
In this area, paranoia is a virtue.
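The following is an added example, not one of the course's scripts, showing each danger above in code: user data used as a file name, passed to a shell command, and echoed back into HTML, each unsafe version beside a hardened one, plus the strip-to-alphanumeric regular expression the survey processor uses. The docs/ directory, the attacker inputs (constructed for illustration) and the function names are assumptions; escapeshellarg() is the companion of the escapeshellcmd() listed above and quotes one whole argument.

```php
<?php
// Added example. The *_unsafe functions are shown for contrast and are
// never called below; the constructed $samples are what an attacker
// might type into the form, not data from a real request.
declare(strict_types=1);

// 1. File names. ?doc=../../etc/passwd walks out of docs/ in the unsafe version.
function read_doc_unsafe(string $doc) {
    return @file_get_contents(__DIR__ . '/docs/' . $doc);
}

// Hardened: whitelist the characters (no slashes, dots or wildcards), and
// then confirm the resolved path still lies inside the base directory.
function read_doc_safe(string $doc): ?string {
    if (!preg_match('/\A[A-Za-z0-9_-]{1,40}\z/', $doc)) {
        return null;
    }
    $base = realpath(__DIR__ . '/docs');
    $path = $base === false ? false : realpath($base . '/' . $doc . '.txt');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    $text = file_get_contents($path);
    return $text === false ? null : $text;
}

// 2. External commands. $dir = "/tmp; cat /etc/passwd" runs a second command.
function list_dir_unsafe(string $dir): string {
    return (string) shell_exec('ls -l ' . $dir);
}

// Hardened: escapeshellarg() wraps the value in single quotes and escapes
// any quote inside it, so ; | & $ ( ) and wildcards are plain text to the shell.
function list_dir_safe(string $dir): string {
    return (string) shell_exec('ls -l ' . escapeshellarg($dir));
}

// 3. Output to HTML. A name of "<script>...</script>" runs in the browser
// of whoever views the page (cross-site scripting).
function greet_unsafe(string $name): string {
    return "<p>Hello, $name</p>";
}

function greet_safe(string $name): string {
    return '<p>Hello, ' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// 4. The survey processor's approach: a RE that strips everything but
// letters and digits. Crude, but nothing dangerous survives it.
function alnum_only(string $s): string {
    return preg_replace('/[^A-Za-z0-9]/', '', $s) ?? '';
}

// Constructed attacker inputs.
$samples = [
    'doc'  => '../../etc/passwd',
    'dir'  => '/tmp; cat /etc/passwd',
    'name' => '<script>alert(document.cookie)</script>',
];
printf("doc  -> %s\n", var_export(read_doc_safe($samples['doc']), true));
printf("dir  -> %s\n", escapeshellarg($samples['dir']));
printf("name -> %s\n", greet_safe($samples['name']));
printf("alnum -> %s\n", alnum_only($samples['name']));
```

Two points worth noticing. The file-name check does both a whitelist and a realpath() containment test: either alone is usually enough, but the second keeps you safe if someone later loosens the whitelist to allow dots. And htmlspecialchars() is applied at the moment the value is written into the page, not when it is read from the form; data is stored raw and escaped for whichever context it is about to enter (HTML, shell, database), since each context has a different set of special characters.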