HTML Forms and PHP Form Handling

HTML forms allow the user to fill in data, which can then be sent to the server. Code on the server will then receive this data, and do something, hopefully useful, with it. This topic is discussed in Chapter 11 of your text.

  1. HTML Forms.
    1. Enclosed in a <form>, </form> pair.
    2. Contains input (and some other) tags which are displayed as input items on the screen.
    3. The form tag has an action attribute which is a URL to which the data is sent.
    4. It also specifies a transmission method.
      1. method="get"
        1. This is the way normal pages are requested.
        2. Data from the page is added as a query to the end of the URL.
        3. Should be used when the script stores information on the server.
        4. The request can therefore be bookmarked.
        5. This is the default.
      2. method="post"
        1. The data are sent in the body of the HTTP request, so the values do not appear in the URL.
        2. Cannot generally be bookmarked.
    5. Forms may be
      1. Static HTML running a separate action script.
      2. Generated by one action script and processed by another.
      3. Generated by a script which also processes the submitted form.
    6. The action URL
      1. May be any valid URL, though a static one doesn't make much sense.
      2. Very common to have the same script both generate the form and process it.
      3. If the action attribute is omitted from the form tag, this is exactly what happens: The browser uses the page URL as the action.
  2. Collecting values.
    1. Data from forms appears as key-value pairs.
    2. They appear to PHP in arrays:
      1. $_GET for data from get requests.
      2. $_POST for data from post requests.
      3. $_REQUEST for data from either.
      4. Use isset() to see whether a value has been set by the form.
  3. Input tags
    1. Most data-collecting tags are input tags, with various type attributes.
    2. Common attributes.
      1. type tells what sort of entry is drawn.
      2. name identifies the data when sent to the server.
      3. value gives a default, or sometimes only, value to the item.
      4. input is a non-closed tag: there is no </input>.
    3. Various types of input tag.
      1. type="text": a fill-in box. size= gives the width of the box, roughly in characters.
        <input name="t1" type="text" size="6">
      2. type="checkbox": submits the value, or a 1, if checked. Nothing if not.
        <input type="checkbox" name="c1" value="real">Yes, really
      3. type="radio": radio buttons. Create several with the same name, and the browser only allows the user to check one.
        <input type="radio" name="c1" value="1">first <input type="radio" name="c1" value="2">second
        <input type="radio" name="c1" value="3">third
      4. type="hidden": Nothing is displayed, but the name and value are sent when the form is submitted.
        <input type="hidden" name="id" value="1948295">
      5. type="submit": Submits the form. Button displays the value.
        <input type="submit" name="SENT" value="Buy Now">
      [ Basic Form Source Processor ]
      [ Guessing Game Source ]
    4. textarea tag. Multi-line text box.
      1. Allows input of multi-line text.
      2. name attribute as input.
      3. cols and rows attributes give size.
      4. Closed tag. Its contents are the initial value.
        <textarea rows="3" cols="30">Enter Comment Here</textarea>
    5. select tag. Create a drop-down.
      <select name="fred">
        <option value="none"></option>
        <option value="sendthis">showthis</option>
        <option value="ormaybethis">and let user see this</option>
        <option value="trythis">try this?</option>
        <option value="fourth">Another option.</option>
      </select>
  4. Use the label tag to enclose a button and its label, which makes the label clickable as well.
  5. autofocus="autofocus" attribute. Puts the cursor in that box when the page loads, as if it had been clicked. Ignored by mobile devices.
  6. placeholder="value" attribute. Displays hint text in the box until the user types.
  7. required="required" attribute. The browser will not submit the form unless something is entered.
    [ Basic Form Slightly Improved Source Processor ]
    [ More Secure Guessing Game Source ]
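As an added example (not one of the linked course scripts), one script that both draws a form using the tags and attributes above and processes it. The action attribute is omitted, so the browser posts back to this same URL; the field names (name, size, color, extras, comment, id) and the button name SENT are chosen here, not taken from the page.

```php
<?php
// Added example, not one of the course's linked scripts: one script both draws
// the form and processes it. The action attribute is omitted, so the browser
// posts back to this same URL. Field names (name, size, color, extras,
// comment, id) and the button name SENT are chosen here, not taken from the page.

function field(string $key, string $default = ''): string {
    // One submitted value from $_POST, or the default if the key was not sent.
    return isset($_POST[$key]) ? trim((string) $_POST[$key]) : $default;
}

function h(string $s): string {
    // Escape user data before echoing it back into the page.
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

if (isset($_POST['SENT'])) {
    // Second visit: the submit button's name is present, so process the data.
    $extras = isset($_POST['extras']) ? 'yes' : 'no';   // checkbox sends nothing when unchecked
    echo '<p>Order ' . h(field('id')) . ' for ' . h(field('name')) . ': '
       . h(field('size', 'medium')) . ' ' . h(field('color', 'none'))
       . ", extras: $extras.</p>";
    echo '<p>Comment: ' . nl2br(h(field('comment'))) . '</p>';
} else {
    // First visit: nothing submitted yet, so draw the form.
?>
<form method="post">
  <label>Name: <input type="text" name="name" size="20" required="required"
                      placeholder="Your name" autofocus="autofocus"></label><br>
  <label><input type="radio" name="size" value="small">small</label>
  <label><input type="radio" name="size" value="medium" checked>medium</label>
  <label><input type="radio" name="size" value="large">large</label><br>
  <select name="color">
    <option value="none"></option>
    <option value="red">Red</option>
    <option value="blue">Blue</option>
  </select><br>
  <label><input type="checkbox" name="extras" value="1">Extras?</label><br>
  <textarea name="comment" rows="3" cols="30">Enter Comment Here</textarea><br>
  <input type="hidden" name="id" value="1948295">
  <input type="submit" name="SENT" value="Buy Now">
</form>
<?php
}
```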
  8. Simple key-value database.
    1. PHP supports a very simple database system of keys and values.
    2. Not an SQL system.
    3. Quite sufficient for many things.
    4. Docs
    5. On Sandbox, use "DB4" as the handler.
      [ Counting Form Source Processor ]
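An added example of the key-value store in use (not the course's linked "Counting Form" script): it tallies the choices submitted to a form with PHP's dba functions and the db4 handler the Sandbox provides. The file name votes.db and the field name "choice" are assumptions made here.

```php
<?php
// Added example, not the course's linked "Counting Form" script: tallies the
// choices submitted to a form in PHP's dba key-value store, using the db4
// handler the Sandbox provides. Assumed: the file name votes.db and the field
// name "choice" are chosen here.

function tally(string $file, ?string $choice): array {
    // Mode "c": read/write, create the file if missing. dba_open locks the
    // file by default, so two simultaneous submissions cannot lose an update.
    $db = dba_open($file, 'c', 'db4');
    if ($db === false) {
        throw new RuntimeException("cannot open $file");
    }
    if ($choice !== null) {
        // The key comes from the user: keep only alphanumerics (see Sanitizing).
        $key = preg_replace('/[^A-Za-z0-9]/', '', $choice);
        if ($key !== '') {
            // Values are stored as strings; a missing key means no votes yet.
            $n = dba_exists($key, $db) ? (int) dba_fetch($key, $db) : 0;
            dba_replace($key, (string) ($n + 1), $db);   // insert or overwrite
        }
    }
    // Walk every key to build the complete tally.
    $totals = [];
    for ($k = dba_firstkey($db); $k !== false; $k = dba_nextkey($db)) {
        $totals[$k] = (int) dba_fetch($k, $db);
    }
    dba_close($db);
    return $totals;
}

// A "choice[]" field would arrive as an array, so accept only a plain string.
$choice = $_POST['choice'] ?? null;
$totals = tally(__DIR__ . '/votes.db', is_string($choice) ? $choice : null);
foreach ($totals as $k => $n) {
    echo '<p>' . htmlentities($k) . ": $n</p>";
}
```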
  9. Sanitizing Input
    1. No data that comes from the user may be trusted.
      1. A user can enter anything into a form, including the last thing you were expecting, and several more past that.
      2. You can't know that it was really submitted from the form you intended. Could be submitted from another form, or from a web client script.
    2. Simple errors can cause problems.
    3. Hackers are creative and can create much worse problems.
      1. If data from a form or query is used for a file name, it might contain slashes or wildcards that allow the hacker to reach other files on the server.
      2. Some PHP scripts call external programs (Unix or other system commands). Special characters in the data can do all sorts of damage.
      3. When user data is used to build SQL statements (which we don't do here), SQL instructions included in the input data can cause trouble.
    4. Make it a habit to clean any outside data before use.
    5. The generalized survey form does this with a regular expression (RE) to eliminate anything that's not alphanumeric.
    6. PHP provides:
      1. For HTML: htmlentities and strip_tags.
      2. For commands: escapeshellcmd and escapeshellarg.
      3. Specific escapes for supported database systems.
    7. Always sanitize data, even if you can't see any reason to. In this area, paranoia is a virtue.
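An added example (not from the page's linked scripts) covering the three hazards listed above, file names, shell commands and HTML output, each with the cleaning step the notes recommend. The query parameter names file, q and note, and the directory uploads/ as the only place a user may read files from, are assumptions made here.

```php
<?php
// Added example, not from the page's linked scripts: the three hazards listed
// above (file names, shell commands, HTML output), each with the cleaning step
// the notes recommend. Assumed: query parameter names "file", "q" and "note",
// and a directory uploads/ holding the only files a user may read.

// 1. File name: keep only alphanumerics, dots and dashes so "../" or "*"
//    cannot reach outside the intended directory, then confirm the resolved
//    path really lies inside it (realpath also follows symlinks).
function safe_file(string $raw): ?string {
    $name = preg_replace('/[^A-Za-z0-9.\-]/', '', basename($raw));
    if ($name === '' || $name[0] === '.') {
        return null;                       // empty, or a hidden dot-file: reject
    }
    $base = realpath(__DIR__ . '/uploads');
    $path = realpath($base . '/' . $name); // false if the file does not exist
    return ($path !== false && strpos($path, $base . '/') === 0) ? $path : null;
}

// 2. Shell command: never splice raw input into a command line. Quoting it
//    as one argument makes ";", "|", "`" and spaces ordinary characters.
function grep_command(string $needle): string {
    return 'grep -c ' . escapeshellarg($needle) . ' ' . escapeshellarg(__DIR__ . '/log.txt');
}

// 3. HTML: strip tags and encode what remains before echoing user text back,
//    so it is displayed as text rather than interpreted by the browser.
function safe_html(string $raw): string {
    return htmlentities(strip_tags($raw), ENT_QUOTES, 'UTF-8');
}

$file = safe_file($_GET['file'] ?? '');
echo $file ? '<p>Reading ' . safe_html(basename($file)) . '</p>' : '<p>No such file.</p>';

// Only the quoted command line is shown here; nothing is executed.
echo '<pre>' . safe_html(grep_command($_GET['q'] ?? '')) . '</pre>';

echo '<p>Your note: ' . safe_html($_GET['note'] ?? '') . '</p>';
```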