HTML Forms and PHP Form Handling

HTML forms allow the user to fill in data, which can then be sent to the server. Code on the server will then receive this data and do something, hopefully useful, with it. This topic is discussed in Chapter 11 of your text.

  1. HTML Forms.
    1. Enclosed in a <form>, </form> pair.
    2. Contains input (and some other) tags which are displayed as input items on the screen.
    3. The form tag has an action attribute which is a URL to which the data is sent.
    4. It also specifies a transmission method.
      1. method="get"
        1. This is the way normal pages are requested.
        2. Data from the page is added as a query to the end of the URL.
        3. Should be used when the script stores information on the server.
        4. The request can therefore be bookmarked.
        5. This is the default.
      2. method="post"
        1. The data is sent in the body of the HTTP request, so it does not appear in the URL.
        2. Cannot generally be bookmarked.
    5. The action URL can be made many ways. We will be using PHP.
    6. Forms may be
      1. Static HTML running a separate action script.
      2. Generated by one action script and processed by another.
      3. Generated by a script which also processes the submitted form.
  2. Collecting values.
    1. Data from forms appears as key-value pairs.
    2. They appear to PHP in arrays
      1. $_GET for data from get requests.
      2. $_POST for data from post requests.
      3. $_REQUEST for data from either.
      4. Use isset() to see if a value has been set by the form.
  3. Input tags
    1. Most data-collecting tags are input tags, with various type attributes.
    2. Common attributes.
      1. type tells what sort of entry is drawn.
      2. name identifies the data when sent to the server.
      3. value gives a default, or sometimes only, value to the item.
      4. Non-closed tag: there is no </input>.
    3. Various types of input tag.
      1. type="text": a fill-in box. size= gives the approximate width in characters.
      2. type="checkbox": submits the value, or a 1, if checked. Nothing if not.
      3. type="radio": radio buttons. Create several with the same name, and only allow user to check one.
      4. type="hidden": Nothing is displayed, but the name and value are sent when the form is submitted.
      5. type="submit": Submits the form. Button displays the value.
      [ Basic Form Source Processor ]
      [ Guessing Game Source ]
    4. textarea tag. Multi-line text box.
      1. Allows input of multi-line text.
      2. name attribute as input.
      3. cols and rows attributes give size.
      4. Closed tag. Contents is initial value.
    5. select tag. Create a drop-down.
      <select name="fred">
        <option value="sendthis">showthis</option>
        <option value="ormaybethis">and let user see this</option>
        ...
      </select>
      The value attribute is what the server receives; the text between the option tags is what the user sees.
  4. Use the label tag to enclose a button and its label, which makes the label clickable as well.
  5. autofocus="autofocus" attribute. Pre-click on a box. Ignored by mobile devices.
  6. placeholder="value" attribute. Displays something until you type.
  7. required="required" attribute. Browser will not submit unless you enter something.
    [ Basic Form Slightly Improved Source Processor ]
    [ More Secure Guessing Game Source ]
  8. Simple key-value database.
    1. PHP supports a very simple database system of keys and values.
    2. Not an SQL system.
    3. Quite sufficient for many things.
    4. Docs
    5. On Sandbox, use "DB4" as the handler.
      [ Counting Form Source Processor ]
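      An added example of a counting form (not one of the course's own scripts): a single PHP file that draws the form, processes its own POST data with isset(), and keeps one count per submitted name in a dba key/value file. The file name /tmp/counts.db, the field name "name" and the availability of the db4 handler are assumptions.

```php
<?php
// counter.php: one script that both draws the form and processes it
// (the "generated by a script which also processes the form" pattern).
// Each submitted name gets its own count in a dba key/value file.
// Assumptions (not from the lecture): the file is /tmp/counts.db, the
// field is called "name", and PHP has the "db4" dba handler compiled in.

$db_file = '/tmp/counts.db';
$message = '';

if (isset($_POST['name'])) {
    $name = $_POST['name'];

    // Allow only short alphanumeric keys before touching storage or output.
    if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $name)) {
        $message = 'Please use 1-32 letters, digits or underscores.';
    } else {
        // "c" = open read/write, creating the file if needed; the default
        // lock keeps concurrent submissions from clobbering each other.
        $db = dba_open($db_file, 'c', 'db4');
        if ($db === false) {
            $message = 'Could not open the count database.';
        } else {
            $count = dba_exists($name, $db) ? (int) dba_fetch($name, $db) : 0;
            $count++;
            // dba_replace inserts or overwrites; dba_insert would fail on
            // an existing key.
            dba_replace($name, (string) $count, $db);
            dba_close($db);
            // Escape before echoing even though the regex already limits the
            // characters: the output rule should not depend on the input rule.
            $message = htmlentities($name, ENT_QUOTES, 'UTF-8')
                     . " has been submitted $count time(s).";
        }
    }
}
?>
<!DOCTYPE html>
<html>
<head><title>Counting Form</title></head>
<body>
<?php if ($message !== '') { echo "<p>$message</p>\n"; } ?>
<form action="counter.php" method="post">
  <label>Name: <input type="text" name="name" size="20"
         required="required" autofocus="autofocus"></label>
  <input type="submit" value="Count">
</form>
</body>
</html>
```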
  9. Survey Example
    1. [ Survey Form Generator Source Processor ]
    2. [ Survey Result Display Source ]
    3. [ Survey Definition ]
    4. The survey processor uses a simple key/data file to keep the results.
    5. The include file describes the actual contents of the survey, so the scripts can easily support any number of surveys.
    6. The survey processor is not too careful about vetting the data that comes from the form. We'll discuss why that may be a problem.
    7. New PHP here.
      1. One PHP file may include another. (Text p. 104).
      2. PHP functions. (Text pp. 98-100).
      3. The sprintf function.
  10. Sanitizing Input
    1. No data that comes from the user may be trusted.
      1. A user can enter anything into a form, including the last thing you were expecting, and several more past that.
      2. You can't know that it was really submitted from the form you intended. Could be submitted from another form, or from a web client script.
    2. Simple errors can cause problems.
    3. Hackers are creative and can create much worse problems.
      1. If data from a form or query is used for a file name, it might contain slashes or wildcards that allow the hacker to reach other files on the server.
      2. Some PHP scripts call external programs (Unix or other system commands). Special characters in the data can do all sorts of damage.
      3. When user data is used to build SQL statements (which we don't do here), SQL instructions included in the input data can cause trouble.
    4. Make it a habit to clean any outside data before use.
    5. The generalized survey form does this with a regular expression (RE) to eliminate anything that's not alphanumeric.
    6. PHP provides:
      1. For HTML: htmlentities and strip_tags.
      2. For commands: escapeshellcmd and escapeshellarg.
      3. Specific escapes for supported database systems.
    7. Always sanitize data, even if you can't see any reason to. In this area, paranoia is a virtue.
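    An added example (not one of the course scripts) applying the three kinds of cleaning listed above to constructed form values: the survey's alphanumeric RE, a refuse-rather-than-strip check before using a value as a file name, and htmlentities / escapeshellarg for the HTML and shell sinks. The surveys/ directory and the sample inputs are made up for the demo.

```php
<?php
// sanitize_demo.php: added example showing the cleaning steps from the notes.
// The directory surveys/ and the sample inputs are constructed for the demo.

// 1. Allowlist filter, as the survey processor does: keep only alphanumerics.
function clean_key(string $raw): string {
    return preg_replace('/[^A-Za-z0-9]/', '', $raw);
}

// 2. Turn a user-supplied survey name into a file path without letting
//    "../", slashes or wildcards pick a different file. Returns null on refusal.
function survey_path(string $raw): ?string {
    $key = clean_key($raw);
    if ($key === '' || $key !== $raw) {
        return null;                       // anything stripped means "refuse"
    }
    $path = __DIR__ . '/surveys/' . $key . '.inc';
    return is_file($path) ? $path : null;  // only files that already exist
}

// 3. Escape for the two sinks we write user data into.
function for_html(string $s): string {
    return htmlentities($s, ENT_QUOTES, 'UTF-8');
}
function for_shell(string $s): string {
    return escapeshellarg($s);             // wraps in '...' and escapes quotes
}

// Constructed inputs standing in for $_POST values.
$samples = [
    'lunch2024',                           // well-behaved
    '../../etc/passwd',                    // path traversal attempt
    '<script>alert(1)</script>',           // markup that htmlentities neutralises
    "report' ; whoami",                    // shell metacharacters
];

foreach ($samples as $s) {
    echo "input   : " . for_html($s) . "<br>\n";
    echo "cleaned : " . clean_key($s) . "<br>\n";   // alphanumeric only, safe to echo
    echo "file    : " . (survey_path($s) ?? 'refused') . "<br>\n";
    echo "shell   : " . for_html(for_shell($s)) . "<br><br>\n";
}
```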