To build a form, you must have at least the following elements: • An opening and closing tag • A submission type specifying either a get or post method • One or more input fields • The
Trang 1CHAPTER 11
Form Handling
The main way that website users interact with PHP and MySQL is through the use of HTML forms These were introduced very early on in the development of the World Wide Web in 1993—even before the advent of e-commerce—and have remained a mainstay ever since, due to their simplicity and ease of use
Of course, enhancements have been made over the years to add extra functionality to HTML form handling, so this chapter will bring you up to speed on state-of-the-art form handling and show you the best ways to implement forms for good usability and security
Building Forms
Handling forms is a multipart process First, a form is created into which a user can enter the required details This data is then sent to the web server, where it is interpreted, often with some error checking If the PHP code identifies one or more fields that require reentering, the form may be redisplayed with an error message When the code is sat-isfied with the accuracy of the input, it takes some action that usually involves the database, such as entering details about a purchase
To build a form, you must have at least the following elements:
• An opening <form> and closing </form> tag
• A submission type specifying either a get or post method
• One or more input fields
• The destination URL to which the form data is to be submitted
Example 11-1 shows a very simple form created using PHP Type it in and save it as
formtest.php.
Trang 2Example 11-1 formtest.php—a simple PHP form handler
<?php // formtest.php
echo <<<_END
<html>
<head>
<title>Form Test</title>
</head>
<body>
<form method="post" action="formtest.php" />
What is your name?
<input type="text" name="name" />
<input type="submit" />
</form>
</body>
</html>
_END;
?>
The first thing to notice about this example is that, as you have already seen in this book, rather than dropping in and out of PHP code, the echo <<<_END _END construct
is used whenever multiline HTML must be output
Inside of this multiline output is some standard code for commencing an HTML docu-ment, displaying its title, and starting the body of the document This is followed by the form, which is set to send its data using the post method to the PHP program
formtest.php, which is the name of the program itself.
The rest of the program just closes all the items it opened: the form, the body of the HTML document, and the PHP echo <<<_END statement The result of opening this program in a web browser can be seen in Figure 11-1
Figure 11-1 The result of opening formtest.php in a web browser
Trang 3Retrieving Submitted Data
Example 11-1 is only one part of the multipart form handling process If you enter a name and click on the Submit Query button, absolutely nothing will happen other than the form being redisplayed So now it’s time to add some PHP code to process the data submitted by the form
Example 11-2 expands on the previous program to include data processing Type it in,
or modify formtest.php by adding in the new lines, save it as formtest2.php, and try the
program for yourself The result of running this program and entering a name can be seen in Figure 11-2
Figure 11-2 formtest.php with data handling
Example 11-2 Updated version of formtest.php
<?php // formtest2.php
if (isset($_POST['name'])) $name = $_POST['name'];
else $name = "(Not entered)";
echo <<<_END
<html>
<head>
<title>Form Test</title>
</head>
<body>
Your name is: $name<br />
<form method="post" action="formtest2.php">
What is your name?
<input type="text" name="name" />
<input type="submit" />
</form>
</body>
</html>
_END;
?>
Trang 4The only changes are a couple of lines at the start that check the $_POST associative array
for the field name having been submitted The previous chapter introduced the
$_POST associative array, which contains an element for each field in an HTML form.
In Example 11-2, the input name used was name and the form method was post, so element name of the $_POST array contains the value in $_POST['name']
The PHP isset function is used to test whether $_POST['name'] has been assigned a value If nothing was posted, the program assigns the value “(Not entered)”; otherwise,
it stores the value that was entered Then a single line has been added after the
<body> statement to display that value, which is stored in $name.
register_globals: An Old Solution Hangs On
Before security became such a big issue, the default behavior of PHP was to assign the
$_POST and $_GET arrays directly to PHP variables For example, there would be no need
to use the instruction $name=$_POST['name']; because $name would already be given that value automatically by PHP at the program start!
Initially (prior to version 4.2.0 of PHP), this seemed a very useful idea that saved a lot
of extra code-writing, but this practice has now been discontinued and the feature is disabled by default Should you find register_globals enabled on a production web server for which you are developing, you should urgently ask your server administrator
to disable it
So why disable register_globals? It enables anyone to enter a GET input on the tail of
a URL, like this: http://myserver.com?override=1, and if your code were ever to use the
variable $override and you forgot to initialize it (for example, through $override=0;), the program could be compromised by such an exploit
In fact, because many installations on the Web remain with this gaping hole, I advise you to always initialize every variable you use, just in case your code will ever run on such a system Initialization is also good programming practice, because you can com-ment each initialization to remind yourself and other programmers what a variable is for
If you ever find yourself maintaining code that seems to assume values
for certain variables for no apparent reason, you can make an educated
guess that the programmer wrote the code using register_globals , and
that these values are intended to be extracted from a POST or GET If so,
I recommend you rewrite the code to load these variables explicitly from
the correct $_POST or $_GET array.
Default Values
Sometimes it’s convenient to offer your site visitors a default value in a web form For example, suppose you put up a loan repayment calculator widget on a real estate
Trang 5website It could make sense to enter default values of, say, 25 years and 6 percent interest, so that the user can simply type in either the principal sum to borrow or the amount that he or she can afford to pay each month
In this case, the HTML for those two values would be something like Example 11-3
Example 11-3 Setting default values
<form method="post" action="calc.php"><pre>
Loan Amount <input type="text" name="principle" />
Monthly Repayment <input type="text" name="monthly" />
Number of Years <input type="text" name="years" value="25" />
Interest Rate <input type="text" name="rate" value="6" />
<input type="submit" />
</pre></form>
If you wish to try this (and the other HTML code samples) out, type it
in and save it with a html file extension, such as test.html, then load that
file into your browser.
Take a look at the third and fourth inputs By populating the value parameter, you display a default value in the field, which the users can then change if they wish With sensible default values you can often make your web forms more user-friendly by min-imizing unnecessary typing The result of the previous code looks like Figure 11-3 Of course, this was created just to illustrate default values and, because the program
calc.php has not been written, the form will not do anything if submitted.
Default values are also used for hidden fields if you want to pass extra information from your web page to your program, in addition to what users enter We’ll look at hidden fields later in this chapter
Figure 11-3 Using default values for selected form fields
Trang 6Input Types
HTML forms are very versatile and allow you to submit a wide range of different types
of inputs ranging from text boxes and text areas to checkboxes, radio buttons, and more
Text Boxes
Probably the type of input you will most often use is the text box It accepts a wide range of alphanumeric text and other characters in a single-line box The general format
of a text box input is:
<input type="text" name="name" size="size" maxlength="length" value="value" />
We’ve already covered the name and value parameters, but two more are introduced here: size and maxlength The size parameter specifies the width of the box, in characters
of the current font, as it should appear on the screen, and maxlength specifies the
max-imum number of characters that a user is allowed to enter into the field
The only required parameters are type, which tells the web browser what type of input
is to be expected, and name, for providing a name to the input that is then used to
process the field upon receipt of the submitted form
Text Areas
When you need to accept input of more than a short line of text, use a text area This
is similar to a text box but, because it allows multiple lines, it has some different pa-rameters Its general format looks like this:
<textarea name="name" cols="width" rows="height" wrap="type">
</textarea>
The first thing to notice is that <textarea> has its own tag and is not a subtype of the input tag It therefore requires a closing </textarea> to end input.
Instead of a default parameter, if you have default text to display, you must put it before the closing </textarea>, and it will then be displayed and be editable by the user, like this:
<textarea name="name" cols="width" rows="height" wrap="type">
This is some default text.
</textarea>
To control the width and height, use the cols and rows parameters Both use the char-acter spacing of the current font to determine the size of the area If you omit these values, a default input box will be created that will vary in dimensions depending on the browser used, so you should always define them to be certain about how your form will appear
Trang 7Lastly, you can control how the text entered into the box will wrap (and how any such wrapping will be sent to the server) using the wrap parameter Table 11-1 shows the wrap types available If you leave out the wrap parameter, soft wrapping is used
Table 11-1 The wrap types available in a textarea input
Type Action
off Text does not wrap and lines appear exactly as the user types them.
soft Text wraps but is sent to the server as one long string without carriage returns and line feeds.
hard Text wraps and is sent to the server in wrapped format with soft returns and line feeds.
Checkboxes
When you want to offer a number of different options to a user, from which he or she can select one or more items, checkboxes are the way to go The format to use is:
<input type="checkbox" name="name" value="value" checked="checked" />
If you include the checked parameter, the box is already checked when the browser is
displayed (the string you assign to the parameter doesn’t matter; the parameter just has
to be present) If you don’t include the parameter, the box is shown unchecked Here
is an example of an unchecked box:
I Agree <input type="checkbox" name="agree" />
If the user doesn’t check the box, no value will be submitted But if they do, a value of
“on” will be submitted for the field named agree If you prefer to have your own value
submitted instead of the word “on” (such as the number 1), you could use the following syntax:
I Agree <input type="checkbox" name="agree" value="1" />
On the other hand, if you wish to offer a newsletter to your readers when submitting
a form, you might want to have the checkbox already checked as the default value:
Subscribe? <input type="checkbox" name="news" checked="checked" />
If you want to allow groups of items to be selected at one time, assign them all the same name However, only the last item checked will be submitted, unless you pass an array
as the name For example, Example 11-4 allows the user to select his favorite ice creams (see Figure 11-4 for how it displays in a browser)
Example 11-4 Offering multiple checkbox choices
Vanilla <input type="checkbox" name="ice" value="Vanilla" />
Chocolate <input type="checkbox" name="ice" value="Chocolate" />
Strawberry <input type="checkbox" name="ice" value="Strawberry" />
If only one of the checkboxes is selected, such as the second one, only that item will be
submitted (the field named ice would be assigned the value “Chocolate”) But if two
Trang 8or more are selected, only the last value will be submitted, with prior values being ignored
If you want exclusive behavior—so that only one item can be submitted—then you should use radio buttons (see the next section), but to allow multiple submissions, you
have to slightly alter the HTML, as in Example 11-5 (note the addition of the square brackets, [], following the values of ice):
Example 11-5 Submitting multiple values with an array
Vanilla <input type="checkbox" name="ice[]" value="Vanilla" />
Chocolate <input type="checkbox" name="ice[]" value="Chocolate" />
Strawberry <input type="checkbox" name="ice[]" value="Strawberry" />
Now, when the form is submitted, if any of these items have been checked, an array
called ice will be submitted that contains any and all values In each case, you can extract
either the single submitted value, or the array of values, to a variable like this:
$ice = $_POST['ice'];
If the field ice has been posted as a single value, $ice will be a single string, such as
“Strawberry” But if ice was defined in the form as an array (like Example 11-5), $ice will be an array, and its number of elements will be the number of values submitted Table 11-2 shows the seven possible sets of values that could be submitted by this HTML for one, two, or all three selections In each case, an array of one, two, or three items is created
Table 11-2 The seven possible sets of values for the array $ice
One value submitted Two values submitted Three values submitted
$ice[0] => Vanilla
$ice[0] => Chocolate
$ice[0] => Strawberry
$ice[0] => Vanilla
$ice[1] => Chocolate
$ice[0] => Vanilla
$ice[1] => Chocolate
$ice[2] => Strawberry
$ice[0] => Vanilla
$ice[1] => Strawberry
Figure 11-4 Using checkboxes to make quick selections
Trang 9One value submitted Two values submitted Three values submitted
$ice[0] => Chocolate
$ice[1] => Strawberry
If $ice is an array, the PHP code to display its contents is quite simple and might look like this:
foreach($ice as $item) echo "$item<br />";
This uses the standard PHP foreach construct to iterate through the array $ice and pass each element’s value into the variable $item, which is then displayed using the echo command The <br /> is just an HTML formatting device, to force a new line after each flavor in the display
By default, checkboxes are square
Radio Buttons
Radio buttons are named after the push-in preset buttons found on many older radios, where any previously depressed button pops back up when another is pressed They are used when you want only a single value to be returned from a selection of two or more options All the buttons in a group must use the same name and, because only a single value is returned, you do not have to pass an array
For example, if your website offers a choice of delivery times for items purchased from your store, you might use HTML like that in Example 11-6 (see Figure 11-5 to see how
it displays)
Figure 11-5 Selecting a single value with radio buttons
Example 11-6 Using radio buttons
8am-Noon<input type="radio" name="time" value="1" />|
Noon-4pm<input type="radio" name="time" value="2" checked="checked" />|
4pm-8pm<input type="radio" name="time" value="3" />
Trang 10Here the second option of Noon-4pm has been selected by default This default choice
ensures that at least one delivery time will be chosen by the users, which they can change
to one of the other two options if they prefer Had one of the items not been already checked, the user might forget to select an option and no value would be submitted at all for the delivery time
By default, radio buttons are round
Hidden Fields
Sometimes it is convenient to have hidden form fields so that you can keep track of the state of form entry For example, you might wish to know whether a form has already been submitted You can achieve this by adding some HTML in your PHP code, such
as the following:
echo '<input type="hidden" name="submitted" value="yes" />'
This is a simple PHP echo statement that adds an input field to the HTML form Let’s assume the form was created outside the program and displayed to the user The first time the PHP program receives the input, this line of code has not run, so there will be
no field named submitted The PHP program recreates the form, adding the input field.
So when the visitor resubmits the form, the PHP program receives it with the submit-ted field set to “yes” The code can simply check whether the field is present:
if (isset($_POST['submitted']))
{
Hidden fields can also be useful for storing other details, such as a session ID string that you might create to identify a user, and so on
Never treat hidden fields as secure—because they are not The HTML
containing them can easily be viewed using a browser’s View Source
feature.
Select
The select tag lets you create a drop-down list of options, offering either single or multiple selections It conforms to the following syntax:
<select name="name" size="size" multiple="multiple">
The parameter size is the number of lines to display Clicking on the display causes a list to drop down showing all the options If you use the multiple parameter, multiple
options can be selected from the list by pressing the Ctrl key when clicking So to ask
a user for her favorite vegetable from a choice of five, you might use HTML as in Example 11-7, which offers a single selection