Web Develop Forum: Lesson 5 - HTML Forms & PHP - Web Develop Forum

Lesson 5 - HTML Forms & PHP
Finally - we get to start building something!

#1 Jack (Group: Teacher) - Posted 02 March 2009 - 04:14 PM

Hi,
This week I'll be showing you how to get data from the user in the form of an HTML form. I assume that you know HTML - if not then w3schools.org have some fantastic tutorials and references.

30 seconds to summarise the basics of HTML forms:

<form action="Name Of Script" method="POST or GET">

<input type="text" name="username" value="value" />

<input type="radio" name="color" value="red" />
<input type="radio" name="color" value="purple" checked />

</form>

Ok.

So first of all - our form action needs to point to the name of the script which it's sending the data to. Often this is the same page - so you can use the same script to process the data (and maybe if it's invalid display the valid stuff again, and only present empty fields for those that weren't correct?)

The method is either POST or GET. GET sends the data in the URL, so it's fairly (VERY!!!!!) insecure (and it's limited, so if you're using anything over a few fields it's usually easiest and best to go with POST). An example of GET data in a URL is:
index.php?field=value&field2=value

*For those of you that know about them, I'm not worrying about register globals etc for at least a long time ;)

So - You've created your form? Great. Now - the magic of PHP:

<?php

echo $_POST['fieldname'];
?>

PHP magically makes the form available through the $_POST and $_GET arrays (for POST and GET data methods). Alternatively you can ignore which method it was sent by and use $_REQUEST.... But then you leave yourself even more open to attack (because anyone can enter a value into the URL).

So... We have this data - but it could contain anything. If there is one thing that you learn out of all this (and hopefully you'll learn more anyway) it's that you should NEVER TRUST THE USER!!!! NEVER TRUST THE USER!!! NEVER TRUST THE USER!!!!! Ok. Got that straight? See, as soon as you trust the user - you let them take advantage of you, they could upload a virus or anything.

Instead of just using $_POST['username'] we should 'clean' or parse the data. For now ( so it doesn't get too messy and it stays nice and simple) I'll use just a few easy functions. Later on when we play with MySQL - we'll need to do more parsing ( more on SQL injection attacks later).

echo strip_tags(trim($_POST['username']));

As you can see, I have placed a function call in a function call. This is perfectly legal and is often left like this. Note that if you embed more than one level into the function arguments - you start getting really messy, unreadable code.... This is fairly ok - and it's sort of standard amongst a lot of coders to leave the validation this way. Note - it's pretty much like maths, you do the inside function, and then work your way out.

Firstly we trim() the value.. this removes any whitespace at the start or end of the value (eg " computer" would become "computer"). Then we strip_tags() that value. This is a very useful function - it pretty much removes all the HTML and PHP tags from the code. As a second argument, you can pass it a string of tags to ignore - eg if you wanted to ignore all "<br />" you would go: strip_tags($variable, "<br>"); (the tag is listed without the self-closing slash).

Now... Unfortunately at this time we cannot do too much more (easily) to validate our values. If you want to you could pass it through the intval() function to try and remove strings etc - eg if you wanted an age not a name? Later on when we have covered regular expressions (pattern matching etc) we can revisit this and look at validating fields with those (because this topic is extremely important to any programmer anywhere).

Now. Now seems as good a time as ever to look at looping through our array.

This is a specific loop for use on arrays:

FOREACH!

foreach($array_name as $field => $value) {
//each iteration sets $field and $value to their respective values in the array.
}

alternatively you can use:

foreach($array_name as $value) {
// here the $field variable is unavailable, but sometimes you only need the value ;)
}


* If you weren't aware you can create arrays of elements in HTML:

<input name='name[]'>
<input name='name[]'>

then $_POST['name'] is an array:

foreach($_POST['name'] as $value) {
// $value stores the value from each of the above fields
}

This method is especially useful if you need a dynamic length of fields (eg a list of input boxes such as is on a lot of Google applications (email, docs, pages etc)). Alternatively, you might have a set of checkboxes you need to loop through etc.

So - I think I'll leave it there this week. For homework I'll be getting you to write your own little word filter - to filter out bad words. However more on that tomorrow ;)

C Ya


P.S. If you want to look at how forms are constructed on sites - a really useful tool is Firefox's "web developer toolbar". It allows you to select and view form information (as well as a heap of other stuff). It also allows you to force the form to use POST or GET even if it's set to do the other ;) - and all sorts of neat stuff like that.
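
An added example, not part of Jack's original post: the lesson's form fields (username, color, name[]) handled in one PHP function, with an allowlist for the radio value, a type check before looping over name[], and htmlspecialchars() applied when the value is printed. The age field, the length and range limits and the function name clean_form() are assumptions made for the illustration.

```php
<?php
// Added example (not from the original post). username, color and name[] come
// from the lesson; the age field, the limits and clean_form() are assumptions.
function clean_form(array $post): array
{
    $errors = [];
    $clean  = ['name' => []];
    // A field may be missing or arrive as an array (username[]=x): check the type.
    $username = $post['username'] ?? '';
    $username = is_string($username) ? strip_tags(trim($username)) : '';
    if ($username === '' || strlen($username) > 32) {
        $errors[] = 'username';
    }
    $clean['username'] = $username;

    // Radio buttons: accept only the values the form actually offers.
    $color = $post['color'] ?? '';
    if (in_array($color, ['red', 'purple'], true)) {
        $clean['color'] = $color;
    } else {
        $errors[] = 'color';
    }

    // Numbers: FILTER_VALIDATE_INT rejects "12abc"; intval() would return 12.
    $age = filter_var($post['age'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 130]]);
    if ($age === false) {
        $errors[] = 'age';
    } else {
        $clean['age'] = $age;
    }

    // name[]: confirm it really is an array before foreach; keep strings only.
    $names = $post['name'] ?? [];
    foreach (is_array($names) ? $names : [] as $value) {
        if (is_string($value) && trim($value) !== '') {
            $clean['name'][] = strip_tags(trim($value));
        }
    }
    return [$clean, $errors];
}

// Constructed sample input standing in for $_POST.
$sample = ['username' => ' <b>jack</b> ', 'color' => 'green', 'age' => '12abc',
           'name' => ['Ann', ['nested'], ' <i>Bob</i> ']];
[$clean, $errors] = clean_form($sample);
// Escape when printing: strip_tags() leaves quotes and & in the value.
echo htmlspecialchars($clean['username'], ENT_QUOTES, 'UTF-8'), "\n";
echo 'rejected: ', implode(', ', $errors), "\n";
```

In a real script the call would be clean_form($_POST), and the form would be shown again whenever the returned error list is not empty.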