
PHP-Einführung - Lesson 3 - Processing forms

Alexander Lichter

June 27, 2017

Content of this lesson

1. Recap

2. Security notice

3. Functions

4. Understanding of HTTP Requests

5. PHP Superglobals

6. Form Handling

7. Input Validation and Security

Recap

A short recap

Well.. essentially we learned most of the basic control structures and can write somewhat mighty programs. But these are not dynamic enough at the moment, because we cannot process user input yet! That's what we want to change in this lesson.

Security notice

As you've seen in the content overview, our last chapter is Input Validation and Security. All code examples before this chapter lack security and validation measures. Please do not use them in production, otherwise you open Pandora's box for your (live) website!

Functions

Before diving into forms, we need to learn another important control structure to stop repeating our code and make it easier, shorter and better: functions!

    <?php
    function outputGreeting($name) {
        echo "Hey $name";
    }
    outputGreeting("Peter"); // Call the function

Each function has a name after the function keyword, 0 to n arguments, a function body (that is executed when the function is called) and sometimes a return value.

Functions with return value

To structure your code, it is worth creating functions for repetitive tasks.

    <?php
    function sum($x, $y) {
        return $x + $y;
    }
    echo "9 + 5 = " . sum(9, 5) . "<br>";
    echo "189 + 25 = " . sum(189, 25);

Keep that in mind!

Functions with default values

Arguments/parameters can also have default values!

    <?php
    function setType($name, $type = "Student") {
        echo "$name is currently a $type";
    }
    setType("Norbert");
    setType("Klaus", "Teacher");

Understanding of HTTP Requests

HTTP - The protocol of the Internet

HTTP (short for Hypertext Transfer Protocol) is used for communicating between a client and the server.

It is a request-response protocol: by entering a URL in your browser, your browser performs a GET request to the server and displays the response, which can be HTML, a file (which you can download) or anything else. The response also contains a status code (200 means OK, for example; you all know some more, I guess). With a POST request you can additionally send data in the request body.

There are more methods than just GET and POST, but we will cover those in a later lesson.

GET vs POST

Well, let's compare GET and POST now, so we can evaluate when to use each method. We can choose between those two when sending a form (via the form's method attribute). The default method is GET, by the way.

    Attribute            GET                              POST
    Visibility           Yes, query string in URL         No, query string only in request body
    Bookmarked           Yes, bookmarking is possible     Not possible
    Browser history      Creates browser history entry    No history entries
    Cache                Cacheable                        Not cacheable
    Length               Limited                          Unlimited
    Reload/Back button   Nothing special                  Resend alert
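To make the "Visibility" row of the table concrete, here is an added example (not part of the original slides) that builds the raw HTTP/1.1 request a browser would send for the same two form fields, once with method="get" and once with method="post". The host name, path and field values are constructed sample data; buildRequest() is my own helper.

```php
<?php
// Added example: the raw request text for the same form fields sent via GET and via POST.
// Host, path and field values are constructed sample data.

function buildRequest(string $method, string $host, string $path, array $fields): string
{
    // http_build_query() URL-encodes keys and values and joins them with '&'
    // (spaces become '+', '@' becomes '%40').
    $encoded = http_build_query($fields);

    if ($method === 'GET') {
        // The form data travels in the query string: it is visible in the URL,
        // lands in the browser history and in server logs, and is subject to URL length limits.
        return "GET {$path}?{$encoded} HTTP/1.1\r\n"
             . "Host: {$host}\r\n"
             . "\r\n";
    }

    // POST: the same data travels in the request body, not in the URL.
    // Content-Length is the byte length of the body.
    return "POST {$path} HTTP/1.1\r\n"
         . "Host: {$host}\r\n"
         . "Content-Type: application/x-www-form-urlencoded\r\n"
         . "Content-Length: " . strlen($encoded) . "\r\n"
         . "\r\n"
         . $encoded;
}

// Constructed sample form data.
$fields = ['name' => 'Peter Example', 'email' => 'peter@example.com'];

echo buildRequest('GET', 'example.com', '/welcome.php', $fields), "\n\n";
echo buildRequest('POST', 'example.com', '/welcome.php', $fields), "\n";
```

Run it with `php` on the command line: the GET request carries `name=Peter+Example&email=peter%40example.com` in the request line, the POST request carries the identical string after the blank line that ends the headers. That is the whole difference the table describes, and it is why a password must never travel in a GET request.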

GET vs POST

Alright, now you know what the difference is. So, to put it in a nutshell, let's list the use cases:

GET

• Filtering

• Searching

• Redirect through forms

POST

• Sending data that should not appear in the URL (sensitive data like passwords, e.g.)

• Actually all other use cases :D

PHP Superglobals

Superglobals

Superglobals are variables that are accessible regardless of the scope. They are automatically set by PHP itself. You can alter them, though!

• $_SERVER holds all information about the request headers, script location and similar

• $_POST and $_GET hold the corresponding data sent by the request

• $_COOKIE has the cookie data of the request

• $_REQUEST holds all data of $_POST, $_GET and $_COOKIE

• $_SESSION stores user-based data (e.g. when they log in)

• $_ENV is responsible for all environment variables

Superglobals - Example

Assuming you call the following script with the parameters ?name=Alex&age=20&lesson=3

    <?php
    echo "Name: " . $_GET['name'] . "<br>";
    echo "Age: " . $_REQUEST['age'] . "<br>";
    // Would not work because the HTTP method is GET
    // echo "Lesson: " . $_POST['lesson'] . "<br>";
    echo "Lesson: " . $_GET['lesson'] . "<br>";
    echo "Script name: " . $_SERVER['PHP_SELF'] . "<br>";

It will print out the values from the query string and the filename of the executing script (through $_SERVER['PHP_SELF']).
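The script above reads the age from $_REQUEST, which works here but hides where the value came from. The following added example (not part of the original slides) re-implements the rule PHP uses to fill $_REQUEST so that the precedence becomes visible, and shows the explicit alternative. The sample arrays are constructed; mergeLikeRequest() is my own helper and the letters G, P and C follow the request_order ini documentation.

```php
<?php
// Added example: why a form handler should read $_POST (or $_GET) explicitly
// instead of $_REQUEST.
// $_REQUEST is built from $_GET, $_POST and $_COOKIE in the order given by the
// request_order ini setting (or variables_order when request_order is empty);
// a later source overwrites an earlier one for the same key.

// Constructed sample data standing in for what PHP fills in on a real request.
$get    = ['age' => '20', 'name' => 'Alex'];
$post   = ['age' => '99'];
$cookie = ['age' => '-1'];

// Re-implementation of the merge rule (assumption: the letters G, P and C stand for
// GET, POST and COOKIE as in the ini documentation; other letters such as E and S
// are ignored here because they do not contribute to $_REQUEST).
function mergeLikeRequest(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged  = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            // array_merge() lets the later array win for duplicate string keys.
            $merged = array_merge($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// "GP" is the value shipped in php.ini-production: POST wins, cookies are ignored.
echo "request_order=GP    -> age = ", mergeLikeRequest('GP', $get, $post, $cookie)['age'], "\n";
// "EGPCS" is the built-in variables_order: the cookie value overwrites the POST value.
echo "request_order=EGPCS -> age = ", mergeLikeRequest('EGPCS', $get, $post, $cookie)['age'], "\n";

// Reading from the intended source removes the ambiguity, and filter_input() validates
// the value at the same time: it returns false for a non-integer and null when absent.
$age = filter_input(INPUT_POST, 'age', FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
var_dump($age);
```

The same key can therefore mean a different thing on two servers with different ini files, and on a server that includes cookies in request_order a stale cookie silently replaces what the user typed into the form. A handler that reads $_POST for a POST form never has that problem.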

Form Handling

Our first form

Now we will write our first script that handles form user input. First of all, we need.. a form!

    <html>
    <body>

    <form action="welcome.php" method="post">
    Your name: <input type="text" name="name"><br>
    Your e-mail: <input type="text" name="email"><br>
    <input type="submit">
    </form>

    </body>
    </html>

As you see, there is no PHP code included yet. It is a simple form that uses the POST method to send name and e-mail. It will be submitted to welcome.php, because that is the value of the action attribute.

Our first form

If we submit the form now.. it will most likely throw a 404 error, because our PHP script does not exist yet. Well, you know how to use superglobals, so write your own welcome.php that does something with the form data!

    <html>
    <body>

    Welcome <?= $_POST["name"]; ?><br>
    Your e-mail is: <?= $_POST["email"]; ?>

    </body>
    </html>

As you see, I am using other PHP open/close tags here. You can use them like this when you want to echo/print something. It's pretty nice for "one-liners" ;)

Form evaluation in the same script

There is also a way to evaluate the form input on the same page. First of all, you need to set the action to the script itself. How can you do that?

    <html>
    <body>

    <form action="<?= $_SERVER['PHP_SELF'] ?>" method="post">
    Your name: <input type="text" name="name"><br>
    Your e-mail: <input type="text" name="email"><br>
    <input type="submit">
    </form>

    </body>
    </html>

And now you need to tell whether the form has been sent yet or not....

Form evaluation in the same script

You can do that by creating a condition on the HTTP request method:

    <?php

    if ($_SERVER["REQUEST_METHOD"] == "POST") {
        // Evaluate form here
    } else {
        // Show form here
    }

It's your turn again! Refactor your welcome.php and merge it into the same script you use to display the form.

Input Validation and Security

Form Security - PHP_SELF

The most important topic in form handling is security. We will start with the $_SERVER["PHP_SELF"] variable, which can easily be abused when not properly escaped.

DEMO

How to fix this:

    <form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>">

htmlspecialchars "escapes" the whole string: the characters that have a special meaning in HTML (such as <, >, & and ") are converted into HTML entities, so they are rendered harmlessly as text without any character being removed.
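The "Form evaluation in the same script" exercise and the PHP_SELF fix combined into one complete file, as an added example that is not part of the original slides. The field names follow the slides; the helpers e() and postString() and the choice of $_SERVER['SCRIPT_NAME'] for the action are my own.

```php
<?php
// Added example: form and handler in one file, with the PHP_SELF fix applied.
declare(strict_types=1);

// Escape a value for an HTML context. ENT_QUOTES also escapes single quotes, which
// matters inside attribute values; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// making htmlspecialchars() return an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Read one POST field as a string. A client can send name[]=x and turn the field into
// an array, so anything that is not a string is treated as missing.
function postString(string $key): string
{
    $value = $_POST[$key] ?? null;
    return is_string($value) ? trim($value) : '';
}

// $_SERVER['PHP_SELF'] also contains any extra path the client appended after the script
// name (PATH_INFO), which is why it must never be printed raw. SCRIPT_NAME does not
// contain that part, so it is the safer source; it is escaped anyway.
$action = e($_SERVER['SCRIPT_NAME'] ?? '');

$submitted = ($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST';
$name  = $submitted ? postString('name')  : '';
$email = $submitted ? postString('email') : '';
?>
<!DOCTYPE html>
<html>
<body>

<?php if ($submitted): ?>
    Welcome <?= e($name) ?><br>
    Your e-mail is: <?= e($email) ?>
<?php else: ?>
    <form action="<?= $action ?>" method="post">
        Your name: <input type="text" name="name"><br>
        Your e-mail: <input type="text" name="email"><br>
        <input type="submit">
    </form>
<?php endif; ?>

</body>
</html>
```

Every value that came from the client (the two fields and the script path) passes through e() exactly once, at the point where it is written into the HTML. That is the rule to keep: escape for the context you are writing into, at the moment you write. Serve the file with `php -S localhost:8000` and submit the form to see both branches.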

Form Security - Sanitize input

Now we need to sanitize our input. Imagine someone submits HTML code as their "email". If we display that code without sanitizing it, it could be abused.

    <?php
    function sanitizeInput($data) {
        $data = trim($data);
        $data = stripslashes($data);
        $data = htmlspecialchars($data);
        return $data;
    }

• trim removes whitespace before and after the data

• stripslashes removes backslashes (the escaping slashes), as the name says

It is important to sanitize all of your input!
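What the sanitizeInput() function from the slide does to a few constructed inputs, followed by the split a practitioner would use instead: validate when the data comes in, escape when it goes out. This is an added example, not part of the original slides; validateContact() and escapeHtml() are my own helpers and the sample inputs are constructed.

```php
<?php
// Added example: behaviour of the slide's sanitizeInput() on constructed inputs,
// and a validate-on-input / escape-on-output alternative.

function sanitizeInput($data) {
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}

// Constructed sample inputs.
$samples = [
    "  <b>bold</b>@example.com  ",  // HTML in the e-mail field, as on the slide
    'C:\\temp\\report.txt',         // a legitimate backslash in the data
    "O'Brien",                      // a legitimate single quote
];
foreach ($samples as $s) {
    echo sanitizeInput($s), "\n";
}
// What to look for in the output:
//  - the <b> tags become &lt;b&gt;, so a browser shows them as text instead of rendering them;
//  - stripslashes() turns C:\temp\report.txt into C:tempreport.txt: it undoes the
//    addslashes()/magic_quotes escaping of old PHP versions and damages raw input;
//  - before PHP 8.1 the default flags of htmlspecialchars() leave the single quote alone,
//    which is unsafe inside single-quoted attributes (pass ENT_QUOTES explicitly).

// Validation decides whether a value is acceptable at all. Collecting all errors lets
// the form report every problem at once instead of only the first one.
function validateContact(array $input): array
{
    $errors = [];
    // A client can send name[]=x; only strings are accepted.
    $name  = is_string($input['name']  ?? null) ? trim($input['name'])  : '';
    $email = is_string($input['email'] ?? null) ? trim($input['email']) : '';

    if ($name === '' || strlen($name) > 100) {
        $errors['name'] = 'Name must be 1 to 100 bytes long.';
    }
    // FILTER_VALIDATE_EMAIL rejects the HTML sample above: '<' and '>' are not allowed
    // in an unquoted local part.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Not a valid e-mail address.';
    }
    return ['name' => $name, 'email' => $email, 'errors' => $errors];
}

// Escaping is applied where the value is written into HTML, not when it is stored.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$result = validateContact(['name' => "O'Brien", 'email' => '<b>bold</b>@example.com']);
foreach ($result['errors'] as $field => $message) {
    echo $field, ': ', $message, "\n";
}
echo 'Name as written into the page: ', escapeHtml($result['name']), "\n";
```

Keeping the stored value unmodified and escaping only on output has a practical benefit beyond correctness: the same name can later be written into an e-mail, a JSON response or a database parameter, each with its own escaping rule, without first having to undo an HTML encoding that was applied too early.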

Form Security - Your task

Alright. Your final task this week: create a little calculator that takes two numbers and calculates all basic results by using forms!

HINTS:

• Use radio buttons for the arithmetic methods (+, -, *, /, %, **)

• Think about error handling. What could go wrong?

• Sanitize your input!
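One way to approach the task, as an added example that is not part of the original slides: the arithmetic is isolated in a calculate() function that validates both operands, looks the operator up in an allow-list and reports every error it can detect, and the form around it uses radio buttons as the hint suggests. The field names a, b and op, the helper names and the HTML layout are my own choices.

```php
<?php
// Added example: core of the calculator task with input validation and error handling.
declare(strict_types=1);

// Allow-list of operators. The operator string comes from the client, so it is only ever
// compared against this list and never passed to eval() or built into code.
const OPERATIONS = ['+', '-', '*', '/', '%', '**'];

// Returns ['result' => float] on success or ['error' => string] on failure.
function calculate(array $input): array
{
    $op = is_string($input['op'] ?? null) ? $input['op'] : '';
    if (!in_array($op, OPERATIONS, true)) {
        return ['error' => 'Unknown operation.'];
    }

    // FILTER_VALIDATE_FLOAT returns false for '', 'abc', arrays and missing fields,
    // so every other kind of client input is rejected here.
    $a = filter_var($input['a'] ?? null, FILTER_VALIDATE_FLOAT);
    $b = filter_var($input['b'] ?? null, FILTER_VALIDATE_FLOAT);
    if ($a === false || $b === false) {
        return ['error' => 'Both operands must be numbers.'];
    }

    switch ($op) {
        case '+': $result = $a + $b; break;
        case '-': $result = $a - $b; break;
        case '*': $result = $a * $b; break;
        case '/':
            if ($b == 0.0) { return ['error' => 'Division by zero.']; }
            $result = $a / $b;
            break;
        case '%':
            // PHP's % casts both operands to int; fmod() keeps the float semantics.
            if ($b == 0.0) { return ['error' => 'Modulo by zero.']; }
            $result = fmod($a, $b);
            break;
        default: // '**'
            if ($a == 0.0 && $b < 0) { return ['error' => 'Zero cannot be raised to a negative power.']; }
            $result = $a ** $b;
    }

    // Overflow (e.g. 10 ** 400) gives INF, a negative base with a fractional exponent gives NAN.
    if (!is_finite($result)) {
        return ['error' => 'Result is out of range.'];
    }
    return ['result' => $result];
}

function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$message = '';
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    $r = calculate($_POST);
    $message = isset($r['error']) ? 'Error: ' . $r['error'] : 'Result: ' . $r['result'];
}
?>
<!DOCTYPE html>
<html>
<body>
<!-- action="" submits to the current URL, so PHP_SELF is not needed at all. -->
<form method="post" action="">
    <input type="text" name="a">
    <?php foreach (OPERATIONS as $op): ?>
        <label><input type="radio" name="op" value="<?= e($op) ?>"> <?= e($op) ?></label>
    <?php endforeach; ?>
    <input type="text" name="b">
    <input type="submit" value="=">
</form>
<p><?= e($message) ?></p>
</body>
</html>
```

Because calculate() takes a plain array and returns a plain array, it can be exercised from the command line without a web server: `php -r 'require "calc.php";'` is awkward because of the HTML, but copying the function into a test script and calling calculate(['a' => '7', 'op' => '/', 'b' => '0']) shows the division-by-zero branch directly. The answers to "what could go wrong?" are exactly the early returns: a missing or unknown operator, a non-numeric operand, division or modulo by zero, and a result that is not a finite number.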