PHP Basic Form Handling Tutorial
In this tutorial we learn about basic form handling in PHP with the superglobals $_GET and $_POST, which are used to collect form data.
We also cover when to use get, and when to use post.
What is form handling?
PHP provides us with easy ways to collect and process data coming from HTML forms.
As an example, let’s consider an application that collects a user’s name and email address.
<html>
<body>
<form method="get" action="process.php">
<p>
<label for="username">Name*</label><br>
<input type="text" name="username">
</p>
<p>
<label for="email">Email*</label><br>
<input type="email" name="email">
</p>
<p><button>Submit</button></p>
</form>
The example above will send the name and email address that the user enters to the process.php page to be processed. On that page we can store it in a persistent storage system, like a database or a physical csv file.
Create a new file in your PHPProjects directory, called process.php . It can be empty for the moment.
Now that the action page exists, we can submit data through the form. Open the page with the form in your browser, fill the fields with some test data and submit it.
When we submit the form with data, we’re redirected to the process.php page. The page is blank at the moment but consider the URL in the address bar, specifically everything after the ? symbol.
http://localhost/PHPProjects/process.php?username=Test&email=test%40testmail.com
Everything after ? is the data we send through the form to the processing page. It shows the field name and the value that was entered.
note The data is only visible in the url when the form’s method="get" . When the method="post" the data is not visible.
How to $_GET form data
To get data that’s sent from a form, PHP provides us with the $_GET superglobal.
The $_GET superglobal works like an associative array. The field name in the form is the key in the superglobal.
// Form page
<form method="get">
<input name="fieldname">
</form>
// Process page
$_GET["fieldname"];
As an example, let’s use the form we built earlier and $_GET the data from the username field. To help the demonstration, let’s also echo the data to the page.
<?php
echo "Welcome " . $_GET["username"];
?>
When the form is submitted, the data is sent through the url to the process.php page. At this point, the data is available to the page, but we don’t have access to it yet.
To get access, we pull the data from the URL with the $_GET superglobal. Once we have the data, we can do what we need to with it, like echo it out to the page.
How to $_POST form data
Sensitive form data, such as a password, should not be sent with the get method. We should instead use method="post" , as the data that’s sent is invisible.
<html>
<body>
<form method="post" action="process.php">
<p>
<label for="username">Name*</label><br>
<input type="text" name="username">
</p>
<p>
<label for="email">Email*</label><br>
<input type="email" name="email">
</p>
<p><button>Submit</button></p>
</form>
If you submit the form with test data, the data won’t show in the URL bar.
Accessing post data is the same as accessing get data, except we use the $_POST superglobal.
To demonstrate, let’s change our $_GET request on the username from earlier to a $_POST request.
<?php
echo "Welcome " . $_POST["username"];
?>
Everything works the same as it did before, but now it’s safer because the user can’t see the data in the URL bar.
$_GET vs $_POST. When to use which
It really depends on the situation and the type of data.
- $_GET is an array, passed to the action script via URL parameters.
- $_POST is also an array, but passed to the action script via the HTTP POST method.
They are both superglobals, which means they are accessible in any scope, and we can access them from any file, class or function.
- GET is used to send non-sensitive data, such as a search term.
- POST is used to send sensitive, or potentially sensitive data, such as email addresses and passwords.
Get and Post also have their own advantages, and disadvantages.
- GET has a limit of 2000 characters that can be sent. It also allows us to bookmark the action page.
- POST has no character limits and supports advanced functionality. Because the data is not in the url, an action page that receives data via post cannot be bookmarked with that specific data.
Data should be securely validated in any form. That is why most developers prefer to use POST for all their forms.
How to submit a form to its own page
Instead of jumping to a different page, we can submit the form to the page the it’s on by using the $_SERVER["PHP_SELF"] superglobal.
<html>
<body>
<form method="post" action="<?php echo $_SERVER["PHP_SELF"]; ?>">
<p>
<label for="username">Name*</label><br>
<input type="text" name="username">
</p>
<p>
<label for="email">Email*</label><br>
<input type="email" name="email">
</p>
<p><button>Submit</button></p>
</form>
The interpreter will echo the filename of the current PHP page in the action attribute. So the current page will become the action page.
note The superglobal can be used by attackers to exploit your application by injecting malicious code. However, we can make the code safer if we convert any special characters in the superglobal to HTML entities.
PHP allows us to do this easily with the built-in htmlspecialchars() method. The method will perform the following conversions.
& (ampersand) converts to &
" (double quote) converts to "
' (single quote) converts to '
< (less than) converts to <
> (greater than) converts to >
To use it, all we have to do is pass the $_SERVER["PHP_SELF"] superglobal to htmlspecialchars() as an argument.
<html>
<body>
<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>">
<p>
<label for="username">Name*</label><br>
<input type="text" name="username">
</p>
<p>
<label for="email">Email*</label><br>
<input type="email" name="email">
</p>
<p><button>Submit</button></p>
</form>
You may have seen URLs with these “safe” characters before.
Summary: Points to remember
- Form handling is done with the $_GET[] and $_POST[] superglobal arrays.
- GET is used for non-sensitive data, such as a search term.
- POST is used for sensitive data, such as email addresses and passwords.
- GET data can be seen in the URL, POST data not.
- We can submit a page to itself with
$_SERVER["PHP_SELF"]
.
- The URL should be encoded with the built-in htmlspecialchars() method to avoid exploitation.