The following code is all that is needed to explain handling user input with PHP. Save the code in a file called input.php:
<?php
//Handle Input here
//Check if $submit has a value of "Go" - The Validator
if ($submit == "Go") {
//The Processor
echo("You wrote ".$you_wrote);
echo("<br>You could have done whatever you want
with the input instead");
exit;
}
?>
<!-- The Frontend HTML form -->
<form action="<?php echo($PHP_SELF) ?>" method="POST" >
<p>Input a word <input type="text" size="20" name="you_wrote">
<input type="submit" name="submit" value="Go"></p>
</form>
The above script not only does the job of getting input from the user, it also checks if some input was provided and processes the input. This scheme of keeping front-end, validator, and processor part of code in a single script helps to keep code more manageable and clean. The output looks like this:
A major part of web-related programming, is building forms. Forms are a means of acquiring input from your users. A form can be one simple input box on a search engine front-end or a multi-page questionnaire, and PHP can be used to control the online forms.
HTML forms are the most common front-ends for PHP programs. This is a minimalist declaration of the <form> tag:
<form action="<?php echo($PHP_SELF) ?>" method="POST">
This declaration has two attributes:
Action
Method
The Action attribute tells the server which page (or script) will receive the data from the form. For example, there are two ways to call the file in which the form is defined when the user submits the form. First, by putting the file name input.php as the value of the action attribute, or second, by echo(ing) the value of $PHP_SELF in the action attribute.
$PHP_SELF is a built-in variable which always holds the name (and path if needed) of the page that is being shown. So the line:
<form action="<?php echo($PHP_SELF) ?>" method="POST">
appears as:
<form action="/ProPHP4/Chapter07/input.php" method="POST">
to the web browser. Of course, this will be seen only when we view the source of the HTML page. Using $PHP_SELF ensures ease of maintainability as the code doesn't change when the location of the file does.
This attribute determines the way information from the form is sent to the server. The two most commonly used methods are GET and POST. There are several other rarely used methods.
The GET method places the user's information into the URL. The browser simply adds a question mark at the end of URL being called by the action of the form and appends the information as name/value pairs. This addendum to the URL is known as the query string.
Additional name/value pairs are included by appending them after a "&". Try this URL: http://localhost/ProPHP4/Chapter07/input.php?you_wrote=testing+this+script&submit=Go:
The input was testing this script. What happened here is known as URL encoding. Some characters cannot appear in URLs (space being one of them) and have to be converted to something acceptable (in case of space it is replaced by "+"). Thankfully, developers need not worry about how it is done because the web browser takes care of it all. Also there are several handy URL related functions in PHP to take care of encoding and decoding whenever we need to do so (see Chapter 24).
Normally, the GET method is used in an HTML form which asks for a username and password. The URL which the form displays as the result of its action will show the secret username and password. This may sound like an obvious "Not to be done" thing, but in fact, the earliest cracks at one of the world's largest web mail sites involved this approach.
The solution is the POST method. Here the information is transmitted in the body of the HTTP request and not as a supplement to the URL. Theoretically POST also allows an infinite amount of information to be sent as compared to GET, which is limited to the length that a particular browser will allow as the URL. That is, the GET method sends all information as part of the URL while the POST method transmits the information invisibly to the user.
Thus, it is best to use POST to transfer sensitive information, and use GET when the page generated by the form should be bookmarked by end users, for example, search results. Also, sessions which are propagated using the GET method can be problematic. See Chapter 8 for more details on this.