PHP Forms
Introduction
The genius of PHP is its seamless integration of form variables into your programs. It makes web programming smooth and simple, speeding the cycle from web form to PHP code to HTML output.
With that convenience, however, comes the responsibility to make sure that the user-provided information that flows so easily into your program contains appropriate content. External input can never be trusted, so it is imperative always to validate all incoming data. We show how to validate common kinds of information and give general guidelines for any other form validation you might need to do. We also discuss escaping HTML entities so that user-entered data can be displayed safely, and cover how to process files uploaded by a user.
HTTP is a "stateless" protocol: it has no built-in mechanism for saving information from one page so that you can access it in other pages. We show ways to work around the fundamental problem of figuring out which user is making which requests to your web server.
Whenever PHP processes a page, it checks for URL and form variables, uploaded files, applicable cookies, and web server and environment variables. These are then directly accessible in the following arrays: $_GET, $_POST, $_FILES, $_COOKIE, $_SERVER, and $_ENV. They hold, respectively, all variables set in the query string, in the body of a post request, by uploaded files, by cookies, by the web server, and by the environment in which the web server is running. There’s also $_REQUEST, which is one giant array that contains the values from the other six arrays.
When placing elements inside of $_REQUEST, if two arrays both have a key with the same name, PHP breaks the tie by relying on the variables_order configuration directive. By default, variables_order is EGPCS (or GPCS, if you’re using the php.ini-recommended configuration file). So PHP first adds environment variables to $_REQUEST and then adds query string, post, cookie, and web server variables to the array, in this order. For instance, since C comes after P in the default order, a cookie named username overwrites a posted variable named username. Note that the GPCS value from php.ini-recommended means that the $_ENV array doesn’t get populated with environment variables.
While $_REQUEST can be convenient, it’s usually a better idea to look in the more detailed array directly. That way, you know exactly what you’re getting and don’t have to be concerned that a change in variables_order affects the behavior of your program.
All of these arrays are auto-global. That means they are global inside of a function or class: they are always in scope.
Versions of PHP prior to 5.4.0 had a configuration directive named register_globals. If this was set to on, all these variables are also available as variables in the global namespace. So $_GET['password'] is also just $password. While convenient, this introduces major security problems because malicious users can easily set variables from the outside and overwrite trusted internal variables. If you’re using an older version of PHP, make sure this is set to off in your configuration.
Example Basic HTML form
<form action="hello.php" method="post">
<p>What is your first name?</p>
<input type="text" name="first_name" />
<input type="submit" value="Say Hello" />
</form>
The name of the text input element inside the form is first_name. Also, the method of the form is post. This means that when the form is submitted, $_POST['first_name'] will hold whatever string the user typed in. (It could also be empty, of course, if he didn’t type anything.)
Example Basic PHP form processing
<?php
// Deliberately minimal: no validation and no output escaping (see below).
echo 'Hello, ' . $_POST['first_name'] . '!';
Prints:
Hello, Twinkle!
This example is so basic that it omits two important steps that should be in all PHP form processing applications: data validation (to make sure what is typed into the form is acceptable to your program) and output escaping (to make sure that malicious users cannot use your website to attack others). Data validation and output escaping are each covered separately.
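As an added example that is not part of the original post, here is a hardened version of hello.php that adds both missing steps. It reads from $_POST directly rather than $_REQUEST, so a cookie named first_name cannot overwrite the posted value; the validation rule (letters, spaces, apostrophes and hyphens, at most 50 characters) is an assumed policy, not one the page states.

```php
<?php
// Added example, not the original post's code. Hardened hello.php:
// read $_POST directly (not $_REQUEST, where a cookie named first_name
// would win because C comes after P in variables_order), validate the
// input, and escape at output time.
declare(strict_types=1);

function validate_first_name(?string $raw): ?string
{
    if ($raw === null) {
        return null;                      // field missing from the request
    }
    $name = trim($raw);
    // Assumed policy: 1..50 characters of letters (any script), combining
    // marks, spaces, apostrophes and hyphens. \z rejects a trailing newline.
    if ($name === '' || mb_strlen($name, 'UTF-8') > 50) {
        return null;
    }
    if (!preg_match('/^[\p{L}\p{M}\' -]+\z/u', $name)) {
        return null;
    }
    return $name;
}

function escape_html(string $text): string
{
    // ENT_QUOTES escapes both ' and "; ENT_SUBSTITUTE replaces invalid
    // UTF-8 instead of returning an empty string. Charset must match the page.
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Only accept the form's own method; GET requests carry no form body here.
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
    http_response_code(405);
    exit('Use the form to submit your name.');
}

$first_name = validate_first_name($_POST['first_name'] ?? null);
if ($first_name === null) {
    http_response_code(400);
    exit('Please enter a name of 1 to 50 letters.');   // static text, safe
}

// Store the raw validated value; escape only when emitting HTML.
echo 'Hello, ' . escape_html($first_name) . '!';
```

A name such as O'Brien is accepted and printed as Hello, O&#039;Brien!, while a value like &lt;script&gt; is rejected by the validator before it ever reaches the output stage.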