Php forms
Download as PPT, PDF5 likes6,459 views
The document discusses PHP forms and includes the following key points: 1. Forms can submit data via GET and POST methods, with GET appending data to the URL and POST transmitting data hiddenly. Both methods store data in superglobal arrays ($_GET and $_POST). 2. Form validation ensures required fields are filled and data meets specified criteria. Common validations check for required fields, valid email addresses, URLs, and more. 3. HTML form elements like text fields, textareas, radio buttons, drop-downs are used to collect user input. PHP processes submitted data and can validate required fields are not empty.
![*Property of STI K0032
Form Element
ο The HTML code of the form element:
ο when the form is submitted, the form data is sent with
method=βpostβ
ο So, the $_SERVER["PHP_SELF"] sends the submitted
forms data to the page itself, instead of jumping to a
different page](https://image.slidesharecdn.com/phpforms-150817173232-lva1-app6891/85/Php-forms-16-320.jpg)
![*Property of STI K0032
Form Element
ο The $_SERVER["PHP_SELF"] is a super global
variable that returns the filename of the currently
executing script
ο Htmlspecialchars() function converts special
characters to HTML entities
ο Cross-site scripting (XSS) is a type of computer
security vulnerability typically found inWeb
application](https://image.slidesharecdn.com/phpforms-150817173232-lva1-app6891/85/Php-forms-17-320.jpg)
![*Property of STI K0032
how to avoid $_SERVER[βPHP_SELFβ] exploit?
ο The $_SERVER[βPHP_SELFβ] exploit can be
avoided using the htmlspecialchars()
function
ο if the user tries to exploit the PHP_SELF
variable, it will result:](https://image.slidesharecdn.com/phpforms-150817173232-lva1-app6891/85/Php-forms-21-320.jpg)
Php forms
- 1. PHP Forms ο± GET and POST Method ο± Form Validation ο± Form Required Fields
- 2. *Property of STI K0032 GET and POST Method ο A form data can be submitted using POST and GET method ο Both are used for same purpose but stand apart for some specifications ο GET and POST create an array which holds key/value pairs, where keys are the name of the form controls and values are the input data by the user
- 3. *Property of STI K0032 GET and POST Method ο Both GET and POST method are treated as $_GET and $_POST in PHP ο These methods are superglobals, which means that they are always accessible, and they can be accessed using any function, class or file ο The $_GET method is an associative array of variables passed to the current script via the URL parameters
- 4. *Property of STI K0032 GET and POST Method ο The $_POST method is an array of variables passed to the current script via the HTTP POST method ο In this method the information is transferred in a hidden manner ο A form that submits information is appended to the URL in the form of Query String which consists of name = value pairs in URL known as URL Encoding
- 5. *Property of STI K0032 GET and POST Method ο This string contains user values/data, which are joined using equal (=) signs, separated by ampersand (&), and spaces are removed and replaced with plus (+) sign Name1=value1&name2=value2&name3=value3
- 6. *Property of STI K0032 Get Method ο http:/.www.example.com/index.html? name=mel@email.com&contact=09176543210 ο The code below is a client-side HTML form using method=βgetβ for user to fill the information
- 7. *Property of STI K0032 Get Method ο The code below is the server-side PHP script where, $_GET associative array is used to receive sent information from server end
- 8. *Property of STI K0032 Post Method <form action="#" method="post"> .... </form> Below is a server-side PHP script where $_POST associative array is used to receive sent information at server end
- 9. *Property of STI K0032 Form validation
- 10. *Property of STI K0032 Form validation The form shown in Figure 6.1 consists of the following elements: ο Name (required field - must contain letters and whitespaces) ο E-mail (required field - must contain valid email address) ο Website (optional field - if present, must contain valid website URL) ο Comments (optional field - a multi-line text field) ο Gender (required field - must select a radio button )
- 11. *Property of STI K0032 Form Elements ο The Name, E-mail, Website are input elements ο Input elements, in particular, used text and submit values for its types attribute in order to create text fields and buttons ο The HTML code:
- 12. *Property of STI K0032 Form Elements ο Radio button shows several options to the users from which the user may select one ο HTML Code:
- 13. *Property of STI K0032 Form Elements ο The text area is typically a large text field with multiple rows ο The textarea element has three attributes β name, rows, and cols attribute ο HTML code:
- 14. *Property of STI K0032 Form Elements ο list element offers options from which the user might choose. A list can be created using the select element, within which is nested option elements for each option to appear ο The select element has a name attribute giving the name for the browser to use when identifying the selection when the form is submitted ο The option element has a value attribute for specifying what value to send when that option is selected, and it has a select attribute which allows the HTML to specify which option is initially selected. The code
- 15. *Property of STI K0032 Form Elements ο HTML Code:
- 16. *Property of STI K0032 Form Element ο The HTML code of the form element: ο when the form is submitted, the form data is sent with method=βpostβ ο So, the $_SERVER["PHP_SELF"] sends the submitted forms data to the page itself, instead of jumping to a different page
- 17. *Property of STI K0032 Form Element ο The $_SERVER["PHP_SELF"] is a super global variable that returns the filename of the currently executing script ο Htmlspecialchars() function converts special characters to HTML entities ο Cross-site scripting (XSS) is a type of computer security vulnerability typically found inWeb application
- 18. *Property of STI K0032 Form Element ο Example: test_form.php ο if a user enters the normal URL in the address bar like "http://www.example.com/test_form.php", the above code will be translated to:
- 19. *Property of STI K0032 Form Element ο consider that if a user enters the following URL in the address bar: http://www.example.com/test_form.php/%22%3E %3Cscript%3Ealert('hacked')%3C/script%3E ο will be translated to:
- 20. *Property of STI K0032 Form Element be aware that any JavaScript code can be added inside the <script> tag A hacker can redirect the user to a file on another server, and that file can hold malicious code that can alter the global variables or submit the form to another address to save the userβs data
- 21. *Property of STI K0032 how to avoid $_SERVER[βPHP_SELFβ] exploit? ο The $_SERVER[βPHP_SELFβ] exploit can be avoided using the htmlspecialchars() function ο if the user tries to exploit the PHP_SELF variable, it will result:
- 22. *Property of STI K0032 Validate Form Data with PHP ο The very first thing to do to validate form data with PHP is to pass all variables through PHPβs htmlspecialchars() function ο For example: ο With htmlspecialchars() function it would not be executed, because it would be saved as HTML escaped code like this:
- 23. *Property of STI K0032 ο test_input()
- 24. *Property of STI K0032 Form Required Fields ο In the previous slide, all input fields were optional, meaning no required fields to be filled in by the user ο Here is a simple PHP script that checks the name for empty input and throws an error message if the input is empty:
- 25. *Property of STI K0032 Form Required Fields To display the error message in the HTML form (this will be generated if the user tries to submit the form without filling in the required fields) use the code below: