Chapter 6. Making Web Forms

Form processing is an essential component of almost any web application. Forms are how users communicate with your server: signing up for a new account, searching a forum for all the posts about a particular subject, retrieving a lost password, finding a nearby restaurant or shoemaker, or buying a book.

Using a form in a PHP program is a two-step activity. Step one is to display the form. This involves constructing HTML that has tags for the appropriate user-interface elements in it, such as text boxes, checkboxes, and buttons. If you're not familiar with the HTML required to create forms, the "Forms" chapter in HTML & XHTML: The Definitive Guide, by Chuck Musciano and Bill Kennedy (O'Reilly) is a good place to start. When a user sees a page with a form in it, she inputs the information into the form and then clicks a button or hits Enter to send the form information back to your server. Processing that submitted form information is step two of the operation.

Example 6-1 is a page that says "Hello" to a user. If a name is submitted, then the page displays a greeting. If a name is not submitted, then the page displays a form with which a user can submit her name.

Example 6-1. Saying "Hello"

```php
<?php
// If a my_name parameter was submitted, greet the user...
if (array_key_exists('my_name', $_POST)) {
    print "Hello, " . $_POST['my_name'];
} else {
    // ...otherwise print a form that posts back to this same page
    print <<<_HTML_
<form method="post" action="$_SERVER[PHP_SELF]">
Your name: <input type="text" name="my_name">
<br/>
<input type="submit" value="Say Hello">
</form>
_HTML_;
}
?>
```

Remember the client and server communication picture from Chapter 1? Figure 6-1 shows the client and server communication necessary to display and process the form in Example 6-1. The first request and response pair causes the browser to display the form. In the second request and response pair, the server processes the submitted form data and the browser displays the results.

Figure 6-1. Displaying and processing a simple form

The response to the first request is some HTML for a form.
Figure 6-2 shows what the browser displays when it receives that response.

Figure 6-2. A simple form

The response to the second request is the result of processing the submitted form data. Figure 6-3 shows the output when the form is submitted with Susannah typed in the text box.

Figure 6-3. The form, submitted

The pattern in Example 6-1 of "if form data has been submitted, process it; otherwise, print out a form" is common in PHP programs. When you're building a basic form, putting the code to display the form and the code to process the form in the same page makes it easier to keep the form and its associated logic in sync. The form submission is sent back to the same URL that was used to request the form in the first place. This is because of the special variable that is the value of the action attribute in the <form> tag: $_SERVER[PHP_SELF]. The $_SERVER auto-global array holds a variety of information about your server and the current request the PHP interpreter is processing. The PHP_SELF element of $_SERVER holds the pathname part of the current request's URL. For example, if a PHP script is accessed at http://www.example.com/store/catalog.php, $_SERVER['PHP_SELF'] is /store/catalog.php[1] in that page.
The $_POST array is an auto-global variable that holds submitted form data. The keys in $_POST are the form element names, and the corresponding values in $_POST are the values of the form elements. Typing your name into the text box in Example 6-1 and clicking the submit button makes the value of $_POST['my_name'] whatever you typed into the text box, because the name attribute of the text box is my_name. So, testing whether there is a key called my_name in the $_POST array tests to see whether a form parameter called my_name has been submitted. Even if the my_name text box has been left blank, array_key_exists( ) returns true and the greeting is printed.

The structure of Example 6-1 is the kernel of the form processing material in this chapter. However, it has a flaw: printing unmodified external input—as print "Hello, " . $_POST['my_name']; does with the value of the my_name form parameter—is dangerous. Data that comes from outside of your program, such as a submitted form parameter, can contain embedded HTML or JavaScript. Section 6.4.6, later in this chapter, explains how to make your program safer by cleaning up external input.

The rest of this chapter provides details about the various aspects of form handling. Section 6.2 dives into the specifics of handling different kinds of form input, such as form parameters that can submit multiple values. Section 6.3 lays out a flexible, function-based structure for working with forms that simplifies some form maintenance tasks. This function-based structure also lets you check the submitted form data to make sure it doesn't contain anything unexpected. Section 6.4 explains the different ways you can check submitted form data. Section 6.5 demonstrates how to supply default values for form elements and preserve user-entered values when you redisplay a form.
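A hardened version of Example 6-1, added here as an illustration rather than taken from the book: the same display-or-process logic, with htmlspecialchars() applied to the submitted name (and to PHP_SELF, which also comes from the request) before either is placed in the page. The greeting_page() helper and the request arrays are constructed for this example.

```php
<?php
// Added example, not the book's code: the display-or-process pattern of
// Example 6-1 with the submitted name HTML-escaped before it is printed.
// greeting_page() is a hypothetical helper; it takes the $_POST and $_SERVER
// arrays as parameters so both branches can be exercised with constructed input.

function greeting_page(array $post, array $server): string
{
    // Same test as Example 6-1: was a my_name parameter submitted at all?
    // array_key_exists() is true even when the text box was left blank.
    if (array_key_exists('my_name', $post)) {
        // htmlspecialchars() turns <, >, &, " and ' into entities, so any
        // HTML or JavaScript typed into the text box is displayed as text
        // rather than interpreted by the browser.
        $safe_name = htmlspecialchars($post['my_name'], ENT_QUOTES, 'UTF-8');
        return "Hello, " . $safe_name;
    }

    // PHP_SELF is derived from the request URL, so it is escaped too
    // before being placed inside the action attribute.
    $action = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return <<<_HTML_
<form method="post" action="$action">
Your name: <input type="text" name="my_name">
<br/>
<input type="submit" value="Say Hello">
</form>
_HTML_;
}

// Constructed request data standing in for $_POST and $_SERVER.
$server = ['PHP_SELF' => '/hello.php'];

// First request: nothing submitted, so the form is returned.
print greeting_page([], $server) . "\n";

// Second request: a plain name is greeted as in Figure 6-3.
print greeting_page(['my_name' => 'Susannah'], $server) . "\n";

// A name containing markup is returned with its tags encoded as entities,
// so the browser shows the tags as text instead of rendering them.
print greeting_page(['my_name' => '<b>Susannah</b>'], $server) . "\n";
```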
Finally, Section 6.6 shows a complete form that incorporates everything in the chapter: function-based organization, validation and display of error messages, defaults and preserving user input, and processing submitted data.