Web2 Lec4

The document covers PHP form handling, detailing the use of GET and POST methods for form data submission, including their differences and appropriate use cases. It emphasizes the importance of form validation to protect against malicious input and introduces PHP superglobal variables such as $_GET, $_POST, and $_SERVER. Additionally, it discusses the htmlspecialchars() function for escaping user input to prevent cross-site scripting attacks.


WEB TECHNOLOGIES 2

Forms & Global Variables


Lec 4

Mohammed Sultan
Outlines
• PHP Form Handling
• GET vs POST
• Form validation
• Global variables

PHP form processing
• To create a form, you use the <form> element as follows:
– <form action="[Link]" method="post"></form>

• The <form> element has two important attributes:
– action: specifies the URL that processes the form submission. In this example, [Link] will process the form.
– method: specifies the HTTP method for submitting the form. The most commonly used form methods are POST and GET. In this example, the form method is post.

PHP form processing
• The form method is case-insensitive, so you can write either post or get. If you don't specify the method attribute, the form element uses the get method by default.

• Typically, a form has one or more input elements, and an input element has three important attributes: name, type, and value. The name attribute is used to access the value in PHP.

Form Handling
• PHP uses $_GET and $_POST superglobals to collect
form-data.
<html>
<body>
<form action="[Link]" method="post">
Name: <input type="text" name="name"><br>
E-mail: <input type="text" name="email"><br>
<input type="submit">
</form>
</body>
</html>
Form Handling
• The data is sent by either the get or post method for processing, and action determines the file that will process the data.
– Ex:
• Method is post
• Processing file is [Link]
• The PHP file should look like this (the values are echoed without escaping here; validation is covered below):
<?php echo $_POST["name"]; ?><br>
Your email address is: <?php echo $_POST["email"]; ?>
<form action="[Link]" method="post">
<div>
<label for="email">Email:</label>
<input type="email" id="email" name="email" />
</div>
<button type="submit">Submit</button>
</form>

Send to [Link] for processing

<?php
if (isset($_POST['email'])) {
var_dump($_POST['email']);
}
HTTP POST method
• If a form uses the POST method, the web browser includes the form data in the body of the HTTP request. After the form is submitted, you can access the form data via the associative array $_POST in PHP.

• If the form doesn't have an input (e.g. email), $_POST won't have any element with the key 'email'.
– To check whether the form data contains the email, use isset().

Post
• POST method information is invisible to others.

• POST has no limits on the amount of information to send.

• With POST, it is not possible to bookmark the page,
– because the variables are not displayed in the URL.

Note: Developers prefer POST for sending form data.

HTTP GET method
• When you submit a form using the GET method, you can access the form data in PHP via the associative array $_GET.

• Unlike the POST method, the GET method appends the form data to the URL that processes the form.

• When you enter the email hello@[Link] into a form whose action is a URL such as [Link], the result is:
– [Link]

HTTP GET method
• If the form has multiple input elements, the
web browser will append the form inputs to
the URL in the following format:
– [Link]
name1=value1&name2=value2&name3=value3

Get
• GET method information is visible to everyone.
– All variable names and values are displayed in the URL.
• GET has limits on the amount of information to send.
– The limitation is about 2000 characters.

• With GET, it is possible to bookmark the page.

• GET may be used for sending non-sensitive data.

Note: Never use GET for sending sensitive information, e.g. passwords.
Get vs Post
• Both GET and POST create an array.
– e.g. array( key1 => value1, key2 => value2, key3 => value3, ... )

• The GET and POST data are available as $_GET and $_POST.

• Both $_GET and $_POST are superglobals:
– which means that they are always accessible, regardless of scope, and you can access them from any function, class or file without having to do anything special.

• $_GET is an array of variables passed to the current script via the URL parameters.

• $_POST is an array of variables passed to the current script via the HTTP POST method.
HTTP GET or POST
• In general, you should use the GET method when the form only retrieves data from the server. For example, a search form that allows users to search for information should use the GET method.

• When you have a form that causes a change on the server, you should use the POST method. For example, a form that allows users to subscribe to a newsletter should use the POST method.

• Note that both the $_POST and $_GET arrays are superglobal variables. It means that you can access them anywhere in the script.

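As an added example (not part of the lecture slides), the following PHP script applies the rule above by dispatching on the request method: a search is served only from $_GET and a subscription is accepted only from $_POST. It takes the method and the two superglobal arrays as parameters and feeds them constructed requests, so it runs from the command line without a web server.

```php
<?php
// Added example (not from the lecture): route a request by HTTP method.
// GET only reads data, POST only changes server state. The handler receives
// the method and the two superglobals as parameters so it can be exercised
// from the CLI with constructed input instead of a real browser request.
declare(strict_types=1);

function handle_request(string $method, array $get, array $post): array {
    // Returns [status, body]; a real script would send them with
    // http_response_code() and echo.
    switch ($method) {
        case 'GET':
            // A search form retrieves data, so its parameter belongs in the URL ($_GET).
            if (!isset($get['q']) || $get['q'] === '') {
                return [400, 'Missing search term'];
            }
            // Escape before echoing the term back into the page.
            $q = htmlspecialchars($get['q'], ENT_QUOTES, 'UTF-8');
            return [200, "Results for: $q"];
        case 'POST':
            // Subscribing changes server state, so the data must come in the body ($_POST).
            if (!isset($post['email'])) {
                return [400, 'Email is required'];
            }
            // The state change (e.g. storing the subscriber) would happen here.
            $email = htmlspecialchars($post['email'], ENT_QUOTES, 'UTF-8');
            return [200, "Subscribed $email"];
        default:
            return [405, 'Method not allowed'];
    }
}

// Constructed requests standing in for a browser.
$cases = [
    ['GET',  ['q' => 'php forms'], []],
    ['GET',  ['email' => 'a@example.com'], []],  // subscription attempted via the URL: refused
    ['POST', [], ['email' => 'a@example.com']],
    ['POST', ['email' => 'a@example.com'], []],  // query-string data in a POST is not read
    ['PUT',  [], []],
];
foreach ($cases as [$method, $get, $post]) {
    [$status, $body] = handle_request($method, $get, $post);
    echo "$method -> $status $body\n";
}
```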
Form Handling
• The most important thing is still missing: validation.

• Validation protects your script from malicious code.

• Security is a very important concern.

Form Validation
• Form validation is important to protect your form from hackers and spammers.

• The [Link] page directly displays the form data. If malicious hackers intentionally enter bad data, the page won't work properly.

• For example, suppose the following JavaScript code is entered in the name field and the form is submitted:
– <script>alert('Hello');</script>
Form Validation

• Imagine that the script doesn't just show an alert but loads malicious code from another server into the user's web browser; the risk is then much higher. This type of attack is called a cross-site scripting (XSS) attack.

Form Validation
• Before displaying user input on a webpage, you should always escape the data.
– htmlspecialchars()

if (isset($_POST['name'], $_POST['email'])) {
  $name = htmlspecialchars($_POST['name']);
  $email = htmlspecialchars($_POST['email']);
  echo "Thanks $name for your subscription.<br>";
  echo "Please confirm the email $email.";
} else {
  echo 'You need to provide your name and email address.';
}
URL encoding

htmlspecialchars()
• The htmlspecialchars() function converts special characters to HTML entities.

• This means that it replaces HTML characters like < and > with &lt; and &gt;. This prevents attackers from exploiting the code by injecting HTML or JavaScript code (cross-site scripting attacks) through forms.

htmlspecialchars()
• [Link]3E%3Cscript%3Ealert('hacked')%3C/script%3E
• When the server decodes this URL and echoes the path unescaped (e.g. $_SERVER['PHP_SELF'] used in a form's action attribute), the page contains:
• <script>alert('hacked')</script>

• With the htmlspecialchars() function, the same input is rendered as harmless text:
• <form method="post" action="test_form.php/&quot;&gt;&lt;script&gt;alert('hacked')&lt;/script&gt;">

Validate E-mail
• The easiest and safest way to check whether an email address is well-formed is to use PHP's filter_var() function.

$email = test_input($_POST["email"]);
if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
  $emailErr = "Invalid email format";
}

• Or by using a regular expression (test_input() is a helper not defined on these slides; it is assumed to trim and sanitise the raw value):

$name = test_input($_POST["name"]);
// The closing $ anchor is required so the whole name is checked, not only its first character
if (!preg_match("/^[a-zA-Z-' ]*$/", $name)) {
  $nameErr = "Only letters and white space allowed";
}
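The following added example (not code from the lecture) ties together the htmlspecialchars() slides and the validation slide above: it validates both fields with filter_var() and an anchored regular expression, then escapes every value, including values echoed back in error messages, before it reaches HTML. clean_input() is an assumed stand-in for the slides' undefined test_input(), and the submissions are constructed so the script runs from the CLI.

```php
<?php
// Added example (not from the lecture): validate both fields with filter_var() and an
// anchored regex, then escape every value before it is placed in HTML.
// clean_input() is an assumed stand-in for the slides' undefined test_input(); the
// submissions below are constructed so the script runs from the CLI.
declare(strict_types=1);

function clean_input(string $data): string {
    return trim(stripslashes($data));
}

function h(string $s): string {
    // ENT_QUOTES escapes both quote styles, so the result is also safe inside attribute values.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function validate_form(array $input): array {
    $name  = clean_input($input['name'] ?? '');
    $email = clean_input($input['email'] ?? '');
    $errors = [];
    // The closing $ anchor makes the whole name match, not only its first character.
    if (!preg_match("/^[a-zA-Z' -]+$/", $name)) {
        $errors['name'] = 'Only letters and white space allowed';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Invalid email format';
    }
    return [$name, $email, $errors];
}

// Constructed submissions: one benign, one carrying the script payload from the slides.
$submissions = [
    ['name' => 'Ada Lovelace', 'email' => 'ada@example.com'],
    ['name' => "<script>alert('Hello');</script>", 'email' => 'x@'],
];
foreach ($submissions as $post) {
    [$name, $email, $errors] = validate_form($post);
    if ($errors === []) {
        echo 'Thanks ' . h($name) . " for your subscription.<br>\n";
        echo 'Please confirm the email ' . h($email) . ".\n";
    } else {
        // Error messages that echo the rejected value back must be escaped too.
        foreach ($errors as $field => $msg) {
            echo "$field: $msg (you entered: " . h($post[$field]) . ")\n";
        }
    }
}
```

The second submission is rejected by both checks, and its script tag appears in the error output only as escaped entities.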
PHP superglobal variables
GLOBAL VARIABLES

Global variables
• $GLOBALS is an array that contains all global variables.

• Superglobals were introduced in PHP 4.1.0 and are built-in variables that are always available in all scopes.

• This simply means that they are available in all scopes throughout a script.

• There is no need to write global $variable; to access them within functions or methods.
Global variables
• The PHP superglobal variables are:
– $_POST
– $_GET
– $GLOBALS
– $_SERVER
– $_REQUEST
– $_COOKIE
– $_SESSION

$GLOBALS
• $GLOBALS is a PHP superglobal variable which is used to access global variables from anywhere in the PHP script.

• PHP stores all global variables in an array called $GLOBALS[index]. The index holds the name of the variable.

<?php
$x = 75;
$y = 25;

function addition() {
$GLOBALS['z'] = $GLOBALS['x'] + $GLOBALS['y'];
}

addition();
echo $z;
?>

Output: 100

$_SERVER
• $_SERVER is an array containing information such as headers, paths, and script locations.

• $_SERVER also contains the environment variables.

• Some elements of $_SERVER:

– 'PHP_SELF'
• The filename of the currently executing script, relative to the document root.
• Ex: for [Link] it would be /foo/bar.
• $_SERVER['PHP_SELF'] cannot be trusted, since it is vulnerable to XSS attacks (see the htmlspecialchars() example above).
– 'SERVER_ADDR'
• The IP address of the server under which the current script is executing.

$_SERVER
• 'SERVER_NAME'
– The name of the server host under which the
current script is executing.

• 'SERVER_PROTOCOL'
– Name and revision of the information protocol via
which the page was requested; e.g. 'HTTP/1.0';
• 'REQUEST_METHOD'
– Which request method was used to access the page;
e.g. 'GET', 'POST'.

$_SERVER
• 'HTTP_REFERER'
– The address of the page (if any) which referred the
user agent to the current page.
• 'SCRIPT_NAME'
– Contains the current script's path.

To list all the $_SERVER parameters, simply do:

foreach ($_SERVER as $parm => $value) {
  echo "$parm = '$value'\n";
}

$_REQUEST
• PHP $_REQUEST is a PHP super global variable
which is used to collect data after submitting
an HTML form.

<?php
if ($_SERVER["REQUEST_METHOD"] == "POST") {
// collect value of input field
$name = $_REQUEST['fname'];
if (empty($name)) {
echo "Name is empty";
} else {
echo $name;
}
}
?>
Any Questions?
