Approaches to Web Development for Bioinformatics


HTML Forms

It is very easy to get started with HTML forms in PHP because you can mix PHP script in with HTML markup and access the form data the browser sends to the server. However, data validation also needs to be considered, to make sure that user-entered data is safe to display to other users and, if necessary, safe to insert into a database.

You can access variables sent to the server in HTTP GET requests with the $_GET array and in HTTP POST requests with the $_POST array. You can tell whether the request is a GET or a POST using the $_SERVER['REQUEST_METHOD'] variable. This is useful for deciding whether to display a form or process it, which keeps the code to display and process the form in one file. Here is an example that demonstrates this concept.


PHP

<?php
// Show which HTTP method was used for this request.
print('<p>' . $_SERVER['REQUEST_METHOD'] . '</p>');
if ($_SERVER['REQUEST_METHOD'] == 'GET') {
    // GET: display the form. SCRIPT_NAME avoids hard coding the file name.
    $script = $_SERVER['SCRIPT_NAME'];
?>
<form action="<?php print($script); ?>" method="post">
<p>User ID: <input type="text" name="userid" /></p>
<p><input type="submit" value="Submit"/></p>
</form>
<?php
} else {
    // POST: process the submitted data. Check that the field was sent at
    // all (isset) and that it is not the empty string (strlen).
    if (isset($_POST['userid']) && strlen($_POST['userid'])) {
        $userid = $_POST['userid'];
        // Escape before echoing user input back into the page.
        print('Your user ID is ' . htmlspecialchars($userid));
    } else {
        print('Please go back and enter your user id.');
    }
}
?>

In the script, if the request method is GET, the form is displayed. The screen looks like this:

The variable $_SERVER['SCRIPT_NAME'] holds the name of the current script, which avoids hard coding the file name in the form action. If the request method is POST, the data is processed. There is a check for whether the user actually entered a user ID. First, an isset() check is made. However, browsers usually send an empty string for a text input that was left blank, so isset() alone is not enough and a strlen() check is also performed. The result for the case where the user did not enter a user ID is shown below.

The values sent by browsers to servers in GET and POST requests are always strings or arrays of strings. To validate numeric input data, functions such as intval() and floatval() are useful.

intval() and floatval() are quite optimistic in what they treat as a number. For example, intval() converts '5 days' into 5. It is a good idea to convert the integer back into a string and compare it with the original string to make sure that there is no extra text attached to the number. Regular expressions are another option for checking numeric input data.
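The round-trip check described above, as an added example that is not code from the original page. It places the intval()/strval() round trip beside the regular-expression alternative and PHP's built-in filter_var() with FILTER_VALIDATE_INT (a third technique the text does not mention); the sample inputs are constructed to show where the three approaches agree and where they differ.

```php
<?php
// Added example (not from the original page): validating numeric form input
// with the round-trip technique described above, a regular expression, and
// PHP's built-in filter_var().

/**
 * Return the integer value of $input, or null if $input is not exactly an
 * integer in decimal notation. The round trip intval() -> strval() catches
 * trailing text such as '5 days', which intval() alone silently accepts.
 */
function validate_int_roundtrip($input)
{
    if (!is_string($input)) {
        return null;   // GET/POST values are strings or arrays; reject arrays
    }
    $value = intval($input);
    return (strval($value) === $input) ? $value : null;
}

/** Same check with a regular expression: optional sign, then digits only. */
function validate_int_regex($input)
{
    if (is_string($input) && preg_match('/^-?[0-9]+$/', $input)) {
        return intval($input);
    }
    return null;
}

/**
 * Same check using filter_var() with FILTER_VALIDATE_INT. It trims
 * surrounding whitespace and rejects leading zeros; false means invalid.
 */
function validate_int_filter($input)
{
    $value = filter_var($input, FILTER_VALIDATE_INT);
    return ($value === false) ? null : $value;
}

// Constructed sample inputs, as a browser would send them (always strings).
// ' 42' and '007' are the cases where the three techniques disagree.
$samples = array('42', '-7', '5 days', ' 42', '4.5', '', '007');

foreach ($samples as $s) {
    printf("%-10s roundtrip=%-5s regex=%-5s filter=%s\n",
        var_export($s, true),
        var_export(validate_int_roundtrip($s), true),
        var_export(validate_int_regex($s), true),
        var_export(validate_int_filter($s), true));
}
```

Run it with the PHP command-line interpreter. The round-trip check is the strictest of the three: it rejects ' 42' (leading space) and '007' (leading zero) because intval() normalises both, so the string comparison fails. Whichever technique you pick, use the validated integer from then on rather than the original string.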

Email addresses are a common type of data input that needs validation. There are two standards for properly formed email addresses, RFC 822 [68] and RFC 2822 [69]. Cal Henderson has written about this subject [70] and has sample PHP code that is very handy.

A cross-site scripting attack is where a user enters data that will execute a script when someone else views the data. Consider a user that enters some JavaScript in place of his or her name. Later, when some other user views the first user's name, the JavaScript is executed. To avoid your site being used for this purpose, use the htmlspecialchars() function whenever user-supplied data is placed into a page. This will escape <, >, and &; pass ENT_QUOTES as the second argument so that single and double quotes are escaped too, which matters when the data is placed inside an HTML attribute.
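The problem and the fix side by side, as an added example that is not code from the original page. render_unsafe() interpolates a user-supplied name into HTML text and into an attribute exactly as entered; render_safe() routes every interpolation through a small h() wrapper around htmlspecialchars(). The sample name is constructed to contain markup and a double quote so that both the text and the attribute context are exercised.

```php
<?php
// Added example (not from the original page): echoing user-supplied data
// back into HTML. render_unsafe() shows the cross-site scripting problem
// described above; render_safe() is the hardened version.

/** Escape a string for use in HTML text or in a double-quoted attribute. */
function h($s)
{
    // ENT_QUOTES also escapes ' and ", which matters inside attributes;
    // the charset argument keeps multibyte input from being mangled.
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

/** Vulnerable: the name is placed into the page exactly as entered. */
function render_unsafe($name)
{
    return '<p>Hello, ' . $name . '</p>'
         . '<input type="text" name="name" value="' . $name . '" />';
}

/** Hardened: every interpolation of untrusted data goes through h(). */
function render_safe($name)
{
    return '<p>Hello, ' . h($name) . '</p>'
         . '<input type="text" name="name" value="' . h($name) . '" />';
}

// Constructed input: a "name" that contains markup and a quote character.
$name = 'Mallory "the" <script>alert(1)</script>';

print("Unsafe:\n" . render_unsafe($name) . "\n\n");
print("Safe:\n" . render_safe($name) . "\n");
```

In the unsafe output the script element lands in the page as live markup and the quote terminates the value attribute early. In the safe output the same characters appear as &lt;, &gt; and &quot;, so the browser renders them as text. Escaping at output time, at the point where the data meets HTML, is what makes this robust: it works the same whether the value came from $_POST a moment ago or from a database row written months earlier.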




Please send ideas and opinions by email at alexamies@gmail.com.

© 2006-2007 Alex Amies