PHP form > PHP forms tutorial
Handling HTML forms with PHP
» Simple contact form
<form action="myform.php" method="post">
<p>Your Name: <input type="text" name="yourname" /><br />
E-mail: <input type="text" name="email" /></p>
<p>Do you like this website?
<input type="radio" name="likeit" value="Yes" checked="checked" /> Yes
<input type="radio" name="likeit" value="No" /> No
<input type="radio" name="likeit" value="Not sure" /> Not sure</p>
<p>Your comments:<br />
<textarea name="comments" rows="10" cols="40"></textarea></p>
<p><input type="submit" value="Send it!"></p>
See the example HTML code above? This is a simple HTML form with
two input fields, one radio box group and a text area for comments. Let's
say we save this code in a file called "test.html".
When submitted data is sent to the "myform.php" file using POST HTTP method.
All variables passed to the current script via the HTTP POST method
are stored in associative array $_POST. In other words,
in PHP you can access data from each field using $_POST['NAME'], where NAME
is the actual field name. If you submit the form above you would have access
to a number of $_POST array values inside the myform.php file:
||Holds value of
||text field "yourname"
||text field "email"
||selected radio box group "likeit"
With register_globals activated all form data is
automatically stored in variable $name (where name is field name, for example
$yourname or $email), but this can lead to various security issues
and should be avoided at all cost! This feature is now officially
depreciated and disabled by default.
Now, if you wanted to display submitted data you could simply echo
all the variables as shown below, but do not! Why? Read further.
Your name is: <?php echo $_POST['yourname']; ?><br />
Your e-mail: <?php echo $_POST['email']; ?><br />
Do you like this website? <?php echo $_POST['likeit']; ?><br />
<?php echo $_POST['comments']; ?>
If you saved this code in a file called "myform.php",
filled the fields in the test.html form and hit the Submit
button, the myform.php output would look something like this:
Your name is: John Doe
Your email: email@example.com
Do you like this website? Yes
This is my comment...
Quite simple, isn't it? But the most important thing is still missing!
You need to validate submitted data
to protect your script (and thus your website and server) from malicious code.
Let's say you display all data submitted with the form
in a HTML file (like a guestbook does for example). Now consider someone types this code instead of
If this is stored in a HTML file anyone who tried to view it would be redirected
to http://www.SPAM.com! And this is the least that can happen!
Failure to properly validate input data is the main reason for most
vulnerabilities and exploits in PHP scripts. You wouldn't want someone
to hack your website, erase all data and upload his/her own "u \/\/3R3 H4><0r3d!"
homepage, would you?
Read this tutorial further to learn how to validate form inputs
and protect yourself from exploits.
» Copyright notice
© 2008-2014 myPHPform.com. All rights reserved. Copying or redistributing
any part of this website without our written permission is expressly