PHP form > PHP forms tutorial

Handling HTML forms with PHP

» Simple contact form

<html>
<body>

<form action="myform.php" method="post">
<p>Your Name: <input type="text" name="yourname" /><br />
E-mail: <input type="text" name="email" /></p>

<p>Do you like this website?
<input type="radio" name="likeit" value="Yes" checked="checked" /> Yes
<input type="radio" name="likeit" value="No" /> No
<input type="radio" name="likeit" value="Not sure" /> Not sure</p>

<p>Your comments:<br />
<textarea name="comments" rows="10" cols="40"></textarea></p>

<p><input type="submit" value="Send it!"></p>
</form>

</body>
</html>

See the example HTML code above? This is a simple HTML form with two input fields, one radio box group and a text area for comments. Let's say we save this code in a file called "test.html". When submitted data is sent to the "myform.php" file using POST HTTP method.

All variables passed to the current script via the HTTP POST method are stored in associative array $_POST. In other words, in PHP you can access data from each field using $_POST['NAME'], where NAME is the actual field name. If you submit the form above you would have access to a number of $_POST array values inside the myform.php file:

With register_globals activated all form data is automatically stored in variable $name (where name is field name, for example $yourname or $email), but this can lead to various security issues and should be avoided at all cost! This feature is now officially depreciated and disabled by default.

Now, if you wanted to display submitted data you could simply echo all the variables as shown below, but do not! Why? Read further.

<html>
<body>

Your name is: <?php echo $_POST['yourname']; ?><br />
Your e-mail: <?php echo $_POST['email']; ?><br />
<br />

Do you like this website? <?php echo $_POST['likeit']; ?><br />
<br />

Comments:<br />
<?php echo $_POST['comments']; ?>

</body>
</html>

If you saved this code in a file called "myform.php", filled the fields in the test.html form and hit the Submit button, the myform.php output would look something like this:

Your name is: John Doe
Your email: john@doe.com

Do you like this website? Yes

Comments:
This is my comment...

Quite simple, isn't it? But the most important thing is still missing! You need to validate submitted data to protect your script (and thus your website and server) from malicious code.

Let's say you display all data submitted with the form in a HTML file (like a guestbook does for example). Now consider someone types this code instead of his name:

<script>location.href('http://www.SPAM.com')</script>

If this is stored in a HTML file anyone who tried to view it would be redirected to http://www.SPAM.com! And this is the least that can happen! Failure to properly validate input data is the main reason for most vulnerabilities and exploits in PHP scripts. You wouldn't want someone to hack your website, erase all data and upload his/her own "u \/\/3R3 H4><0r3d!" homepage, would you?

Read this tutorial further to learn how to validate form inputs and protect yourself from exploits.

» Copyright notice

© 2008-2024 myPHPform.com. All rights reserved. Copying or redistributing any part of this website without our written permission is expressly forbidden!