PHP Basic Form Handling Tutorial

In this tutorial we learn about basic form handling in PHP with the superglobals $_GET and $_POST, which are used to collect form data.

We also cover when to use get, and when to use post.

Let's jump right in.

What is form handling?

PHP provides us with ways to collect and process data coming from HTML forms.

As an example, let’s consider an application that will collect a user’s name and email address.

Example: html form
<html>
<body>

<form action="process.php" method="get">
    Name: <input type="text" name="username"><br>
    Email: <input type="text" name="email"><br><br>
    <input type="submit">
</form>

</body>
</html>

The example above sends the name and email address that the user enters to the process.php page to be processed. On the process.php page we can store it in a database, a CSV file, etc.

Create a new file in your PHPProjects directory, called process.php. It can be empty for the moment.

Now that the action page exists, we can submit data through the form. View the page in your browser, fill the form fields with some test data, and submit the form.

When we submit the form, the browser requests the process.php page. The page is blank at the moment, but consider the URL in the address bar, specifically everything after the ?

Output: address bar
 http://localhost/PHPProjects/process.php?username=Test&email=test%40testmail.com

Everything after the ? is the data that we send through the form, to the process.php page.

It shows the field name and the value that was entered. The data is only visible in the URL when the form method is set to GET. When the form method is set to POST, the data travels in the body of the HTTP request instead: it does not appear in the address bar, browser history or server access logs, but it is still readable by anyone who can intercept the traffic unless the site uses HTTPS.

How to $_GET form data

PHP provides us with the superglobal $_GET to get the data sent from the form.

The $_GET superglobal works like an associative array, the field name in the form is the key in the superglobal.

Syntax:
<!-- Form -->
<form method="get">
    <input name="fieldname">
</form>

// PHP
$_GET["fieldname"];
Example: process.php
<?php
// Read the field; the null coalescing operator avoids an "Undefined array key"
// warning when the field is missing from the query string.
$username = $_GET["username"] ?? "";

// Escape before echoing: the value is attacker-controlled, and writing it
// into HTML unescaped is a reflected cross-site scripting (XSS) bug.
echo "Welcome " . htmlspecialchars($username, ENT_QUOTES, "UTF-8");
?>

When the form is submitted, the process.php page will now display whatever we typed into the username field.

How to $_POST form data

Sensitive form data, such as a password, should not be sent with the get method, because the URL ends up in browser history, proxy and server logs, and Referer headers. We should instead use post, which puts the data in the request body: hidden from the address bar and the logs, though not from the network, which is what HTTPS is for.

Example: html post form
<html>
<body>

<form action="process.php" method="post">
    Name: <input type="text" name="username"><br>
    Email: <input type="text" name="email"><br><br>
    <input type="submit">
</form>

</body>
</html>

If we submit the form data at this point, the data does not show in the address bar.

Accessing post data is the same as accessing get data, except we use the $_POST superglobal.

Syntax:
 $_POST["fieldname"];
Example: get POST data
<?php
// Same as the GET version, but the value comes from the POST body.
$username = $_POST["username"] ?? "";

// Escape the user-supplied value before writing it into the page.
echo "Welcome " . htmlspecialchars($username, ENT_QUOTES, "UTF-8");
?>

$_GET vs $_POST. When to use which

It depends on what the data is and what the request does.

  • $_GET is an array of the URL query parameters (everything after the ? in the request URL).
  • $_POST is an array of the fields sent in the body of an HTTP POST request.

They are both superglobals, which means they are accessible in any scope, and we can access them from any file, class or function.

  • GET is used for requests that only read something and carry non-sensitive data, such as a search term.
  • POST is used for sensitive or potentially sensitive data, such as email addresses and passwords, and for any request that changes state (creating an account, logging in, deleting a record).

Get and Post also have their own advantages, and disadvantages.

  • GET data is limited by the URL length that browsers and servers accept (HTTP itself sets no limit; around 2000 characters is the usual safe figure). Because the data is in the URL, the action page can be bookmarked, but the values also land in browser history, server access logs and Referer headers.
  • POST has no length limit in HTTP itself, though PHP caps the request body with the post_max_size setting (8M by default), and it supports file uploads (multipart/form-data). Because the data is not in the URL, an action page that receives data via post cannot be bookmarked with that specific data.

Whichever method is used, the data comes from the client and must be validated and escaped on the server: $_GET and $_POST are equally under the user's control, and POST does nothing to make the values trustworthy. The practical rule most developers follow is POST for anything except simple lookups, because browsers, crawlers and link previews issue GET requests on their own, and a GET that changes state is both a usability and a security problem.
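The following process.php is an added example, not code from the original tutorial. It shows what "validate on the server" means in practice for the name/email form above: it refuses anything but POST, tolerates missing or malformed fields, validates both values, and escapes everything it echoes back. The field names username and email are the ones the tutorial's form uses; the validation rules (a 1-64 character name, an email accepted by PHP's built-in filter) are assumptions chosen for the example. Swapping $_POST for $_GET in the last part works the same way.

```php
<?php
// process.php: added example, not part of the original tutorial.
// Accepts the name/email form by POST only, validates both fields on the
// server, and escapes everything it writes back into the page.

declare(strict_types=1);

/**
 * Validate the submitted fields. Returns ['ok' => bool, 'errors' => [...],
 * 'data' => [...]] so the caller decides what to do (store, redisplay, ...).
 * Field names (username, email) match the tutorial's form.
 */
function validate_form(array $input): array
{
    $errors = [];

    // Never assume a key is present: a crafted request can omit it,
    // or send an array (username[]=x) instead of a string.
    $username = $input['username'] ?? '';
    $email    = $input['email'] ?? '';
    if (!is_string($username) || !is_string($email)) {
        return ['ok' => false, 'errors' => ['Fields must be plain text.'], 'data' => []];
    }

    $username = trim($username);
    $email    = trim($email);

    // Allow-list the name: letters, digits, space, dot, apostrophe, hyphen; 1-64 chars.
    // (Rule chosen for this example; adjust to the application's needs.)
    if (!preg_match('/^[\p{L}\p{N} .\'-]{1,64}$/u', $username)) {
        $errors[] = 'Name must be 1-64 letters, digits, spaces, dots or hyphens.';
    }

    // Let PHP's own filter decide what an email address looks like.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || strlen($email) > 254) {
        $errors[] = 'Email address is not valid.';
    }

    return [
        'ok'     => $errors === [],
        'errors' => $errors,
        'data'   => ['username' => $username, 'email' => $email],
    ];
}

/** Escape a value for insertion into HTML text or a double-quoted attribute. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Only act on POST. A GET to this URL (a bookmark, a crawler, a link preview)
// must not be treated as a submission.
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit('This page only accepts form submissions.');
}

$result = validate_form($_POST);

if (!$result['ok']) {
    http_response_code(422);
    echo '<ul>';
    foreach ($result['errors'] as $e) {
        echo '<li>' . h($e) . '</li>';
    }
    echo '</ul>';
    exit;
}

// At this point the values are safe to store (with prepared statements, if a
// database is used). Here we just greet the user, escaping the echoed value.
echo 'Welcome ' . h($result['data']['username']);
```

Note that validation (is this value acceptable?) and escaping (is it safe to put in this output context?) are separate steps: a perfectly valid name such as O'Brien still has to be escaped before it goes into HTML.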

How to submit a form to its own page

Instead of jumping to a different page, we can submit the form to the page the form is on. To do this, we echo $_SERVER["PHP_SELF"] (an entry in the $_SERVER superglobal) into the form's action attribute.

Example: html form
<html>
<body>

<form method="post" action="<?php echo $_SERVER["PHP_SELF"]; ?>">
    Name: <input type="text" name="username"><br>
    Email: <input type="text" name="email"><br><br>
    <input type="submit">
</form>

</body>
</html>

The interpreter echoes the path of the currently executing script (for example /PHPProjects/form.php), and the form sends the submitted data to the page it is currently on.

$_SERVER["PHP_SELF"] is not just the script name: it also includes any extra path information the client appended to the URL. A request for form.php/"><script>...</script> therefore puts attacker-controlled text straight into the action attribute, which is a cross-site scripting (XSS) hole. For that reason, we must pass the value through the htmlspecialchars() function before echoing it.

Example: encoded
<html>
<body>

<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>">
    Name: <input type="text" name="username"><br>
    Email: <input type="text" name="email"><br><br>
    <input type="submit">
</form>

</body>
</html>

The htmlspecialchars() function replaces the characters that have meaning in HTML (&, <, >, " and, with ENT_QUOTES, ') with their entity equivalents (&amp;, &lt;, &gt;, &quot;, &#039;), so the browser renders them as text instead of treating them as markup, and injected script never becomes part of the page.

This is HTML encoding, not URL encoding: the %20-style sequences you see in URLs come from urlencode()/rawurlencode(), which is a different transformation for a different context.
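To make the PHP_SELF problem concrete, here is an added example (not from the original tutorial) that builds the action attribute the self-submitting form uses, once unescaped and once escaped, for a normal request path and for a constructed attacker path. The attacker string is made up for the example; it is the decoded form of a URL like form.php/%22%3E%3Cscript%3E..., which Apache and php-fpm pass through as extra path info.

```php
<?php
// Added example (not from the original tutorial): what PHP_SELF can contain
// and why it has to be escaped before it goes into the action attribute.

declare(strict_types=1);

/**
 * Build the action attribute value for a self-submitting form.
 * $phpSelf is whatever $_SERVER['PHP_SELF'] held for the request.
 * $escape = false reproduces the tutorial's unsafe first version.
 */
function form_action(string $phpSelf, bool $escape = true): string
{
    // ENT_QUOTES matters: the attribute is quoted, and before PHP 8.1
    // htmlspecialchars() left single quotes alone by default.
    return $escape
        ? htmlspecialchars($phpSelf, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        : $phpSelf;
}

/** Render the opening <form> tag the tutorial's example produces. */
function form_tag(string $phpSelf, bool $escape = true): string
{
    return '<form method="post" action="' . form_action($phpSelf, $escape) . '">';
}

// Constructed request paths. The script is /form.php; in the second case the
// client appended extra path info, which PHP_SELF reports after URL-decoding.
$normal   = '/form.php';
$attacker = '/form.php/"><script>alert(document.cookie)</script><p class="';

foreach ([$normal, $attacker] as $phpSelf) {
    echo "PHP_SELF  : $phpSelf\n";
    echo "unescaped : " . form_tag($phpSelf, false) . "\n";
    echo "escaped   : " . form_tag($phpSelf) . "\n\n";
}
```

In the unescaped output the attacker's quote closes the action attribute and the script tag becomes real markup; in the escaped output the same characters appear as &quot;&gt;&lt;script&gt;... inside the attribute and the browser treats them as part of a (useless) URL. The alternative that avoids the issue entirely is to omit the action attribute, which makes the browser submit to the document's own URL without PHP echoing anything.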

Summary: Points to remember

  • Form handling is done with the $_GET and $_POST superglobal arrays.
  • GET is used for non-sensitive data, such as a search term.
  • POST is used for sensitive data, such as email addresses and passwords.
  • GET data can be seen in the URL, POST data not.
  • We can submit a page to itself with $_SERVER["PHP_SELF"], but the value must be passed through htmlspecialchars() before it is echoed, to avoid XSS.