1 April 06
Beginner PHP Tutorial 8: Obtaining input from forms
In this tutorial I will hopefully help you understand what POST and GET are and how to capture data from both types. This tutorial assumes that register_globals is disabled (if it’s enabled, turn it off now -> it’s a massive security risk). I will also explain magic_quotes_gpc, its effects on incoming data and how to remove its effect. Ok? Let’s go!
GET
If you have ever seen a url which looks like index.php?action=save you will notice there is a question mark. What follows this question mark is GET data, which is sent from the browser to the server. Each equals sign pairs a variable with its value. So in our url the GET variable action is equal to the value save. Simple, eh? You can have multiple variables, separated by ampersands, like so: index.php?action=save&id=52.
POST
GET has its limits, as urls have length limits. It is also dangerous to use GET for user details, since a password could be in plain text in the url. Other people could then see this, or the user could copy the url and send it to someone, with the password remaining attached to it. POST doesn’t place these variables in the url but instead transfers them as a header. If you don’t understand, suffice it to say that POST uses a different method, which can carry much more data.
Which is better?
There is no better method; each suits different scenarios. So if a user entered lots of data or a password, POST would be an obvious choice. However, if a site has products with IDs then a single product could be selected by using index.php?id=83. You could use POST for this, but if the user wished to pass the url to someone else and have them land on the same page, then GET is more effective.
Great, so how do I use this in php?
Firstly, you will need both a POST and a GET form. I don’t like delving into html too much in my tutorials but here is a relatively simple GET form:
<form method="get" action="submit.php">
<input type="text" name="var" />
<input type="submit" value="Submit" />
</form>
and a similar POST form:
<form method="post" action="submit.php">
<input type="text" name="var" />
<input type="submit" value="Submit" />
</form>
As you can see all I need to do is change the form attribute method to get or post. I am hoping that you understand the rest of the code displayed here. So if a user filled in the text field and pressed submit they would be directed to submit.php. In the case of GET the url would look something like submit.php?var=TEST, TEST being what the user enters.
So, now we’re in php and we need to obtain this data…simple! There are two global arrays: $_POST and $_GET. By global I mean that they can be accessed anywhere (in functions as well as in the normal script) without requiring any extra work. In order to access the data from the form we would use $_GET['var'] or $_POST['var']. It’s really that easy, just use the name of the input field as the key in the $_POST or $_GET array.
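As an added example (not code from the original tutorial), here is one way submit.php could read the var field from either form and echo it back safely. The helper read_field() and the 100-character limit are assumptions made for illustration, and the syntax assumes PHP 7.1 or later.

```php
<?php
// Added example: a possible submit.php for the two forms above.
// read_field() and the length limit are hypothetical, chosen for illustration.

/**
 * Return the named field from a request array as a trimmed string,
 * or null if it is missing, not a plain string, empty, or too long.
 */
function read_field(array $source, string $name, int $maxLen = 100): ?string
{
    // isset() avoids an "undefined index" notice when the field is absent.
    if (!isset($source[$name])) {
        return null;
    }
    // A request such as submit.php?var[]=x makes $_GET['var'] an array.
    if (!is_string($source[$name])) {
        return null;
    }
    $value = trim($source[$name]);
    if ($value === '' || strlen($value) > $maxLen) {
        return null;
    }
    return $value;
}

// Pick the array that matches how the form was submitted.
$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
$input  = ($method === 'POST') ? $_POST : $_GET;

$var = read_field($input, 'var');

// A numeric id such as index.php?id=83 is validated as an integer.
// filter_input() returns an int, false (invalid) or null (not sent).
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);

if ($var === null) {
    echo 'Please fill in the text field.';
} else {
    // Escape before echoing so the browser treats the value as text, not HTML.
    echo 'You entered: ' . htmlspecialchars($var, ENT_QUOTES, 'UTF-8');
}
if (is_int($id)) {
    echo '<br />Product id: ' . $id;
}
```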
Magic Quotes GPC
Wow, all works great. Wait, what are all these nasty backslashes for?? Welcome to the effects of magic_quotes_gpc. This is supposed to be some sort of security feature but it is ineffective. It simply “escapes” all single and double quotes in incoming data. By escaping I mean it adds a backslash before the double or single quotes (and also before other backslashes to prevent errors when stripping the slashes). The idea is to prevent the bad guys messing with your database when php connects to it. Let’s worry about that later when I explain the proper method, for now we just need to turn it off.
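Unfortunately, you can’t just turn it off unless you have access to php.ini, which is…unlikely at best. We can remove the effects when our script begins though. First, we must actually detect whether it is on or not, or we could cause ourselves some problems. Simply use the function get_magic_quotes_gpc() in an if statement to detect this. The effects can then be removed by messing with the $_POST and $_GET arrays if the feature is enabled. Here is some working code:
// Remove added slashes from a value. Fields named like var[] arrive
// as arrays, so recurse into them instead of passing an array to stripslashes().
function strip_deep($value){
    return is_array($value) ? array_map('strip_deep', $value) : stripslashes($value);
}
// Only strip when magic_quotes_gpc is actually on. The function was
// removed in PHP 8, so check that it exists before calling it.
if(function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()){
    $_POST = strip_deep($_POST);
    $_GET = strip_deep($_GET);
}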
This will remove the effect if there is any effect.
So hopefully you now understand GET and POST and how to receive them with php. If you don’t, try re-reading this tutorial. Still confused? Feel free to email me and I will try to help out as much as I can.

