Please send questions to st10@humboldt.edu.
PHP and web forms - part 2
* references: "Learning PHP 5", David Sklar, O'Reilly, Chapter 6
(and a little from Chapter 2)
HTML Tutorial at http://www.w3schools.com/html/html_forms.asp
* a PHP feature convenient when creating a web form using PHP:
a here document
* we've discussed two ways of writing a string:
"Howdy" <- double-quotes method
'Howdy' <- single-quotes method
(but:
<?php
$greeting = "Howdy";
print "$greeting"; // will print out Howdy
print '$greeting'; // will print out $greeting
?>
* a here document is ANOTHER way to write a string:
<<<LABEL
text you want
as much as you want
and variables ARE interpolated (replaced with their values)
LABEL
* everything BETWEEN the <<<LABEL and the ending LABEL
is the contents of the string;
* (note: you choose LABEL --- that's not literally a keyword;)
* traditional/good PHP "style" to write this here document label
in all-uppercase
* the ending LABEL must be on its OWN line;
it can't be indented, and the only thing allowed after it is a
semicolon (if the here document is within a statement, such as
a print or echo)
* convenient for boilerplate (such as a bunch of HTML) with
just some PHP variable values inserted...
* example: try_here_doc.php
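An added example of a here document (this is not the course's try_here_doc.php; the function name and the sample values are made up). It builds a small HTML page from a here document, shows that plain variables and array elements are interpolated inside it, and shows how to make a literal $ appear:

```php
<?php
// Added example (not the course's try_here_doc.php): a here document
// used to build a small HTML page, with PHP variables interpolated.
// make_greeting_page and the sample values are made up for this demo.

function make_greeting_page($visitor, $visit_count)
{
    // Inside a here document, $visitor and {$info['day']} are replaced
    // by their values, just as in a double-quoted string, but quotes
    // need no escaping and the newlines are kept exactly as written.
    $info = array('day' => date('l'));

    $page = <<<HTML_PAGE
<html>
<head><title>Greeting for $visitor</title></head>
<body>
<p>Howdy, $visitor! This is visit number $visit_count.</p>
<p>Today is {$info['day']}.</p>
<p>Escaping the dollar sign, as in \$visitor, keeps it literal.</p>
</body>
</html>
HTML_PAGE;
    // The closing label above starts in column 1; the semicolon after it
    // ends the assignment statement.

    return $page;
}

// The three string styles side by side:
$greeting = "Howdy";
print "$greeting\n";        // double quotes: prints Howdy
print '$greeting' . "\n";   // single quotes: prints $greeting
print make_greeting_page("Ann", 3);   // here document: Ann and 3 filled in
?>
```

The values interpolated here are constants chosen in the script; a value that came from a user would need the htmlentities() treatment the notes get to under cross-site scripting before it is dropped into HTML like this.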
* adding some more HTML form components...
* reset button -
* to set that form's components to their original values/states
* another <input> component, but the type is "reset"
* can we add this to try_here_doc.php, as a demo? yes, we can;
* perhaps also add it to another_form2.html (to show how, when
reset and a text field had an initial value, it goes BACK to
that initial value, NOT to blank...)
* radio buttons - a set of often-round items where only one can
be chosen
* another component that uses the <input> tag
* type attribute's value: "radio"
* if one of the radio buttons has an attribute checked with
value "checked", that will be the one initially shown as
selected;
* all the radio buttons that are a logical unit should have
the same value for their name attribute;
...and each then has a different value attribute value;
* then, when the form is submitted, the pair sent is the
<radio-button-name>=<selected-button's-value>
* see: try_radio1.html and ice_cream_survey.php
* next: checkboxes
* yet another <input> tag component
* type attribute value: "checkbox"
* name attribute will be the name passed to the server...
* checked attribute of "checked" if you'd like the checkbox
to initially show up as selected/checked
* when submitted, name/value pairs are sent ONLY for the CHECKED
checkboxes; the value sent for each is its value attribute's
value (or "on" if it has no value attribute)
* example: try_checkbox1.html and form_echo.php
* now, drop-down box
* done in HTML with a <select> tag (NOT an <input> tag!)
* basic syntax:
<select name="value-of-your-choice">
<option value="value-sent"> what-shows-in-drop-down </option>
<option value="value-sent"> what-shows-in-drop-down </option>
<option value="value-sent" selected="selected">
what-shows-initially-on-top </option>
<option value="value-sent"> what-shows-in-drop-down </option>
...
</select>
* when form is submitted, name sent is the select tag's name attribute
value, and the value sent is the value attribute's value for
the option selected at that point;
* try_select1.html and choc_survey.php
* finally (last in our intro): text area
* it has its own tag: <textarea>
* the name attribute is the usual, the name for this text area;
* rows attribute: how many rows of text are visible
* cols attribute: how many characters of text (across) are visible
* and if you want initial text to appear, you can put it between
the <textarea> and </textarea> (opening and closing tags)
* when submitted, sends the name as the textarea's name, and the
text within the textarea box as its value...
* example: try_textarea1.html, and comments_survey.php
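An added example, not one of the course's try_*.html files, that puts every component from this part of the notes into one form: a reset button, a set of radio buttons, checkboxes, a drop-down box and a text area. The field names, the flavor list and the handler file name survey_handler.php are made up. The small PHP block at the top shows how to decide from PHP which radio button starts out checked:

```php
<?php
// Added example (not from the course): one form using every component
// from the notes. survey_handler.php, the field names and the flavor list
// are all made up for this demo.

$flavors = array('vanilla', 'chocolate', 'strawberry');
$default_flavor = 'chocolate';   // the radio button that starts selected
?>
<html>
<head><title>Ice cream survey</title></head>
<body>
<form action="survey_handler.php" method="post">

<p>Your name: <input type="text" name="name" value="anonymous" /></p>

<p>Favorite flavor:<br />
<?php foreach ($flavors as $flavor) { ?>
    <input type="radio" name="flavor" value="<?php echo $flavor; ?>"
        <?php if ($flavor == $default_flavor) { echo 'checked="checked"'; } ?> />
    <?php echo ucfirst($flavor); ?><br />
<?php } ?>
</p>

<p>Toppings (check all that apply):<br />
<input type="checkbox" name="topping_nuts"   value="yes" /> Nuts<br />
<input type="checkbox" name="topping_fudge"  value="yes" checked="checked" /> Hot fudge<br />
<input type="checkbox" name="topping_cherry" /> Cherry (no value attribute, so "on" is sent)<br />
</p>

<p>Cone:
<select name="cone">
<option value="sugar">Sugar cone</option>
<option value="waffle" selected="selected">Waffle cone</option>
<option value="cup">No cone, just a cup</option>
</select>
</p>

<p>Comments:<br />
<textarea name="comments" rows="4" cols="40">Tell us what you think.</textarea>
</p>

<p>
<input type="submit" value="Send survey" />
<input type="reset" value="Start over" />
</p>
</form>
</body>
</html>
```

Submitted as shown, without touching anything, this form sends name=anonymous, flavor=chocolate, topping_fudge=yes, cone=waffle and comments=Tell us what you think.; the unchecked checkboxes send nothing at all. Pressing "Start over" puts the text field back to anonymous, not to blank, and re-checks Hot fudge.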
* ...which brings up a problem:
consider try_textarea1.html and comments_survey.php.
comments_survey.php is AWFULLY trusting!!! [or, it WAS, until
we changed it below --- I don't feel comfortable posting the
original version! it simply did:
print $_POST["comments"];
...it just print[ed] out whatever the user sends!!
...and if that happens to include HTML or JavaScript,
the browser might just display it/do it;
* that's cross-site scripting; when the user (for example, in a form)
enters text that is executable and is sent on as the response and
possibly executed;
* (consider: a "guestbook" where users post messages that others
can come to the site and see ---
what if a guest inserts code? next user might be redirected,
or some such mischief;)
* solution? "Learning PHP 5", Sklar, Chapter 6:
"never display unmodified external input"
...don't TRUST that all users are benign... 8-)
* two useful PHP tools for this:
strip_tags($str) - this function returns a string with any
HTML tags removed from its argument string $str
htmlentities($str) - this function returns a string with the
characters special to HTML in argument
string $str encoded
(replace < with &lt;
> with &gt;
& with &amp;
" with &quot; )
* let's adapt comments_survey.php to do these! [done]
* Another quote from "Learning PHP 5", Sklar, Ch. 6:
"In most applications, you should use htmlentities() to
sanitize external input."
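An added example (not the course's comments_survey.php) showing the "awfully trusting" handler beside a strip_tags() version and an htmlentities() version. $_POST is filled in by hand with a constructed comment, so the script can be run from the command line and the three outputs compared without a browser; the function names are made up:

```php
<?php
// Added example (not the course's comments_survey.php): the trusting
// version of a comment echo beside two hardened versions, run on a
// constructed comment. $_POST is filled in by hand so this runs from the
// command line; the function names are made up.

$_POST['comments'] =
    "Great site! <script>document.location='http://example.invalid/'</script>";

// 1. The original, trusting behaviour: whatever was typed is sent
//    straight back to the browser, script tags and all. The browser
//    would run the script, which is the cross-site scripting problem.
function show_comment_trusting($comment)
{
    return "<p>You said: " . $comment . "</p>";
}

// 2. strip_tags(): the tags are removed entirely; the text that was
//    between them is kept, so the comment still reads sensibly.
function show_comment_stripped($comment)
{
    return "<p>You said: " . strip_tags($comment) . "</p>";
}

// 3. htmlentities(): the tags survive, but only as visible text, because
//    <, >, & and " are replaced by &lt; &gt; &amp; &quot;. ENT_QUOTES
//    makes it encode the single quote too, which matters whenever the
//    value is placed inside an HTML attribute.
function show_comment_encoded($comment)
{
    return "<p>You said: " . htmlentities($comment, ENT_QUOTES) . "</p>";
}

print show_comment_trusting($_POST['comments']) . "\n";
print show_comment_stripped($_POST['comments']) . "\n";
print show_comment_encoded($_POST['comments']) . "\n";
?>
```

Run it and compare the three lines: the first still contains a working <script> element, the second contains only the script's text, and the third shows the whole comment, tags included, as harmless text. The third is the one Sklar's advice points to, since it loses nothing the user typed while making none of it executable.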
* functions ARE your friend in processing forms in PHP;
(make a validate function, make a handle_form function, etc.!)
* PHP is often used to validate form data, also: here's a few tidbits
in that direction:
* function strlen() lets you test the length of a value;
* you can use this, then, to see if a required text element
has had a value filled in, for example;
* if (strlen($_POST['zip']) == 0)
{
// complaint about the lack of a zip code
}
* note: might be more polite to build a SET of error
messages for a given form, and then show ALL to the user
in some readable fashion as the form response for an
improperly-filled-in-form;
$problems[] = "You must enter a zip";
* functions intval(), floatval(), and strval() can be used to help
see if an integer or a floating point number
has been entered;
* intval($blah) returns the integer at the start of string $blah,
discarding anything extraneous;
* floatval($blah) returns the floating point number at the start of
string $blah, discarding anything extraneous;
* strval($blah) converts the cleaned-up number back into a string!
(so comparison with what's in $_POST works as we'd like...!)
* that is,
if ($_POST["quantity"] != strval( intval ($_POST["quantity"])))
{
// complain about a "funny" value for quantity
}
* what if blanks are involved, possibly?
* function trim() removes leading and trailing whitespace;
* nice combo: is to use this with strlen() to make sure
a field of just blanks is treated as empty...
if (strlen (trim($_POST['last_name'])) == 0)
{
// complain that blanks aren't enough...
}
* what if you'd like to strip the blanks at, say, the beginning
of your processing?
...you can change the value in $_POST or $_GET, and it'll
stay changed throughout your PHP page... (even if you're in
a function within that page) --- $_POST and $_GET are auto-global
$_POST["last_name"] = trim( $_POST["last_name"] );
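An added example, not code from the course, that gathers these tidbits into one validate function in the style the notes recommend: it builds a SET of problems instead of stopping at the first one, trims a field and stores the trimmed value back into the auto-global $_POST, and uses the intval()/floatval()/strval() trick for numbers. $_POST is filled in by hand so it runs from the command line; the field names and function name are made up:

```php
<?php
// Added example (not from the course): a validate function that collects
// all the problems with a form at once. $_POST is filled in by hand here
// so the script runs from the command line; the field names are made up.

$_POST = array(
    'last_name' => '   ',        // only blanks: should count as empty
    'zip'       => '',           // missing entirely
    'quantity'  => '12 boxes',   // not a clean integer
    'price'     => '3.5',        // a clean float
);

function validate_order()
{
    $problems = array();

    // trim first, and store the trimmed value back: $_POST is auto-global,
    // so every later function in this page sees the cleaned-up value.
    $_POST['last_name'] = trim($_POST['last_name']);
    if (strlen($_POST['last_name']) == 0) {
        $problems[] = "You must enter a last name (blanks are not enough)";
    }

    if (strlen($_POST['zip']) == 0) {
        $problems[] = "You must enter a zip";
    }

    // intval() keeps the leading integer and discards the rest; strval()
    // turns it back into a string, so a clean entry matches itself and
    // "12 boxes" does not. !== is used rather than != because PHP compares
    // two numeric-looking strings as numbers with !=, which would let
    // "12.0" pass as a whole number.
    if ($_POST['quantity'] !== strval(intval($_POST['quantity']))) {
        $problems[] = "Quantity must be a whole number";
    }

    // Same idea for a floating point field. Caveat: floatval() drops
    // trailing zeros, so "3.50" would NOT match strval(floatval("3.50")),
    // which is "3.5"; this check only accepts numbers written in the form
    // PHP itself would print them.
    if ($_POST['price'] !== strval(floatval($_POST['price']))) {
        $problems[] = "Price must be a number";
    }

    return $problems;
}

function show_problems($problems)
{
    if (count($problems) == 0) {
        return "<p>Thanks, your order looks fine.</p>\n";
    }
    // All the complaints at once, each run through htmlentities() out of
    // habit even though these messages are our own text.
    $html = "<p>Please fix the following and try again:</p>\n<ul>\n";
    foreach ($problems as $problem) {
        $html .= "<li>" . htmlentities($problem) . "</li>\n";
    }
    return $html . "</ul>\n";
}

print show_problems(validate_order());
?>
```

With the constructed $_POST above the response lists three problems (last name, zip and quantity) and accepts the price; change 'price' to '3.50' to see the floatval() caveat bite.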