Table of contents
1. Introduction
2. Text Fields
3. Radio Button
4. Form Element
5. Security issues
5.1. How to avoid it?
6. PHP Get Form
7. PHP Post Form
8. Frequently Asked Questions
8.1. What is $_POST PHP form?
8.2. What is $_GET and $_POST in PHP?
8.3. What is $_COOKIE in PHP?
9. Conclusion
Last Updated: Jan 15, 2025
PHP Form

Author Akash
Introduction 

Forms are used everywhere in web development to collect data and store it in the backend. In PHP, the variables that receive the submitted values are linked to the form elements, and a POST action submits the form to the server-side script that stores it. We will first look at the form elements, then at validation, and then at a security issue that comes with self-submitting forms.

PHP forms

Let us create a form with the fields below and the rule each must satisfy:

Name          Must contain only letters and whitespace; required
Email         Must be in e-mail format; required
Profile Link  Must be a link
Message       No rule
Slot          One option must be selected

 

Text Fields

The code below declares the name, email, profile link and message fields as text inputs. To accept multi-line text, use a textarea and specify the number of rows and columns it should show.

Name: <input type="text" name="name">
email : <input type="text" name="email">
profile link: <input type="text" name="website">
Message: <textarea name="message" rows="5" cols="10"></textarea>

Radio Button

Slot:

<input type="radio" name="slot" value="morning">Morning
<input type="radio" name="slot" value="afternoon">Afternoon
<input type="radio" name="slot" value="evening">Evening

Form Element

<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>">

Security issues

The value of $_SERVER["PHP_SELF"] is taken from the request URL, so an attacker can use it to inject malicious code into the page.

For a request to "http://www.test.com/form.php" it is rendered as <form method="post" action="form.php">.

But a user can also request a URL like the one below:

http://www.test.com/form.php/%22%3E%3Cscript%3Ealert('hacked')%3C/script%3E 

<form method="post" action="form.php/"><script>alert('hacked')</script>

The attacker has injected a script of their own into the page. Once it runs in a victim's browser, the injected JavaScript can read critical information such as passwords, files and card details.

How to avoid it?

Using htmlspecialchars($_SERVER["PHP_SELF"]) handles such attacks. It converts quotation marks and angle brackets to HTML entities such as &quot;, &gt; and &lt;, so if the attacker tries to inject a script, it is emitted as plain HTML text rather than markup.

For example: 

<form method="post" action="form.php/&quot;&gt;&lt;script&gt;alert('hacked')&lt;/script&gt;">

The browser displays the entity-encoded text literally, so no script is injected into the user's page to scrape information or act on it.
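As an added example (not code from the original article), the PHP script below applies the same escaping to a constructed PHP_SELF value and also implements the field rules from the table at the top of the article; validate_form, $phpSelf and the sample submissions are names and data assumed here.

```php
<?php
// Added example, not from the article. Run from the CLI: php check.php

// Constructed sample: what $_SERVER["PHP_SELF"] holds for the crafted URL
// in the article, after the web server has URL-decoded the path.
$phpSelf = "/form.php/\"><script>alert('hacked')</script>";

// Unsafe: the quote closes the attribute and the script tag becomes live HTML.
$unsafe = '<form method="post" action="' . $phpSelf . '">';

// Safe: ENT_QUOTES also encodes single quotes, so the output stays inert even
// inside a single-quoted attribute (before PHP 8.1 the default flags did not
// encode single quotes); ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string.
$safe = '<form method="post" action="'
      . htmlspecialchars($phpSelf, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '">';

echo $unsafe, PHP_EOL, $safe, PHP_EOL;

// Validation rules from the article's field table, checked server-side.
function validate_form(array $in): array {
    $errors = [];
    $name = trim($in['name'] ?? '');
    if ($name === '' || !preg_match('/^[\p{L}\s]+$/u', $name)) {
        $errors['name'] = 'Only letters and whitespace are allowed; required.';
    }
    if (filter_var($in['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'A valid e-mail address is required.';
    }
    $website = trim($in['website'] ?? '');
    if ($website !== '' && filter_var($website, FILTER_VALIDATE_URL) === false) {
        $errors['website'] = 'Profile link must be a URL.';
    }
    if (!in_array($in['slot'] ?? '', ['morning', 'afternoon', 'evening'], true)) {
        $errors['slot'] = 'One slot must be selected.';
    }
    return $errors;
}

// Constructed submissions: one valid, one with bad values and no slot chosen.
$good = ['name' => 'Ada Lovelace', 'email' => 'ada@example.com',
         'website' => 'https://example.com/ada', 'message' => 'hi', 'slot' => 'morning'];
$bad  = ['name' => 'Ada<b>', 'email' => 'not-an-email', 'website' => 'example', 'message' => ''];

var_dump(validate_form($good));   // empty array: every rule satisfied
print_r(validate_form($bad));     // one message per failed rule
```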

Form example:

<!DOCTYPE HTML>
<html>
<head>
</head>
<body>

<?php
// start with empty values so the variables exist even before the form is submitted
$name = $email = $slot = $message = $website = "";

if ($_SERVER["REQUEST_METHOD"] == "POST") {
 // "?? ''" avoids an undefined-index warning when a field (e.g. an unselected radio) is missing
 $name = test_input_data($_POST["name"] ?? "");
 $email = test_input_data($_POST["email"] ?? "");
 $website = test_input_data($_POST["website"] ?? "");
 $message = test_input_data($_POST["message"] ?? "");
 $slot = test_input_data($_POST["slot"] ?? "");
}
// the function below trims the input, removes backslashes and converts HTML
// special characters to entities so submitted data is not rendered as markup
function test_input_data($data) {
 $data = trim($data);
 $data = stripslashes($data);
 $data = htmlspecialchars($data);
 return $data;
}
?>

<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>">

 Name: <input type="text" name="name">
 E-mail: <input type="text" name="email">
 Profile link: <input type="text" name="website">
 Message: <textarea name="message" rows="5" cols="20"></textarea>
 <br>
 Slot:
 <input type="radio" name="slot" value="morning">Morning
 <input type="radio" name="slot" value="afternoon">Afternoon
 <input type="radio" name="slot" value="evening">Evening
 <hr/>
 <input type="submit" name="submit" value="Submit">
</form>
<?php
echo "<h2>Input:</h2>";
echo $name . "<br>";
echo $email . "<br>";
echo $website . "<br>";
echo $message . "<br>";
echo $slot;
?>
</body>
</html>

 

Form Example

PHP Get Form

The GET method sends form data via the URL, so it is visible in the browser's address bar (and therefore also in browser history, bookmarks and server access logs). It is generally used for retrieving data or when the submission carries nothing sensitive. Parameters are appended to the URL as a query string.

Example:

<form method="get" action="process.php">
    <input type="text" name="username">
    <input type="submit" value="Submit">
</form>

 

In this example, the form data is sent via the URL, such as process.php?username=value.

PHP Post Form

The POST method sends form data to the server in the body of the HTTP request, so it does not appear in the URL. This makes it more suitable than GET for sensitive data such as passwords, or for large amounts of data, although the body is still sent in plain text unless the connection uses HTTPS.

Example:

<form method="post" action="process.php">
    <input type="text" name="username">
    <input type="submit" value="Submit">
</form>

 

In this example, the form data is sent to process.php but is not visible in the URL. The data can be accessed using $_POST in PHP.

Frequently Asked Questions

What is $_POST PHP form?

$_POST is a PHP superglobal array used to collect form data sent via the POST method. It allows secure data submission without displaying it in the URL.

What is $_GET and $_POST in PHP?

$_GET retrieves form data sent via the GET method (visible in the URL), while $_POST retrieves data sent via the POST method (hidden in the request body).

What is $_COOKIE in PHP?

$_COOKIE is a PHP superglobal array that stores data sent by the client’s browser via cookies. It allows data to persist between requests.

Conclusion

We went through setting up a form and used htmlspecialchars to neutralise script injection through $_SERVER["PHP_SELF"]. In the next article, you will see how to create error messages, validate e-mail addresses and much more.

You can take a look at our PHP archives section and see many more interesting topics related to it.