Last Updated: Mar 27, 2024

PHP Form

Author Akash

Introduction 

Forms are used everywhere in web development to send user data to the backend. In PHP, the values of a submitted form arrive in superglobals such as $_POST, keyed by the name attribute of each form element, and the form's method and action attributes decide how and where it is submitted. We will first look at the form elements, then at a security issue that comes with building the action attribute, and how to avoid it.

PHP forms

Let us create a form with the fields below:

Name: must contain only letters and whitespace; required
Email: must be in email format; required
Profile Link: must be a link
Message: no rule
Slot: one option must be selected

 

Text Fields

The code below creates the name, email, profile link and message fields as text inputs. For multi-line text, use a textarea and set the number of rows and columns it should display.

Name: <input type="text" name="name">
Email: <input type="text" name="email">
Profile link: <input type="text" name="website">
Message: <textarea name="message" rows="5" cols="10"></textarea>

Radio Button

Slot:

<input type="radio" name="slot" value="morning">Morning
<input type="radio" name="slot" value="afternoon">Afternoon
<input type="radio" name="slot" value="evening">Evening

Form Element

<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>">

Security issues

$_SERVER["PHP_SELF"] can be abused by an attacker to inject script into the page, because it reflects the requested path, including anything appended after the script name, into the form's action attribute without any encoding.

A request for "http://www.test.com/form.php" renders <form method="post" action="form.php">.

But a user can also request a URL like the one below:

http://www.test.com/form.php/%22%3E%3Cscript%3Ealert('hacked')%3C/script%3E

<form method="post" action="form.php/"><script>alert('hacked')</script>

The attacker has injected an unwanted script into the page, and it runs in the browser of every user who opens that link, with the same access to the page as the site's own JavaScript. Such a script can steal critical information belonging to the user, such as passwords, files and card details.

How to avoid it?

Wrapping the value in htmlspecialchars($_SERVER["PHP_SELF"]) defends against this attack. The function converts quotation marks and angle brackets to the HTML entities &quot;, &lt; and &gt;, so if an attacker tries to inject a script, it is rendered as harmless text instead of being executed by the browser.

For example: 

<form method="post" action="form.php/&quot;&gt;&lt;script&gt;alert('hacked')&lt;/script&gt;">
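The two form tags above, built by a small PHP script as an added example that is not part of the original article: the unsafe construction, the article's htmlspecialchars() fix with its flags spelled out, and a variant that uses $_SERVER["SCRIPT_NAME"] so the request path is never reflected at all. The PHP_SELF value is constructed from the page's example URL, and the function names are this example's own.

```php
<?php
// Added example, not from the original article: it shows how a crafted request
// path reaches the form's action attribute through $_SERVER["PHP_SELF"] and how
// htmlspecialchars() neutralises it. Function names are this example's own.
declare(strict_types=1);

// Vulnerable construction: the raw PHP_SELF value is concatenated into the attribute.
function formTagUnsafe(string $phpSelf): string
{
    return '<form method="post" action="' . $phpSelf . '">';
}

// The article's fix. ENT_QUOTES is passed explicitly because before PHP 8.1 the
// default flags left single quotes unencoded; ENT_SUBSTITUTE keeps invalid UTF-8
// from turning the whole result into an empty string.
function formTagSafe(string $phpSelf): string
{
    return '<form method="post" action="'
        . htmlspecialchars($phpSelf, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '">';
}

// Stricter option: do not reflect the request path at all. $_SERVER["SCRIPT_NAME"]
// holds only the script's own path, without anything appended after it, and is
// still escaped as a matter of routine.
function formTagFromScriptName(string $scriptName): string
{
    return '<form method="post" action="'
        . htmlspecialchars($scriptName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '">';
}

function expect(bool $condition, string $what): void
{
    if (!$condition) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed value: what PHP_SELF contains for the article's example URL once
// %22%3E%3Cscript%3E... has been URL-decoded by the web server.
$attackerPhpSelf = '/form.php/"><script>alert(\'hacked\')</script>';

$unsafe = formTagUnsafe($attackerPhpSelf);
$safe   = formTagSafe($attackerPhpSelf);

// The unsafe markup contains a real <script> element; the safe markup contains only entities.
expect(strpos($unsafe, '<script>') !== false, 'unsafe tag carries a live script element');
expect(strpos($safe, '<script>') === false, 'safe tag carries no live script element');
expect(strpos($safe, '&quot;&gt;&lt;script&gt;') !== false, 'metacharacters became entities');
expect(formTagFromScriptName('/form.php') === '<form method="post" action="/form.php">',
       'script name passes through unchanged');

echo "unsafe: $unsafe\n";
echo "safe:   $safe\n";
```

Run it with `php` on the command line; the checks throw if either tag does not look as described, and the two echoed lines show the difference that the article's two form tags illustrate.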


Form example:

<!DOCTYPE HTML>
<html>
<head>
</head>
<body>

<?php
// start with an empty string for every field
$name = $email = $slot = $message = $website = "";

if ($_SERVER["REQUEST_METHOD"] == "POST") {
 // "?? ''" avoids an undefined-index warning when a field is missing,
 // for example when no radio button was selected
 $name = test_input_data($_POST["name"] ?? "");
 $email = test_input_data($_POST["email"] ?? "");
 $website = test_input_data($_POST["website"] ?? "");
 $message = test_input_data($_POST["message"] ?? "");
 $slot = test_input_data($_POST["slot"] ?? "");
}

// the function below trims the value, removes backslashes and converts
// HTML special characters to entities so the value can be echoed safely
function test_input_data($data) {
 $data = trim($data);
 $data = stripslashes($data);
 $data = htmlspecialchars($data);
 return $data;
}
?>

<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>">

 Name: <input type="text" name="name">
 E-mail: <input type="text" name="email">
 Profile link: <input type="text" name="website">
 Message: <textarea name="message" rows="5" cols="20"></textarea>
 <br>
 Slot:
 <input type="radio" name="slot" value="morning">Morning
 <input type="radio" name="slot" value="afternoon">Afternoon
 <hr/>
 <input type="submit" name="submit" value="Submit">
</form>
<?php
echo "<h2>Input:</h2>";
echo $name . "<br>";
echo $email . "<br>";
echo $website . "<br>";
echo $message . "<br>";
echo $slot . "<br>";
?>
</body>
</html>
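The rules listed at the start of the article, implemented as a PHP validator (an added example, not the article's own code). It runs on the raw $_POST values and returns one message per failing field; escaping with htmlspecialchars() happens only when a value is echoed back, which the h() helper does. The function and constant names and the two sample submissions are this example's own.

```php
<?php
// Added example, not part of the original article: validates the submitted
// fields against the rules listed at the top of the page and returns one
// error message per failing field. The validator works on the raw values;
// htmlspecialchars() is applied when the values are echoed back, not here.
declare(strict_types=1);

const ALLOWED_SLOTS = ['morning', 'afternoon', 'evening'];

/**
 * @param array<string,mixed> $input  typically $_POST
 * @return array<string,string>       field name => error message (empty when valid)
 */
function validateForm(array $input): array
{
    $errors = [];

    $name = trim((string)($input['name'] ?? ''));
    if ($name === '') {
        $errors['name'] = 'Name is required';
    } elseif (!preg_match('/^[\p{L}\s]+$/u', $name)) {  // letters and whitespace only
        $errors['name'] = 'Name may contain only letters and whitespace';
    }

    $email = trim((string)($input['email'] ?? ''));
    if ($email === '') {
        $errors['email'] = 'Email is required';
    } elseif (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Email is not in a valid format';
    }

    // Profile link is optional, but when present it must be an http(s) URL;
    // the scheme check keeps "javascript:" style values out.
    $website = trim((string)($input['website'] ?? ''));
    if ($website !== '') {
        $url = filter_var($website, FILTER_VALIDATE_URL);
        $scheme = $url === false ? '' : strtolower((string)parse_url($url, PHP_URL_SCHEME));
        if ($url === false || !in_array($scheme, ['http', 'https'], true)) {
            $errors['website'] = 'Profile link must be an http or https URL';
        }
    }

    // Message: no rule.

    // Slot: must be one of the values the radio buttons actually offer.
    $slot = (string)($input['slot'] ?? '');
    if (!in_array($slot, ALLOWED_SLOTS, true)) {
        $errors['slot'] = 'Please select a slot';
    }

    return $errors;
}

// Output encoding for echoing a value back into HTML (the same idea as the
// page's test_input_data, applied at output time).
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample submissions (not real user data).
$good = ['name' => 'Akash Kumar', 'email' => 'akash@example.com',
         'website' => 'https://example.com/akash', 'message' => 'Hi', 'slot' => 'morning'];
$bad  = ['name' => 'R2-D2', 'email' => 'not-an-email',
         'website' => 'javascript:alert(1)', 'message' => '', 'slot' => 'midnight'];

if (validateForm($good) !== []) {
    throw new RuntimeException('valid submission was rejected');
}
$errors = validateForm($bad);
if (array_keys($errors) !== ['name', 'email', 'website', 'slot']) {
    throw new RuntimeException('unexpected set of errors');
}
foreach ($errors as $field => $msg) {
    echo '<p>' . h($field) . ': ' . h($msg) . "</p>\n";
}
```

In the page's form handler, validateForm($_POST) would run before the values are stored or echoed, and only the values that pass would be kept; the messages it returns are what the error-message display mentioned in the conclusion would show.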

 

Form Example


Frequently Asked Questions

What is cross-site scripting?

It is a security vulnerability in web applications in which an attacker injects script into a page viewed by other users, so that it runs in their browsers and can scrape out their information or act on their behalf.

What is $_SERVER["PHP_SELF"]?

This variable holds the path of the currently executing script relative to the document root. It also includes any extra path appended to the URL after the script name, which is why its value must be escaped before it is echoed into the page.

What is the use of htmlspecialchars() function?

The htmlspecialchars() function is a built-in PHP function that converts certain predefined characters to HTML entities. Examples of these characters are " (double quote), & (ampersand), < and > (angle brackets), and ' (single quote), which is converted only when the ENT_QUOTES flag is passed (the default from PHP 8.1 onwards).

Conclusion

Congratulations on getting through this article. We went through setting up a form and used htmlspecialchars() to help eliminate script injection through $_SERVER["PHP_SELF"]. In the next article, you will see how to create error messages, validate email addresses and much more.

You can take a look at our PHP archives section and see many more interesting topics related to it.

 
