This week we will cover the topic of processing the input we receive from forms, looking at both get and post methods.
When processing form data from the get method, we see that the data is stored in the querystring. If the data includes special characters, spaces, or other non-alphanumeric characters, they will be altered using a technique called URL-Encoding.
For example:
I want to run fast
becomes
I+want+to+run+fast
This does complicate things some, but it is not terrible: PHP decodes the values automatically before it hands them to your script.
When the get method is used, we can use the built-in superglobal array $_GET[] to retrieve the values.
For example:
Using the HTML input:
<input type="text" name="personName">
we can use the PHP code:
$name = $_GET['personName']; // retrieves the value of the input textbox named personName
<?php
$login = $_GET['login']; // retrieves the value from the textbox called login
$f_Name = $_GET['firstname']; // retrieves the value from the textbox called firstname
$l_Name = $_GET['lastname']; // retrieves the value from the textbox called lastname
$country = $_GET['country']; // retrieves the value from a dropdown list called country
?>
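You can then use PHP to echo the values back to the page. Pass each value through htmlspecialchars() before echoing it, so that any HTML the user typed is displayed as text rather than interpreted by the browser.
CAUTION: when the get method is used, a clever user can alter the output simply by changing the querystring part of the URL.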
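The caution above, worked through as an added example (not part of the original lesson): the fields from the earlier snippet are read from a constructed querystring, validated, and escaped before being echoed. The variable $get stands in for $_GET so the script runs from the command line; the country allow-list, the login pattern and the helper names field() and e() are assumptions made for illustration.

```php
<?php
// Added example, not from the original lesson.
// Constructed querystring, as a user could type it into the address bar.
$queryString = 'login=jdoe&firstname=I+want+to+run+fast'
             . '&lastname=%3Cb%3EDoe%3C%2Fb%3E&country=Atlantis';

// parse_str() URL-decodes values the same way PHP does when it fills $_GET.
parse_str($queryString, $get);   // $get stands in for $_GET here

// Assumed allow-list matching the options of the country dropdown.
const COUNTRIES = ['Canada', 'Mexico', 'United States'];

/** Return a trimmed string field, or '' when it is missing or not a string. */
function field(array $src, string $name): string
{
    $value = $src[$name] ?? '';
    // A querystring such as ?login[]=x arrives as an array, not a string.
    return is_string($value) ? trim($value) : '';
}

/** Escape a value so it is shown as text inside HTML or an attribute. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

$login   = field($get, 'login');
$f_Name  = field($get, 'firstname');
$l_Name  = field($get, 'lastname');
$country = field($get, 'country');

// Validate on the server: the dropdown and maxlength in the HTML
// do not stop anyone from editing the URL by hand.
$errors = [];
if (!preg_match('/^[A-Za-z0-9_]{3,16}$/', $login)) {
    $errors[] = 'Login must be 3-16 letters, digits or underscores.';
}
if (!in_array($country, COUNTRIES, true)) {
    $errors[] = 'Country is not one of the choices offered: ' . e($country);
}

// Escape at the moment of output, even for values that passed validation.
echo 'First name: ', e($f_Name), "\n";
echo 'Last name: ',  e($l_Name), "\n";
foreach ($errors as $msg) {
    echo 'Error: ', $msg, "\n";
}
```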
For the beginning learner, the POST method is realistically no different than the GET method, except that the data is sent in the body of the request rather than clearly displayed in the querystring. The post method still provides the data, and it can still be intercepted easily by a skillful hacker, but it is much safer than GET because the values do not end up in the address bar, browser history, bookmarks, or server access logs. A good analogy would be that the data is sent inside a sealed envelope rather than just in plain visible text, although the envelope is only truly sealed when the page is served over HTTPS. Ultimately, there is more than that to it, but we will forgo that lesson for a more advanced class later.
From a coding perspective, the only change is that we use the $_POST[] array rather than the $_GET[] array to obtain the values.
<form action="./processor.php" method="post">
    <label>Username: <input type="text" name="username" maxlength="16"></label> <br>
    <label>Password: <input type="password" name="password" maxlength="12"></label> <br>
    <label>Password Again: <input type="password" name="password2" maxlength="12"></label> <br>
    <label>First Name: <input type="text" name="fname"></label> <br>
    <label>Last Name: <input type="text" name="lname"></label> <br>
    <label>Terms and Conditions: <input type="checkbox" name="agree"> I Agree</label>
</form>
<?php
$title = "WEBD2201: Sticky Form/Data Validation Example";
include "header.php";

//empty out error and result regardless of method that got you here
$error = "";
$result = "";

if($_SERVER["REQUEST_METHOD"] == "GET"){
    //default mode when the page loads the first time
    //can be used to make decisions and initialize variables
    $num = "";
}else if($_SERVER["REQUEST_METHOD"] == "POST"){
    //the page got here from submitting the form, let's try to process
    //the name of the input box on the form, white-space removed
    //(?? "" avoids a warning when the field is missing from the request)
    $num = trim($_POST["inputted_number"] ?? "");

    //let's do some data validation
    if(!isset($num) || $num == ""){
        //means the user did not enter anything
        $error .= "You must enter something into the text box.";
    }else if(!is_numeric($num)){
        //means the user entered something, but not a number
        //give them a detailed message; the rejected value is escaped so that
        //any HTML typed into the box is shown as text, not run by the browser
        $error .= "The value entered <u>MUST</u> be a number, you entered: "
                . htmlspecialchars($num, ENT_QUOTES, "UTF-8");
        //empty out the invalid data
        $num = "";
    }

    if($error == ""){
        //if error is an empty string
        //no errors, do the math
        $result = $num . " squared is " . ($num * $num);
    }else{
        //there were problems, concatenate the TRY AGAIN message
        $error .= "<br/>Please Try Again";
    }
}

//NOTE:
//the first two echoes below show the errors or the result (these are empty the first time the page loads)
//the third of the following echoes makes this page self-referring:
//the name of the current file is outputted and placed in the action of the form
//(escaped, because PHP_SELF is taken from the URL the user requested)
//and the fourth of the following echoes is what makes the form sticky: the
//number previously entered on the form is automatically displayed in the value of the text input box
?>
<h2><?php echo $result; ?></h2>
<h3><?php echo $error; ?></h3>
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>" method="POST">
    Enter a number:
    <input type="text" name="inputted_number" value="<?php echo htmlspecialchars($num, ENT_QUOTES, 'UTF-8'); ?>" size="5" />
    <br/><input type="submit" value="Square the number" />
</form>
<?php include "footer.php"; ?>