Forms are the gateway for data input on the web. They allow users to submit information (like a name, email, or comment) to your server. PHP is used to process this submitted data securely and effectively.
1. The HTML Form Structure
Every form requires two essential parts in the HTML structure:
- The <form> tag, which wraps all input fields.
- The input fields (such as <input type="text">, <textarea>, <select>).
The two most critical attributes of the <form> tag are:
| Attribute | Purpose |
| --- | --- |
| action | Specifies the URL (the PHP script) that will process the form data when it is submitted. |
| method | Specifies the HTTP method used to send the data (most commonly POST or GET). |
Example Form Structure:
HTML
<form action="welcome.php" method="post">
<label for="username">Name:</label>
<input type="text" id="username" name="username"><br><br>
<input type="submit" value="Submit Data">
</form>
2. Form Methods: GET vs. POST
The method attribute dictates how form data is packaged and sent to the server.
| Method | Description | When to Use |
| --- | --- | --- |
| GET | Appends the form data to the URL as a query string (e.g., process.php?name=Bob). The values therefore show up in the address bar, browser history, bookmarks, server and proxy access logs, and the Referer header sent to any site the page links to. URL length is capped by browsers and servers (commonly a few kilobytes). | Non-sensitive, read-only requests such as searches or filters, where the resulting page should be bookmarkable and safe to reload. Never for a request that changes state, because a plain link or image tag can trigger a GET without the user intending it. |
| POST | Sends the form data in the body of the HTTP request, so it is not written into the URL or typical access logs. It is not encrypted by itself; only HTTPS protects the body (and the URL) in transit. Size is limited by server configuration (PHP's post_max_size and upload_max_filesize) rather than by URL length. | Sensitive data (passwords, e-mail addresses), large inputs and file uploads, and every submission that creates or changes data on the server, such as a database write. |
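The following is an added example, not code from the original tutorial, showing how GET data is packaged into the URL and how to build and read such a query string without getting bitten by separator characters. The file name search.php, the field names q and page, and the 405 response for non-GET requests are assumptions made for the demo.

```php
<?php
// Added example (not from the original tutorial): how GET data travels in
// the URL, and how to build and read it safely. search.php is an assumed name.
declare(strict_types=1);

// A form with method="get" whose q field contains "a&b c" and whose page
// field contains 2 produces a request line like:
//   GET /search.php?q=a%26b+c&page=2
// The browser URL-encodes each field; PHP decodes it back into $_GET.

// Building such a URL yourself: never concatenate raw values into a query
// string, because "&" or "=" inside a value would be read as separators.
$params = ['q' => 'a&b c', 'page' => 2];
$url = 'search.php?' . http_build_query($params);
// $url is now "search.php?q=a%26b+c&page=2"

// Decoding it again (this is what PHP does for you on a real request):
parse_str('q=a%26b+c&page=2', $decoded);
// $decoded is ['q' => 'a&b c', 'page' => '2']: every value arrives as a string.

// A GET handler is read-only. Anything that changes state belongs in a POST,
// so any other method is refused before a single field is looked at.
if ($_SERVER['REQUEST_METHOD'] !== 'GET') {
    http_response_code(405);
    header('Allow: GET');
    exit;
}

// Read the fields defensively: a missing key must not warn, and a field
// submitted as q[]=... arrives as an array rather than a string.
$q = $_GET['q'] ?? '';
$query = is_string($q) ? trim($q) : '';

// Validate the page number instead of trusting the string "-1" or "abc".
$page = filter_var($_GET['page'] ?? 1, FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]);
if ($page === false) {
    $page = 1;
}

// Because the whole query string lands in history, bookmarks, access logs
// and the Referer header, a GET form must never carry passwords or tokens.

// The search term is reflected into an attribute (to re-fill the box) and
// into the page body, so escape it for both contexts with ENT_QUOTES.
$safe = htmlspecialchars($query, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
echo '<form action="search.php" method="get">';
echo '<input type="text" name="q" value="' . $safe . '">';
echo '<input type="submit" value="Search">';
echo '</form>';
if ($query !== '') {
    echo '<p>Results for "' . $safe . '", page ' . $page . '</p>';
}
```

Open search.php?q=a%26b+c&page=2 in a browser to see the decoded value re-filled into the box; the `value` attribute is the reason ENT_QUOTES is passed, since a bare htmlspecialchars() call without it would leave single quotes untouched.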
3. Accessing User Input in PHP
PHP provides two special, built-in superglobal arrays for data sent via forms:
- $_POST: an associative array holding the fields sent with the POST method.
- $_GET: an associative array holding the fields sent with the GET method (the query string).
The key in these arrays is the name attribute of the corresponding HTML input field. Every value arrives as a string (or as an array, if the field name ends in [] or the same name is sent twice), so numbers and dates still need to be validated and converted before use.
Example (Using POST):
If a user types “John Doe” into the field named username and submits the form, you access it like this:
PHP
<?php
// Assume this is the 'welcome.php' script
// Only handle the request when the form was actually submitted with POST
if ($_SERVER["REQUEST_METHOD"] === "POST") {
    // 1. Retrieve the data using the field's name attribute.
    //    The null-coalescing operator avoids an "undefined array key"
    //    warning if the field is missing from the request.
    $user_name = $_POST['username'] ?? '';
    // 2. Process the data. The value came from the user, so escape it
    //    before echoing it into HTML (see section 4).
    echo "Thank you for registering, " . htmlspecialchars($user_name, ENT_QUOTES, 'UTF-8') . "!";
}
?>
4. Basic Form Validation and Security
NEVER trust user input. Validate it first (check that it has the type, format and length you expect), then protect every place it is used: escape it with htmlspecialchars() before it is displayed back in a page, to prevent Cross-Site Scripting (XSS), and bind it as a parameter in a prepared statement before it reaches a database, to prevent SQL injection. Validation and output escaping are separate steps; a value that passed validation still needs escaping when it is echoed.
Checking if Data Exists (isset())
Before reading a key from a superglobal, check that the field exists with isset(); reading a missing key raises a warning and yields null. isset() only confirms that the field was sent: an empty string passes the check, so the value itself still has to be validated afterwards.
PHP
<?php
if (isset($_POST['username'])) {
// Only run the processing code if the 'username' field was actually submitted
$user_name = $_POST['username'];
}
?>
Sanitizing Data (htmlspecialchars())
To prevent XSS, apply htmlspecialchars() to user input at the moment it is written into the page. It does not clean or validate the data; it escapes it for an HTML context by converting the characters &, <, >, " (and, with ENT_QUOTES, ') into their entity equivalents (&amp;, &lt;, &gt;, &quot;, &#039;), so the browser renders them as literal text instead of parsing them as markup. Pass ENT_QUOTES and 'UTF-8' explicitly so the result is also safe inside quoted attribute values such as value="...". This covers HTML body and attribute contexts only: a value placed inside a <script> block, a URL, or an inline event handler needs encoding specific to that context.
Example:
PHP
<?php
// The user might enter: <script>alert('Hacked')</script>
$unsafe_input = $_POST['comment'] ?? '';
// Escape the input before displaying it. ENT_QUOTES also encodes single
// quotes, and naming the charset avoids surprises with non-UTF-8 defaults.
$safe_input = htmlspecialchars($unsafe_input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
echo "Your comment: " . $safe_input; // The browser shows the tags as plain text
?>
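Putting sections 3 and 4 together, here is an added example (not the tutorial's own code) of a complete POST handler for the welcome.php form: it refuses other methods, checks that fields exist and are strings, validates them with an allow-list, and escapes every value it echoes, whether into the page body or into a value="..." attribute when re-filling the form. The email field, the error messages, the 400/405 responses and the use of the mbstring extension are assumptions made for this demo.

```php
<?php
// Added example (not the tutorial's own code): a POST handler that validates
// before it trusts and escapes before it echoes. The email field, the error
// texts and the status codes are assumptions for this demo; mbstring is assumed.
declare(strict_types=1);

// Escape for the HTML body and for quoted attribute values alike.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Fetch one field as a trimmed string. A missing field, or a field submitted
// as an array (name[]=...), is treated as empty rather than crashing later.
function field(array $input, string $name): string
{
    $v = $input[$name] ?? '';
    return is_string($v) ? trim($v) : '';
}

// Returns the problems found, keyed by field; an empty array means "accept".
// isset() alone is not enough: it is true for "" and says nothing about format.
function validate(array $input): array
{
    $errors = [];

    $username = field($input, 'username');
    if ($username === '') {
        $errors['username'] = 'Name is required.';
    } elseif (mb_strlen($username) > 50) {
        $errors['username'] = 'Name must be 50 characters or fewer.';
    } elseif (!preg_match('/^[\p{L}\p{N} .\'-]+$/u', $username)) {
        // Allow-list the characters you expect instead of block-listing "<".
        $errors['username'] = 'Name contains unsupported characters.';
    }

    $email = field($input, 'email');
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'A valid e-mail address is required.';
    }

    return $errors;
}

// Only a POST may change state; anything else is refused outright.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit('Method not allowed');
}

$errors = validate($_POST);

if ($errors !== []) {
    http_response_code(400);
    echo '<ul>';
    foreach ($errors as $name => $message) {
        // Keys and messages are our own literals, but escaping them anyway
        // means a later edit cannot quietly introduce XSS here.
        echo '<li>' . e($name) . ': ' . e($message) . '</li>';
    }
    echo '</ul>';
    // Re-fill the form with what the user typed, escaped for the attribute
    // context. This is where a missing ENT_QUOTES would let an input such as
    // x" onfocus="alert(1) break out of the value="..." attribute.
    echo '<form action="welcome.php" method="post">';
    echo '<input type="text" name="username" value="' . e(field($_POST, 'username')) . '">';
    echo '<input type="text" name="email" value="' . e(field($_POST, 'email')) . '">';
    echo '<input type="submit" value="Submit Data">';
    echo '</form>';
    exit;
}

// Validated input is still untrusted for output: escape it when echoing.
echo 'Thank you for registering, ' . e(field($_POST, 'username')) . '!';
// When this value later goes to a database, bind it as a parameter of a
// prepared statement; HTML escaping does nothing to protect SQL.
```

Submitting the form with the name `<script>alert(1)</script>` now fails the allow-list check and is shown back escaped; submitting `O'Brien` passes and is rendered correctly because ENT_QUOTES turns the apostrophe into &#039;.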
Next Steps
Handling forms is the key to interactivity. The next chapter will cover “PHP Sessions and Cookies,” which are essential for maintaining user identity and state across multiple pages (like keeping a user logged in or tracking items in a shopping cart).
