Form Handling IDIA 618 Fall 2014 Bridget M. Blodgett

HTML Forms Forms are the primary method of gathering and transferring data using HTML You can have the form written in HTML (dropping out of PHP to do so) Or using the <<<_END and _END; commands you can embed it within the PHP

PHP Elements There are a couple of PHP elements specifically meant to deal with forms – $_GET and $_POST we have dealt with already – isset checks to see if the variable has been assigned a value (good for keeping undefined variable errors from appearing)

Hidden Fields Hidden fields are part of the HTML form which pass information to the browser but which aren’t directly viewable by the user Very useful for passing information like session ids, building information entered repeatedly into forms, etc – It’s important to remember that anything in this field is viewable within the HTML source

Input Name/ID Input Type Input Description text A simple text field to input an address of width and size 35. pwpasswordA password field of width and size 35. levelselect Make a select box with five options: Freshman, Sophomore, Junior, Senior, and Graduate. You can set the values for each of the options any way you want to. I used 1, 2, 3, 4, and 5. concentrationradio I made three radio buttons all with the name "concentration" so as to group them. I gave them text labels of "Computer Science" (value="CS"), "Information Science" (value="IS"), and "Information Technology" (value="IT"). Five checkboxes with the names “idia617", “idia618", “idia619" CheckboxI set them so that their value was "true". commentsTextarea I made a textarea with cols=40 and rows=5 with the default text, "Enter any comments you have here." sub_btnsubmitJust a submit button with the value "Submit Data."

Activity Apply the information on the next slide to a simple PHP form It should: – Read the input – Display the submitted options – Contain a SQL query to “send” the options to the database (you don’t actually have to connect to a db)

Sanitizing Input it is a trivial matter for a hacker to use their browser’s View Source feature to extract the form and modify it to provide malicious input – never trust any variable from either the $_GET or $_POST until you have processed it Always make sure to clean up any user input to prevent SQL injection errors – There are many types of escape characters that can execute

PHP Options PHP has a number of options to clean up user input: – mysql_real_escape_string() – stripslashes() – htmlentites() If you don’t want/need any HTML entities being passed: – strip_tags()

Placeholders One way to make a secure code without using the real escape string Predefine a query using ? characters then pass the user generated data to it – This avoids generating queries and directly inserts the information into the database How can we alter the book example from earlier to make use of this?

register_globals A deprecated feature of PHP that would automatically assign the input from a get or post to variables matching the same field name Potential security risk since malicious code can be passed as a get Always make sure to initialize your variables during their declaration