PHP and HTML Forms
Thursday, 06 July 2006

Forms have always been one of the quickest and easiest ways to add interactivity to your web site. A form enables you to ask customers if they like your products and casual visitors for comments. PHP can substantially simplify the task of processing web-based forms by providing a simple mechanism to read user data submitted through a form into PHP variables. Consider the following sample form:

<html>
<head></head>
<body>
  <form action="message.php" method="post">
    Enter your message: <input type="text" name="msg" size="30">
    <input type="submit" value="Send">
  </form>
</body>
</html>


The most critical line in this entire page is the <form> tag:

<form method="post" action="message.php">
...
</form>

As you probably already know, the method attribute of the <form> tag specifies the manner in which form data will be submitted (POST), while the action attribute specifies the name of the server-side script (message.php) that will process the information entered into the form. Here is what message.php looks like:

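<?php
  // retrieve form data in a variable (empty string if the field was not submitted)
  $input = isset($_POST['msg']) ? $_POST['msg'] : '';

  // print it, HTML-escaped so submitted markup is shown as text instead of being rendered
  echo "You said: <i>" . htmlspecialchars($input, ENT_QUOTES, 'UTF-8') . "</i>";
?>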

 

To see how this works, enter some data into the form (“boo”) and submit it. The form processor should read it and display it back to you (“You said: boo”). Thus, whenever a form is POST-ed to a PHP script, all variable-value pairs within that form automatically become available for use within the script through a special PHP container variable, $_POST. To then access the value of the form variable, use its name inside the $_POST container, as in the previous script. If the form uses GET instead of POST, simply retrieve values from $_GET instead of $_POST. The $_GET and $_POST variables are arrays.

We'll study a PHP page that can add, edit, and remove entries from the database.

<html>
<body>
<?php
 
$db = mysql_connect("localhost", "root");
mysql_select_db("mydb",$db);
 
if ($submit) {
 
  // here if no ID then adding else we're editing
  if ($id) {
    $sql = "UPDATE employees SET first='$first',last='$last',address='$address',position='$position' WHERE id=$id";
  } else {
    $sql = "INSERT INTO employees (first,last,address,position) VALUES ('$first','$last','$address','$position')";
  }
 
  // run SQL against the DB
  $result = mysql_query($sql);
  echo "Record updated/edited!<p>";
 
} elseif ($delete) {
 
    // delete a record
    $sql = "DELETE FROM employees WHERE id=$id";    
    $result = mysql_query($sql);
 
    echo "$sql Record deleted!<p>";
 
} else {
  // this part happens if we don't press submit
 
  if (!$id) {
    // print the list if there is not editing
    $result = mysql_query("SELECT * FROM employees",$db);
 
    while ($myrow = mysql_fetch_array($result)) {
      printf("<a href=\"%s?id=%s\">%s %s</a> \n", $PHP_SELF, $myrow["id"], $myrow["first"], $myrow["last"]);
      printf("<a href=\"%s?id=%s&delete=yes\">(DELETE)</a><br>", $PHP_SELF, $myrow["id"]);
    }
  }
 
  ?>
 
  <P>
  <a href="<?php echo $PHP_SELF?>">ADD A RECORD</a>
  <P>
 
  <form method="post" action="<?php echo $PHP_SELF?>">
 
  <?php
 
  if ($id) {
    // editing so select a record
    $sql = "SELECT * FROM employees WHERE id=$id";
    $result = mysql_query($sql);
    $myrow = mysql_fetch_array($result);
 
    $id = $myrow["id"];
    $first = $myrow["first"];
    $last = $myrow["last"];
    $address = $myrow["address"];
    $position = $myrow["position"];
    // print the id for editing
 
  ?>
 
    <input type=hidden name="id" value="<?php echo $id ?>">
 
    <?php
  }
 
  ?>
 
  First name:<input type="Text" name="first" value="<?php echo $first ?>"><br>
  Last name:<input type="Text" name="last" value="<?php echo $last ?>"><br>
  Address:<input type="Text" name="address" value="<?php echo $address ?>"><br>
  Position:<input type="Text" name="position" value="<?php echo $position ?>"><br>
  <input type="Submit" name="submit" value="Enter information">
  </form>
 
<?php
}
?>
 
</body>
</html>

This looks complex, but it really isn't. The script is broken up into three parts. The first if() statement checks to see whether the Submit button has been pressed, and if it has, it checks to see whether the variable $id exists. If it doesn't, then we're adding a record. Otherwise, we're editing a record.

Next we check to see whether the variable $delete exists. If it does, we delete a record. Note that with the first if() statement we checked for a variable that came through as a POST, and in this one, the variable would be part of a GET.

Finally, we take the default action that displays the list of employees and the form. Again we check for the existence of the $id variable. If it exists, we query the database to display the relevant record. Otherwise, we display a blank form.

This could be considered a very basic form handling technique. In the real world, more complicated form handling techniques get implemented.
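
The employee script above never assigns $submit, $delete, $id or the field values itself, so it depends on register_globals, and it places those values directly into its SQL strings. The following added example (not the article's code) shows the same add, edit and delete handling reading explicitly from $_POST and $_GET, with prepared statements and escaped output. The PDO connection details, the helper names h() and request_id(), and sending delete as a POST field are assumptions made for this example.

```php
<?php
// Added example, not the article's code. Assumed: PDO with the MySQL driver;
// the DSN, user name and password below are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=mydb;charset=utf8mb4', 'app_user', 'app_password', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
// Hypothetical helper: escape a value for HTML text or a quoted attribute.
function h($value) {
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}
// Hypothetical helper: return the request's id, or null unless it is a positive integer.
function request_id(array $source) {
    $id = filter_var($source['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}
$columns = ['first', 'last', 'address', 'position'];

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $id = request_id($_POST);
    $fields = [];
    foreach ($columns as $name) {
        $value = $_POST[$name] ?? '';
        $fields[$name] = is_string($value) ? trim($value) : '';
    }
    // Values travel as bound parameters and are never concatenated into the SQL text.
    if (isset($_POST['delete']) && $id !== null) {
        $pdo->prepare('DELETE FROM employees WHERE id = :id')->execute(['id' => $id]);
        echo 'Record deleted!<p>';
    } elseif (isset($_POST['submit']) && $id !== null) {
        $sql = 'UPDATE employees SET first = :first, last = :last, address = :address, position = :position WHERE id = :id';
        $pdo->prepare($sql)->execute($fields + ['id' => $id]);
        echo 'Record updated!<p>';
    } elseif (isset($_POST['submit'])) {
        $sql = 'INSERT INTO employees (first, last, address, position) VALUES (:first, :last, :address, :position)';
        $pdo->prepare($sql)->execute($fields);
        echo 'Record added!<p>';
    }
}
// Edit form fields: the id comes from the query string, stored values are escaped on output.
$row = array_fill_keys($columns, '');
$editId = request_id($_GET);
if ($editId !== null) {
    $stmt = $pdo->prepare('SELECT first, last, address, position FROM employees WHERE id = :id');
    $stmt->execute(['id' => $editId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC) ?: $row;
    printf('<input type="hidden" name="id" value="%d">', $editId);
}
foreach ($columns as $name) {
    printf('%s: <input type="text" name="%s" value="%s"><br>', h(ucfirst($name)), h($name), h($row[$name]));
}
```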

Comments
Stephen Orr - Bad, bad idea IP:62.254.64.19 | 2006-10-21 10:47:33
Where in the last block of code there do you actually grab the variables from $_POST? Won't work unless register_globals is on.

I know this is only meant to be a basic example, but seriously, this is a major security thing which should be covered at the basic level now.

Additionally, you're not doing any sanitizing (again possibly an advanced technique, but I really don't like the thought of how many SQL injection attacks this DOESN'T prevent).
Last Updated ( Thursday, 06 July 2006 )