PHP form processing

The PHP superglobal variables $_GET and $_POST are used to collect form data.

PHP - A simple HTML form

The following example shows a simple HTML form that contains two input fields and a submit button:

Example

<html>
<body>
<form action="welcome.php" method="post">
Name: <input type="text" name="name"><br>
E-mail: <input type="text" name="email"><br>
<input type="submit">
</form>
</body>
</html>

After the user fills out this form and clicks the submit button, the form data is sent to the PHP file named "welcome.php" for processing. The form data is sent using the HTTP POST method.

To display the submitted data, you can simply output (echo) all variables. The "welcome.php" file looks like this:

<html>
<body>
Welcome <?php echo $_POST["name"]; ?><br>
Your email address is: <?php echo $_POST["email"]; ?>
</body>
</html>

Output:

Welcome Bill
Your email address is Bill.Gates@example.com

You can also get the same result using the HTTP GET method:

Example

<html>
<body>
<form action="welcome_get.php" method="get">
Name: <input type="text" name="name"><br>
E-mail: <input type="text" name="email"><br>
<input type="submit">
</form>
</body>
</html>

"welcome_get.php" looks like this:

<html>
<body>
Welcome <?php echo $_GET["name"]; ?><br>
Your email address is: <?php echo $_GET["email"]; ?>
</body>
</html>

The code above is simple. However, the most important part is missing. You need to validate the form data to prevent vulnerabilities in the script.

Note: Pay attention to security when handling PHP forms!

This page does not include any form validation code; it only shows how to send and receive form data.

However, the later chapters will explain how to improve the security of PHP forms! Proper security validation for forms is very important for defending against hacker attacks and spam!
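
As an illustration of the step the scripts above leave out, here is a hardened version of "welcome.php". It is an added example, not part of the original tutorial; the helper names clean_field() and h() and the length limits are assumptions chosen for the example. Each field is checked before use and escaped on output, so a submitted name containing HTML markup is displayed as text instead of being interpreted by the browser.

```php
<?php
// Added example: a hardened welcome.php. The helper names clean_field() and
// h() are hypothetical, not part of PHP or of the original tutorial.

// Return a trimmed string field from $source, or null if it is missing,
// not a string (name[]=x arrives as an array), empty, or too long.
function clean_field(array $source, string $key, int $maxLen): ?string
{
    $value = $source[$key] ?? null;
    if (!is_string($value)) {
        return null;
    }
    $value = trim($value);
    if ($value === '' || strlen($value) > $maxLen) {
        return null;
    }
    return $value;
}

// Escape a value for output inside HTML text or a quoted attribute.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$errors = [];
$name  = clean_field($_POST, 'name', 100);   // limits are assumed values
$email = clean_field($_POST, 'email', 254);
if ($name === null) {
    $errors[] = 'Name is required (at most 100 bytes).';
}
if ($email === null || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    $errors[] = 'A valid e-mail address is required.';
}
?>
<html>
<body>
<?php if ($errors): ?>
<?php foreach ($errors as $error): ?>
<?php echo h($error); ?><br>
<?php endforeach; ?>
<?php else: ?>
Welcome <?php echo h($name); ?><br>
Your email address is: <?php echo h($email); ?>
<?php endif; ?>
</body>
</html>
```

Validation decides whether the input is accepted; escaping with htmlspecialchars() is what makes it safe to echo into the page, so both steps are needed.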

GET vs. POST

GET and POST both create arrays (for example, array(key => value, key2 => value2, key3 => value3, ...)). This array contains key/value pairs, where the key is the name of the form control and the value is the input data from the user.

GET and POST data are made available as $_GET and $_POST. These are superglobal variables, which means they can be accessed regardless of scope: without any special code, you can use them from any function, class, or file.

$_GET is an array of variables passed to the current script via URL parameters.

$_POST is an array of variables passed to the current script via HTTP POST.

When to use GET?

Information sent from a form with the GET method is visible to everyone (all variable names and values are displayed in the URL). GET also has a limit on the amount of information sent. The limit is about 2000 characters. However, since the variables are displayed in the URL, it is possible to bookmark the page.

GET can be used to send non-sensitive data.

Note: Never use GET to send passwords or other sensitive information!

When to use POST?

Information sent from a form with the POST method is invisible to others (all names/values are embedded in the body of the HTTP request), and there is no limit on the amount of information sent.

Moreover, POST supports advanced features, such as multi-part binary input when uploading files to the server.

However, since the variables are not displayed in the URL, the page cannot be added to bookmarks.

Tip: Developers prefer POST to send form data.

Let's see how to handle PHP forms safely!