Talk:PHP Form Processing
From DreamHost
HTML Forms
Small note about HTML forms: You can use hybrid methods only if the "method" attribute in the "form" tag is set to "post".
- Examples
- action.php
<pre>
<?php
// Dump both superglobals so the effect of the form's method attribute is visible.
// (The short open tag "<?" only works when short_open_tag is enabled; "<?php" always does.)
echo '_GET: ' . print_r($_GET, true) . "\n" .
'_POST: ' . print_r($_POST, true);
?>
</pre>
- form1.html - $_GET['getvar'], $_POST['first_name'], and $_POST['last_name'] will be available to action.php.
<form method="post" action="action.php?getvar=getvarvalue">
First name: <input type="text" name="first_name" value="First name:"/><br />
Last name: <input type="text" name="last_name" value="Last name:"/><br />
<input type="submit" value="Submit Form" />
</form>
- Output
_GET: Array
(
[getvar] => getvarvalue
)
_POST: Array
(
[first_name] => First name:
[last_name] => Last name:
)
- form2.html - $_GET['first_name'] and $_GET['last_name'] will be available to action.php, while $_GET['getvar'] will not be available to said script.
<form method="get" action="action.php?getvar=getvarvalue">
First name: <input type="text" name="first_name" value="First name:"/><br />
Last name: <input type="text" name="last_name" value="Last name:"/><br />
<input type="submit" value="Submit Form" />
</form>
- Output
_GET: Array
(
[first_name] => First name:
[last_name] => Last name:
)
--Theraven 21:02, 26 November 2007 (PST)
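An added example of how action.php could consume the hybrid form from form1.html above (this is not the wiki article's code): the request method and the two superglobals are passed in as parameters so the same logic can be run from the command line against constructed input. The field names, the pattern used for getvar and the length limits are assumptions chosen for illustration.

```php
<?php
// Added example, not from the wiki article. Handles the hybrid form:
// the query-string token arrives in $get, the form fields in $post.
declare(strict_types=1);

/**
 * Read the hybrid form. Returns either the accepted values or the errors found.
 * Superglobals are parameters so the function can be exercised offline.
 */
function process_form(string $method, array $get, array $post): array
{
    // With method="get" the browser replaces the query string of the action URL
    // with the form fields, so getvar never arrives; the pattern needs POST.
    if ($method !== 'POST') {
        return ['ok' => false, 'errors' => ['method' => 'expected POST, got ' . $method]];
    }

    $errors = [];

    // getvar is the fixed token the form carried in its action; accept only a narrow charset.
    $getvar = $get['getvar'] ?? null;
    if (!is_string($getvar) || !preg_match('/^[A-Za-z0-9_-]{1,32}$/', $getvar)) {
        $errors['getvar'] = 'missing or malformed';
    }

    // Whitelist the expected fields and validate each one; never iterate $post blindly.
    $fields = [];
    foreach (['first_name', 'last_name'] as $name) {
        $value = $post[$name] ?? '';
        if (!is_string($value)) {            // arrays arrive if the client sends name[]=
            $errors[$name] = 'not a string';
            continue;
        }
        $value = trim($value);
        // Reject control characters and absurd lengths before the value goes anywhere.
        if ($value === '' || strlen($value) > 100 || preg_match('/[\x00-\x1F\x7F]/', $value)) {
            $errors[$name] = 'empty, too long or contains control characters';
            continue;
        }
        $fields[$name] = $value;
    }

    if ($errors !== []) {
        return ['ok' => false, 'errors' => $errors];
    }
    return ['ok' => true, 'getvar' => $getvar, 'fields' => $fields];
}

if (PHP_SAPI === 'cli') {
    // Constructed input standing in for what PHP would populate from a real request.
    // form1.html: method="post", the query string survives.
    print_r(process_form('POST', ['getvar' => 'getvarvalue'],
        ['first_name' => 'Ada', 'last_name' => 'Lovelace']));
    // form2.html: method="get", the browser dropped getvar and put the fields in $_GET.
    print_r(process_form('GET', ['first_name' => 'Ada', 'last_name' => 'Lovelace'], []));
    // A hostile body: an array where a string is expected, and a CRLF-bearing name.
    print_r(process_form('POST', ['getvar' => 'getvarvalue'],
        ['first_name' => ['x'], 'last_name' => "Lovelace\r\nBcc: attacker@example.com"]));
} else {
    // Real request: hand the superglobals over. Plain text so nothing is rendered as HTML.
    header('Content-Type: text/plain; charset=utf-8');
    print_r(process_form($_SERVER['REQUEST_METHOD'] ?? 'GET', $_GET, $_POST));
}
```

Run it with `php action_demo.php` to see the three cases; the second one fails on the method check, which is exactly why form2.html never delivers getvar.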
Dangerous Code
Hi, I'm new here and didn't want to edit anyone's code, but that code is very dangerous! Hopefully no one is using it. You should add that ALL user submitted data, even $_POST and $_COOKIE values, be run through a function like $the_var=clean_request($_GET['var']);
// WordPress-specific: wp_specialchars() and the attribute_escape filter come from WordPress.
// The original used an undefined $text; the parameter is $req.
function clean_request($req)
{
$safe_text = wp_specialchars($req, true);
return apply_filters('attribute_escape', $safe_text, $req);
}
- There is nothing "dangerous" about the code in the article. It is presented as a "no frills" explanation of how it works. Besides, the code you have given above is not generic (it is WordPress-specific), and therefore unsuitable. -- Scjessey 11:03, 9 November 2007 (PST)
- While the code is not dangerous, there is no mention that before using the data outside the script, such as in the file system, database or email - or even in HTML output - it needs to be filtered to minimize vulnerability to exploits. However, since processing forms is not limited to PHP, a separate article seems warranted. --Atropos 09:20, 11 November 2007 (PST)
- Dangerous or not, it is the coder's responsibility to secure his code. --Theraven 21:02, 26 November 2007 (PST)
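An added example, in generic PHP rather than the WordPress helper posted above, of the point Atropos raises: one validated form value needs a different treatment for each place it ends up (HTML output, a mail header, a file name, a database row). This is not the wiki article's code; the table name, the SQLite in-memory database and the hostile sample values are constructed for the demonstration.

```php
<?php
// Added example, not from the wiki article. Escaping is chosen per sink,
// not done once on input. Requires the pdo_sqlite extension for the DB part.
declare(strict_types=1);

/** HTML body or attribute: encode so the browser never sees markup from the user. */
function for_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Mail header value: a CR, LF or NUL here lets the sender inject Bcc:/extra headers. */
function for_mail_header(string $s): string
{
    if (preg_match('/[\r\n\x00]/', $s)) {
        throw new InvalidArgumentException('CR/LF/NUL in mail header value');
    }
    return $s;
}

/** Filesystem: keep only the last path component and a conservative character set. */
function for_filename(string $s): string
{
    $base = basename($s);                       // drops "../" and directory parts
    $base = preg_replace('/[^A-Za-z0-9._-]/', '_', $base);
    if ($base === '' || $base === '.' || $base === '..') {
        throw new InvalidArgumentException('unusable file name');
    }
    return $base;
}

/** Database: no string escaping at all; bind the value with a prepared statement. */
function store_name(PDO $db, string $first, string $last): int
{
    $stmt = $db->prepare('INSERT INTO people (first_name, last_name) VALUES (:f, :l)');
    $stmt->execute([':f' => $first, ':l' => $last]);
    return (int) $db->lastInsertId();
}

// Constructed hostile input, standing in for $_POST values that already passed
// type and length validation (this example covers the output side only).
$first = "<script>alert(1)</script>";
$last  = "O'Brien' OR 1=1 --";
$file  = "../../etc/passwd";

echo "HTML:     " . for_html($first) . "\n";
echo "filename: " . for_filename($file) . "\n";

try {
    for_mail_header("a@example.com\r\nBcc: b@example.com");
} catch (InvalidArgumentException $e) {
    echo "mail:     rejected (" . $e->getMessage() . ")\n";
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT)');
$id  = store_name($db, $first, $last);
$row = $db->query('SELECT first_name, last_name FROM people')->fetch(PDO::FETCH_ASSOC);
// The quote and the comment sequence were stored literally; nothing was interpreted as SQL.
echo "db:       row $id = " . json_encode($row) . "\n";
```

The design choice worth noting is that the database path does no escaping at all: with bound parameters the value never becomes part of the SQL text, so there is nothing to escape. The HTML, mail and filesystem sinks each have their own rule because each interprets a different set of characters.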

