Talk:PHP Form Processing

HTML Forms
Small note about HTML forms: You can use hybrid-methods only if the "method" attribute in the "form" tag is set to "post".
 * Examples
 * action.php

&lt;pre&gt; <?   echo '_GET: '. print_r($_GET, true). "\n". '_POST: '. print_r($_POST, true); ?> &lt;/pre&gt;
 * form1.html - $_GET['getvar'], $_POST['first_name'], and $_POST['last_name'] will be available to action.php.

 First name: 

Last name: 


 * Output

_GET: Array (   [getvar] => getvarvalue )

_POST: Array (   [first_name] => First name:    [last_name] => Last name: )
 * form2.html - $_GET['first_name'] and $_GET['last_name'] will be available to action.php, while $_GET['getvar'] will not be available to said script.

 First name: 

Last name: 


 * Output

_GET: Array (   [first_name] => First name:    [last_name] => Last name: ) --Theraven 21:02, 26 November 2007 (PST)

Dangerous Code
Hi I'm new here and didn't want to edit anyones code, but that code is very dangerous! Hopefully no one is using it. You should add that ALL user submitted data, even $_POST and $_COOKIE values, be ran through a function like $the_var=clean_request($_GET['var']);

function clean_request($req) { $safe_text = wp_specialchars($text, true); return apply_filters('attribute_escape', $safe_text, $text); } -- User:Dreamidol


 * There is nothing "dangerous" about the code in the article. It is presented as a "no frills" explanation of how it works. Besides, the code you have given above is not generic (it is WordPress-specific), and therefore unsuitable. -- Scjessey 11:03, 9 November 2007 (PST)


 * While the code is not dangerous, there is no mention that before using the data outside the script, such as in the file system, database or email - or even in HTML output - it needs to be filtered to minimize vulnerablility to exploits. However since processing forms is not limited to PHP a separate article seems warranted. --Atropos 09:20, 11 November 2007 (PST)


 * Dangerous or not, it is the coder's responsibility to secure his code. --Theraven 21:02, 26 November 2007 (PST)