Working with Forms
HTML forms are the primary mechanism for collecting user input in web applications. PHP exposes data submitted via the GET or POST methods through superglobal arrays. Understanding how to handle form submissions, validate input, and process data securely is essential for building interactive web applications. Forms enable user registration, login, data entry, search, and many other interactive features that make websites dynamic and useful.
PHP provides superglobal arrays to access form data: `$_GET` (URL query parameters and GET form submissions), `$_POST` (POST form bodies), and `$_REQUEST`, a merged view whose contents and precedence are set by the `request_order` ini directive (the php.ini files shipped with PHP use "GP", so cookies are excluded; if the directive is unset PHP falls back to `variables_order`, whose default "EGPCS" does include cookies). Because the same field name can arrive through more than one channel, read `$_GET` or `$_POST` explicitly and treat `$_REQUEST` as something to avoid. These arrays are populated by PHP before your script runs. `$_SERVER['REQUEST_METHOD']` tells you whether the request was GET or POST, which is how a script decides whether to render the empty form or process a submission.
Form validation is crucial for security, data integrity, and user experience. Client-side validation (JavaScript, HTML5 `required` and `type` attributes) gives immediate feedback but is only a convenience: anyone can submit a crafted request with curl or an intercepting proxy and skip it entirely. Server-side validation in PHP is the only check an attacker cannot bypass, so it must be complete on its own. Validate required fields, data types, formats (email, phone, etc.), lengths, and ranges against what you expect to receive, preferring allow-lists over attempts to strip "bad" characters. Keep validation separate from XSS prevention: XSS is prevented by escaping at output time with `htmlspecialchars()` (pass `ENT_QUOTES` and the page charset), not by mangling input on the way in. `filter_var()` and `filter_input()` with the `FILTER_VALIDATE_*` filters are the standard tools for format and range checks; note that the old `FILTER_SANITIZE_STRING` filter is deprecated as of PHP 8.1.
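The following is an added example, not code from the original page: a server-side validator that applies `filter_var()` format and range checks to a constructed payload standing in for `$_POST`, then escapes a field for output. The field names (`username`, `age`, `bio`), their rules, and the `field()` and `e()` helpers are assumptions chosen for illustration; `mb_strlen()` assumes the mbstring extension is loaded.

```php
<?php
// Added example (not from the original page). Field names, rules and the
// helper names are assumptions for illustration only.
declare(strict_types=1);

/**
 * Fetch a form field as a trimmed string. A field submitted as an array
 * (name[]=x) is treated as missing instead of triggering an
 * "Array to string conversion" warning.
 */
function field(array $input, string $key): string
{
    $value = $input[$key] ?? '';
    return is_string($value) ? trim($value) : '';
}

/**
 * Validate a registration-style payload.
 * Returns ['data' => [...], 'errors' => [...]]; only fields that pass appear in 'data'.
 */
function validateRegistration(array $input): array
{
    $data = [];
    $errors = [];

    // Username: allow-list of characters and a length bound in one regex.
    // \A and \z anchor the whole string (a trailing "$" would permit a final newline).
    $username = field($input, 'username');
    if (!preg_match('/\A[A-Za-z0-9_]{3,20}\z/', $username)) {
        $errors['username'] = 'Username must be 3-20 letters, digits or underscores';
    } else {
        $data['username'] = $username;
    }

    // Email: filter_var returns the value on success and false on failure,
    // so compare with === false rather than relying on truthiness.
    $email = filter_var(field($input, 'email'), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors['email'] = 'Invalid email address';
    } else {
        $data['email'] = $email;
    }

    // Age: FILTER_VALIDATE_INT rejects "12abc", "1e3" and leading zeros, and the
    // range options enforce the business rule in the same call. Returns int|false.
    $age = filter_var($input['age'] ?? '', FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 13, 'max_range' => 120],
    ]);
    if ($age === false) {
        $errors['age'] = 'Age must be a whole number between 13 and 120';
    } else {
        $data['age'] = $age;
    }

    // Free text: bound the length in characters, not bytes, so multibyte
    // UTF-8 input is measured the way the user sees it.
    $bio = field($input, 'bio');
    if (mb_strlen($bio, 'UTF-8') > 200) {
        $errors['bio'] = 'Bio must be at most 200 characters';
    } else {
        $data['bio'] = $bio;
    }

    return ['data' => $data, 'errors' => $errors];
}

/** Escape a value for HTML text content or a quoted attribute. */
function e(string $value): string
{
    // ENT_QUOTES escapes both ' and ". Before PHP 8.1 the default flags left
    // single quotes alone, which lets input break out of single-quoted attributes.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed payload standing in for $_POST; the bio carries an XSS probe.
$post = [
    'username' => 'alice_01',
    'email'    => 'alice@example.com',
    'age'      => '17',
    'bio'      => "' onmouseover='alert(1)",
];

$result = validateRegistration($post);
var_dump($result['errors']);
var_dump($result['data']['age']);

// Rendered into a single-quoted attribute the probe cannot close it,
// because every quote has become an HTML entity.
echo "<input value='" . e($result['data']['bio']) . "'>\n";
```

Run it from the command line with `php validate.php`. The payload above passes every rule and `age` comes back as an integer rather than the string `"17"`, which is the point of using `FILTER_VALIDATE_INT` over a manual `is_numeric()` check; change `'age'` to `'017'` or `'12abc'` to see the filter reject it.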
Security considerations include preventing SQL injection (use prepared statements with bound parameters, never string-built queries), XSS (escape output for the context it lands in), CSRF (a per-session token generated with `random_bytes()`, embedded in every state-changing form, and compared with `hash_equals()` before the request is processed), and enforcing authentication and authorization on the server for each request. Passwords are stored only as `password_hash()` output and checked with `password_verify()`. Never trust user input: validate it, and escape it on the way out. `filter_var()` and `filter_input()` cover most format validation. Understanding these controls helps you build applications that protect user data and resist the common attacks against form handlers.
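The following is an added example, not code from the original page, showing the three controls from this paragraph together: a session CSRF token issued with `random_bytes()` and checked with `hash_equals()`, a parameterised `INSERT` and `SELECT` through PDO, and password storage with `password_hash()`/`password_verify()`. The `users` table, its columns, the in-memory SQLite DSN and the helper names are assumptions for the demo; it assumes the `pdo_sqlite` extension is available.

```php
<?php
// Added example (not from the original page). Table name, columns, DSN and
// helper names are assumptions; the demo uses an in-memory SQLite database.
declare(strict_types=1);

session_start();

/** Return the session's CSRF token, generating one on first use. */
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // 32 bytes from the CSPRNG, hex-encoded so it is safe to embed in HTML.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Hidden input to place inside every state-changing form. */
function csrfField(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

/** Constant-time comparison of the submitted token with the session token. */
function csrfCheck(array $post): bool
{
    $submitted = $post['csrf_token'] ?? '';
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

/** Insert a user with bound parameters; user data never becomes part of the SQL text. */
function createUser(PDO $db, string $email, string $password): int
{
    // password_hash() chooses a random salt and the current default algorithm (bcrypt).
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // The unsafe alternative is string-building the statement:
    //   "INSERT INTO users (email, password_hash) VALUES ('$email', '$hash')"
    // where an email such as  x', 'y'); DROP TABLE users; --  rewrites the query.
    $stmt = $db->prepare('INSERT INTO users (email, password_hash) VALUES (:email, :hash)');
    $stmt->execute([':email' => $email, ':hash' => $hash]);
    return (int) $db->lastInsertId();
}

/** Look up a user by email and verify the password against the stored hash. */
function authenticate(PDO $db, string $email, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $hash = $stmt->fetchColumn();
    // password_verify() is constant-time; returning false for an unknown user too
    // lets the login page show one identical error for both failure cases.
    return $hash !== false && password_verify($password, (string) $hash);
}

// Self-contained demo on a constructed in-memory database.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password_hash TEXT)');

// Validation would normally reject this value; it is inserted here deliberately
// to show that a bound parameter stays an ordinary string and the table survives.
$hostile = "x', 'y'); DROP TABLE users; --";
createUser($db, $hostile, 'irrelevant');
createUser($db, 'alice@example.com', 'correct horse battery staple');

var_dump(authenticate($db, 'alice@example.com', 'correct horse battery staple'));
var_dump(authenticate($db, 'alice@example.com', 'wrong'));
var_dump($db->query('SELECT COUNT(*) FROM users')->fetchColumn());

// Request-handling sketch: refuse a POST that lacks a valid token before
// reading any other field. In the form itself, echo csrfField() inside <form>.
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST' && !csrfCheck($_POST)) {
    http_response_code(403);
    exit('Invalid CSRF token');
}
```

Two design points worth noting. The token is bound to the session, not to the form, so a single page with several forms needs only one token, and `hash_equals()` is used even though a timing attack on a 64-character hex token is impractical, because it costs nothing and keeps the comparison correct if the token format ever changes. The hostile email survives as a literal row value because the driver sends the statement and the parameters separately; the `COUNT(*)` at the end confirms the table is still there.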
Form processing typically involves checking that the form was submitted (`$_SERVER['REQUEST_METHOD'] === 'POST'`), verifying the CSRF token, validating every field, processing the data (saving to a database, sending email, etc.), and giving the user feedback. Error handling should be user-friendly, displaying clear messages about what to fix without exposing internals such as stack traces, SQL errors, or whether a given email is already registered. Success messages should confirm the action and guide the user to the next step. Understanding this flow helps you build forms that are both intuitive and secure.
Best practices include always validating server-side (never rely only on client-side checks), escaping all output to prevent XSS, using prepared statements for database operations, providing clear error messages, preserving the user's input on validation errors so they do not have to re-enter it (but never echoing a password back into the page), and serving sensitive forms only over HTTPS so credentials are not sent in the clear. Forms should be accessible, user-friendly, and secure. Understanding form handling enables you to build interactive, secure web applications.
Key Concepts
- HTML forms collect user input in web applications.
- PHP superglobals ($_GET, $_POST) access form data.
- Form validation is essential for security and data integrity.
- Always validate and sanitize user input to prevent attacks.
- Only server-side validation is enforced; client-side validation can be skipped by any client that does not run your JavaScript.
Learning Objectives
Master
- Processing form submissions with $_GET and $_POST
- Implementing form validation and sanitization
- Handling form errors and providing user feedback
- Understanding security considerations for form processing
Develop
- Security thinking and input validation awareness
- Understanding user experience in form design
- Building secure, user-friendly forms
Tips
- Always validate server-side—client-side validation can be bypassed.
- Use filter_var() and filter_input() for validation and sanitization.
- Escape output with htmlspecialchars($value, ENT_QUOTES, 'UTF-8') to prevent XSS; pass the flags explicitly rather than relying on version-dependent defaults.
- Use prepared statements for database operations to prevent SQL injection.
Common Pitfalls
- Trusting user input without validation, creating security vulnerabilities.
- Not escaping output, allowing XSS attacks.
- Using $_REQUEST instead of $_GET or $_POST (security risk).
- Not providing clear error messages, frustrating users.
Summary
- Forms collect user input via GET or POST methods.
- PHP superglobals ($_GET, $_POST) access form data.
- Form validation and sanitization are essential for security.
- Always validate server-side and escape output.
- Understanding form handling enables interactive web applications.
Exercise
Create a simple registration form with validation and processing.
<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8">
    <title>Registration Form</title>
</head>
<body>
<?php
session_start();

// One CSRF token per session, generated from the CSPRNG
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

$errors = [];
$success = false;
// Initialise the fields that are echoed back so a plain GET has defined values
$name = "";
$email = "";

if ($_SERVER["REQUEST_METHOD"] === "POST") {
    // Reject forged cross-site submissions before looking at any other field
    if (!hash_equals($_SESSION['csrf_token'], (string)($_POST['csrf_token'] ?? ''))) {
        $errors[] = "Invalid form token, please try again";
    }

    // Get form data; the ?? "" fallback avoids undefined-index notices
    $name = trim((string)($_POST["name"] ?? ""));
    $email = trim((string)($_POST["email"] ?? ""));
    $password = (string)($_POST["password"] ?? "");
    $confirm_password = (string)($_POST["confirm_password"] ?? "");

    // Validation (compare with === "" rather than empty(), which also rejects "0")
    if ($name === "") {
        $errors[] = "Name is required";
    } elseif (mb_strlen($name, 'UTF-8') > 100) {
        $errors[] = "Name must be at most 100 characters";
    }
    if ($email === "") {
        $errors[] = "Email is required";
    } elseif (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        $errors[] = "Invalid email format";
    }
    if ($password === "") {
        $errors[] = "Password is required";
    } elseif (strlen($password) < 8) {
        $errors[] = "Password must be at least 8 characters";
    }
    if ($password !== $confirm_password) {
        $errors[] = "Passwords do not match";
    }

    // If no errors, process the form
    if (empty($errors)) {
        $success = true;
        // In a real application, store password_hash($password, PASSWORD_DEFAULT)
        // in the database here using a prepared statement; never store the plaintext.
    }
}
?>
<h1>Registration Form</h1>
<?php if ($success): ?>
    <div style="color: green; padding: 10px; border: 1px solid green;">
        Registration successful! Welcome, <?php echo htmlspecialchars($name, ENT_QUOTES, 'UTF-8'); ?>!
    </div>
<?php endif; ?>
<?php if (!empty($errors)): ?>
    <div style="color: red; padding: 10px; border: 1px solid red;">
        <ul>
        <?php foreach ($errors as $error): ?>
            <li><?php echo htmlspecialchars($error, ENT_QUOTES, 'UTF-8'); ?></li>
        <?php endforeach; ?>
        </ul>
    </div>
<?php endif; ?>
<form method="POST" action="">
    <input type="hidden" name="csrf_token" value="<?php echo htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES, 'UTF-8'); ?>">
    <div>
        <label for="name">Name:</label>
        <!-- Previous input is preserved on error; every echoed value is escaped -->
        <input type="text" id="name" name="name" value="<?php echo htmlspecialchars($name, ENT_QUOTES, 'UTF-8'); ?>" required>
    </div>
    <br>
    <div>
        <label for="email">Email:</label>
        <input type="email" id="email" name="email" value="<?php echo htmlspecialchars($email, ENT_QUOTES, 'UTF-8'); ?>" required>
    </div>
    <br>
    <div>
        <!-- Password fields are never refilled from the submission -->
        <label for="password">Password:</label>
        <input type="password" id="password" name="password" required>
    </div>
    <br>
    <div>
        <label for="confirm_password">Confirm Password:</label>
        <input type="password" id="confirm_password" name="confirm_password" required>
    </div>
    <br>
    <button type="submit">Register</button>
</form>
</body>
</html>