Thursday, 12 July 2012

PHP POST & GET with Example Tutorial

Recall from the PHP Forms Lesson where we used an HTML form and sent it to a PHP web page for processing. In that lesson we opted to use the the post method for submitting, but we could have also chosen the get method. This lesson will review both transferring methods.
POST - Review
In our PHP Forms Lesson we used the post method. This is what the pertinent line of HTML code looked like:
HTML Code Excerpt:

This HTML code specifies that the form data will be submitted to the "process.php" web page using the POST method. The way that PHP does this is to store all the "posted" values into an associative array called "$_POST". Be sure to take notice the names of the form data names, as they represent the keys in the "$_POST" associative array.
Now that you know about associative arrays, the PHP code from "process.php" should make a litte more sense.
PHP Code Excerpt:
$quantity = $_POST['quantity'];
$item = $_POST['item'];
The form names are used as the keys in the associative array, so be sure that you never have two input items in your HTML form that have the same name. If you do, then you might see some problems arise.
As we mentioned before, the alternative to the post method is get. If we were to change our HTML form to the get method, it would look like this:
HTML Code Excerpt:

The get method is different in that it passes the variables along to the "process.php" web page by appending them onto the end of the URL. The URL, after clicking submit, would have this added on to the end of it:
The question mark "?" tells the browser that the following items are variables. Now that we changed the method of sending information on "order.html", we must change the "process.php" code to use the "$_GET" associative array.
PHP Code Excerpt:
$quantity = $_GET['quantity'];
$item = $_GET['item'];
After changing the array name the script will function properly. Using the get method displays the variable information to your visitor, so be sure you are not sending password information or other sensitive items with the get method. You would not want your visitors seeing something they are not supposed to!
Security Precautions
Whenever you are taking user input and using you need to be sure that the input is safe. If you are going to insert the data into a MySQL database, then you should be sure you have thought about preventing MySQL Injection. If you are going to make a user's input available to the public, then you should think about PHP htmlentities.
PHP htmlentities Function
Whenever you allow your users to submit text to your website, you need to be careful that you don't leave any security holes open for malicious users to exploit. If you are ever going to allow user submitted text to be visible by the public you should consider using the htmlentities function to prevent them from running html code and scripts that may be harmful to your visitors.
PHP - Converting HTML into Entities
The htmlentities function takes a string and returns the same string with HTML converted into HTML entities. For example, the string "'";
//Lets make it safer before we use it
$userInputEntities = htmlentities($userInput);
//Now we can display it
echo $userInputEntities;
The HTML output of the above script would be as follows:
Safe Raw HTML Code:
I am going to hax0r your site, hahaha!
<script type='text/javascript'>
window.location = ''
If we had not used htmlentities to convert any HTML code into safe entities, this is what the raw HTML code would be and it would have redirect a visitor to
Dangerous Raw HTML Code:
I am going to hax0r your site, hahaha!
Those two HTML code examples are what you would see if you were to view source on the web page. However, if you were just viewing the output normally in your browser you would see the following.
Safe Display:
I am going to hax0r your site, hahaha! '
Dangerous Display:
You'd see whatever spammer site that the malicious user had sent you to. Probably some herbal supplement site or weight loss pills would be displayed.
When Would You Use htmlentities?
Anytime you allow users to submit content to your website, that other visitors can see, you should consider removing the ability to let them use HTML. Although this will remove a lot of cool things that your users can do, like making heavily customized content, it will prevent your site from a lot of common attacks. With some custom coding you can just remove specific tags from running, but that is beyond the scope of this lesson.
Just remember, that when allowing users to submit content to your site you are also giving them access to your website. Be sure you take the proper precautions.

No comments:

Post a Comment