Handling Form Data and Security in PHP
Accessing Form Data in PHP
PHP provides several superglobal arrays to retrieve data from HTTP requests, cookies, and other sources.
Using $_GET for GET Requests
When a form is submitted with the GET method, data is appended to the URL as query parameters. Use the $_GET array to access this data.
HTML Form Example:
<!DOCTYPE html>
<html>
<head>
    <title>User Registration</title>
</head>
<body>
    <h2>Register User</h2>
    <form action="process_get.php" method="get">
        <label>User Name:</label>
        <input type="text" name="user_name" required>
        <br>
        <input type="submit" value="Submit">
    </form>
</body>
</html>
PHP Processing Script (process_get.php):
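<?php
// Read the query parameter; default to an empty string when it is absent.
$userName = $_GET['user_name'] ?? '';
// Escape before output so markup in the value is shown as text, not rendered.
echo "User Name: " . htmlspecialchars($userName, ENT_QUOTES, 'UTF-8');
?>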
Using $_POST for POST Requests
For forms submitted with the POST method, data is sent in the request body. Access it via the $_POST array.
HTML Form Example:
<!DOCTYPE html>
<html>
<head>
    <title>User Registration</title>
</head>
<body>
    <h2>Register User</h2>
    <form action="process_post.php" method="post">
        <label>User Name:</label>
        <input type="text" name="user_name" required>
        <br>
        <input type="submit" value="Submit">
    </form>
</body>
</html>
PHP Processing Script (process_post.php):
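<?php
// Read the POST field; default to an empty string when it is absent.
$userName = $_POST['user_name'] ?? '';
// Escape before output so markup in the value is shown as text, not rendered.
echo "User Name: " . htmlspecialchars($userName, ENT_QUOTES, 'UTF-8');
?>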
Using $_COOKIE for Cookie Data
Cookies store data on the client side. Use setcookie() to set a cookie and $_COOKIE to retrieve it.
HTML Form to Set Cookie:
<!DOCTYPE html>
<html>
<head>
    <meta charset="UTF-8">
    <title>Set User Name</title>
</head>
<body>
    <h3>Set User Name</h3>
    <form action="set_cookie.php" method="post">
        <label for="user_name">User Name:</label>
        <input type="text" id="user_name" name="user_name">
        <input type="submit" value="Submit">
    </form>
</body>
</html>
PHP Script to Set and Retrieve Cookie (set_cookie.php):
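<?php
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    if (isset($_POST['user_name'])) {
        $userName = $_POST['user_name'];
        // Send the cookie to the browser; it expires in one hour.
        // setcookie() must run before any output is sent.
        setcookie("user_name", $userName, time() + 3600);
        // $_COOKIE is filled from the incoming request, so the cookie set
        // above only appears in $_COOKIE["user_name"] on the next request.
        // Greet with the value that was just submitted.
        $cookieValue = $userName;
        echo "Welcome, " . htmlspecialchars($cookieValue, ENT_QUOTES, 'UTF-8') . "!";
    }
}
?>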
Using $_REQUEST for Combined Data
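By default, the $_REQUEST array merges data from $_GET, $_POST, and $_COOKIE; which sources are included, and which one wins when a name appears in more than one, depends on the request_order and variables_order settings in php.ini. It can be used to access data regardless of the submission method, which also means the script cannot tell which source a value came from.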
HTML Form Example:
<!DOCTYPE html>
<html>
<head>
    <title>User Registration</title>
</head>
<body>
    <h2>Register User</h2>
    <form action="process_request.php" method="post">
        <label>User Name:</label>
        <input type="text" name="user_name" required>
        <br>
        <input type="submit" value="Submit">
    </form>
    <a href="process_request.php?user_name=John+Doe">Direct Access</a>
</body>
</html>
PHP Processing Script (process_request.php):
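<?php
// Start with a default so $userName is defined when no source supplies it.
$userName = '';
// Check each source in turn; a later match overrides an earlier one.
if (isset($_GET['user_name'])) {
    $userName = $_GET['user_name'];
}
if (isset($_POST['user_name'])) {
    $userName = $_POST['user_name'];
}
if (isset($_COOKIE['user_name'])) {
    $userName = $_COOKIE['user_name'];
}
// Escape before output so markup in the value is shown as text, not rendered.
echo "User Name: " . htmlspecialchars($userName, ENT_QUOTES, 'UTF-8');
?>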
Distinguishing Between isset($_POST) and $_SERVER["REQUEST_METHOD"]
isset($_POST['field_name']) checks if a specific field exists in the $_POST array, indicating that the field was submitted via POST. $_SERVER["REQUEST_METHOD"] returns the HTTP method of the current request (e.g., GET, POST). Use $_SERVER["REQUEST_METHOD"] == "POST" to restrict processing to POST requests.
Preventing SQL Injection
Directly embedding user input into SQL queries can lead to security vulnerabilities. Use prepared statements to mitigate SQL injection risks.
Vulnerable Example:
<?php
// Deliberately vulnerable: user input is concatenated into the SQL text.
$userName = $_REQUEST['uname'] ?? '';
$passWord = $_REQUEST['pwd'] ?? '';
if ($userName != '' && $passWord != '') {
    $connection = mysqli_connect("localhost", "root", "root", "php");
    // The submitted values become part of the query string itself, so
    // quote characters in the input can change the structure of the query.
    $query = "SELECT * FROM admin WHERE username = '" . $userName . "' AND password = '" . $passWord . "'";
    echo $query;
    $result = mysqli_query($connection, $query);
    $row = mysqli_fetch_array($result);
    echo "Your password is: " . $row['password'];
    if ($userName == $row['username']) {
        echo 'Login successful';
    }
    mysqli_close($connection);
} else {
    echo 'Invalid credentials';
}
?>
Secure Example Using Prepared Statements:
<?php
$userName = $_REQUEST['uname'] ?? '';
$passWord = $_REQUEST['pwd'] ?? '';
if ($userName != '' && $passWord != '') {
    $connection = mysqli_connect("localhost", "root", "root", "php");
    // The query text is fixed; each ? is a placeholder for a bound value.
    $stmt = mysqli_prepare($connection, "SELECT * FROM admin WHERE username = ? AND password = ?");
    // "ss" declares two string parameters; they are sent as data, not SQL.
    mysqli_stmt_bind_param($stmt, "ss", $userName, $passWord);
    mysqli_stmt_execute($stmt);
    $result = mysqli_stmt_get_result($stmt);
    $row = mysqli_fetch_array($result);
    if ($row) {
        echo "Your password is: " . htmlspecialchars($row['password'], ENT_QUOTES, 'UTF-8');
        echo 'Login successful';
    } else {
        echo 'Invalid credentials';
    }
    mysqli_stmt_close($stmt);
    mysqli_close($connection);
} else {
    echo 'Invalid credentials';
}
?>
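The difference between the two login scripts above, as an added example that is not code from the original page: it swaps mysqli/MySQL for PDO with an in-memory SQLite database so it runs without a server, and assumes the pdo_sqlite extension is enabled. The function names, table contents and inputs are constructed for illustration.

```php
<?php
// Added example: PDO with in-memory SQLite stands in for the page's mysqli
// connection so it runs without a server. All data below is constructed.
// The plaintext password column mirrors the page's table; production code
// stores password_hash() output and checks it with password_verify().
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE admin (username TEXT PRIMARY KEY, password TEXT)");
$seed = $db->prepare("INSERT INTO admin (username, password) VALUES (?, ?)");
$seed->execute(["O'Brien", 'sample-password']);

// Concatenation, as in the vulnerable example: the input becomes SQL text.
function lookupConcatenated(PDO $db, string $user, string $pass): string
{
    $sql = "SELECT username FROM admin WHERE username = '" . $user
         . "' AND password = '" . $pass . "'";
    try {
        $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
        return $row ? 'match' : 'no match';
    } catch (PDOException $e) {
        // The quote inside the value ended the string literal early.
        return 'query broken by input';
    }
}

// Placeholders, as in the secure example: the input is bound as data.
function lookupPrepared(PDO $db, string $user, string $pass): string
{
    $stmt = $db->prepare(
        "SELECT username FROM admin WHERE username = ? AND password = ?"
    );
    $stmt->execute([$user, $pass]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ? 'match' : 'no match';
}

$cases = [
    ["O'Brien", 'sample-password'],   // legitimate name containing a quote
    ["O'Brien", 'wrong-password'],
    ['nobody',  'sample-password'],
];
foreach ($cases as [$user, $pass]) {
    printf("%-10s %-16s concatenated: %-22s prepared: %s\n",
        $user, $pass,
        lookupConcatenated($db, $user, $pass),
        lookupPrepared($db, $user, $pass));
}
```

A name that merely contains an apostrophe is enough to change how the concatenated statement parses, while the prepared statement handles the same value as ordinary data.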