Chapter 7: Working With Forms

Validating the inputs
While the script is running, it can check to see if the values make sense. For example, an American zip code has 5 digits, maybe followed by a dash and 4 more digits. A Canadian postal code has both letters and numbers. But neither one contains punctuation marks such as semicolons. Using PHP's pattern-matching functions (preg_match() and friends, covered in the next chapter), you can check to see if the zip code looks like a zip code. If not, the error message should say something like "Invalid zip code, please enter the correct one."

You can also remove any characters that could be used to cause trouble. For instance, in a TEXTAREA field you could remove anything that looks like JavaScript. One idea is to have the script look for the tag <SCRIPT> that signals the beginning of a block of JavaScript (there might be some unpredictable stuff after the word SCRIPT and before the closing angle bracket), and remove anything you find that starts with <SCRIPT and ends with SCRIPT>. Be warned that this on its own is not a reliable safeguard: a browser will also run JavaScript from event attributes on ordinary tags (onclick, onerror and so on), and people who want to get past your filter vary the case and spelling of the tag. A better way to safeguard the TEXTAREA is to simply remove all the HTML tags. The strip_tags(text, allowed) function will take care of <SCRIPT>, </SCRIPT> and any other tags, and you can specify any tags you wish to allow by putting them in the second argument. Remember that an allowed tag keeps its attributes, so allow as few tags as you can. And whenever you put the text back into a web page, pass it through htmlspecialchars() so that anything that survived is shown as text rather than interpreted by the browser. That last step is what actually keeps the JavaScript from being executed.
Example: $text = strip_tags($text, "<BR>");

Likewise, don't accept an entry for the email address that doesn't "look" like an email address. There's a lot of variety in how email addresses are composed, but there are some rules. Take a look at this:

^([A-Za-z_\.]*)@([A-Za-z_]*)\.([A-Za-z_\.]*)$

I know it looks pretty strange, so I'll tell you what it is. It's a "Perl-compatible regular expression" (a pattern) that describes the shape of an email address: something, an @ sign, something, a dot, something. There are a lot of operators and other things in there that are probably unfamiliar, but I'll explain them in the next chapter. Be aware that this particular pattern is stricter than the real rules: it allows only letters, underscores and dots, so an ordinary address containing a digit, a hyphen or a plus sign (jane2@my-host.com, say) would be rejected. PHP's built-in filter_var($email, FILTER_VALIDATE_EMAIL) applies the full rules and is the better choice for a real form. Still, the point stands: PHP can recognize Perl-compatible regular expressions. That's a very good thing. Why? Because it means you can use these patterns to see whether a data item contains just what it should, and nothing else. If the comparison fails, you can send back an error message.

Here's another approach. Suppose an item does contain stuff you know could be dangerous. You can use preg_replace() (the older ereg_replace() was removed in PHP 7) to replace it with ... drum roll please ... NOTHING! Yep, you can just throw away the dangerous stuff altogether without even stopping to send an error message. This can be a much better way, since some users may accidentally, not maliciously, type in something they shouldn't have. You don't even have to let them know about it, or make them correct it. This will make your forms more user-friendly. After you've removed anything you don't want, take the item and check it again to see if it still matches the pattern you were expecting; removing one bad piece can leave the rest in a shape you didn't anticipate.

Tip: If you're considering using a PHP script that somebody else wrote, look for features like this, if it does any form processing. I'm not saying you shouldn't use the script. I'm just saying that somebody needs to add data checking. So who's it going to be? You? Your programmer if you have one? The author of the script? Be sure to test-drive the script and find out if it's safe. Don't use it if it isn't. Insist that any script you buy be at least this secure. It's your web site, and your business, that will be at risk.
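Here are the checks from this section written out in working PHP. This is an added example, not code from the book: the function names, the allowed-tag choice and every sample value are my own, constructed for the illustration. It shows the zip and postal code patterns with preg_match(), email checking with PHP's built-in filter_var(), and strip_tags() next to htmlspecialchars() so you can see what each one does to the same TEXTAREA submission.

```php
<?php
// Added example (not code from the book): the checks described above, written
// with preg_match() and filter_var(). strip_tags() removes markup, but the
// step that actually keeps JavaScript from running is htmlspecialchars() when
// the text is put back into a page. All sample values below are constructed.

function valid_us_zip(string $zip): bool
{
    // five digits, optionally a dash and four more
    return preg_match('/^\d{5}(-\d{4})?$/', $zip) === 1;
}

function valid_ca_postal(string $code): bool
{
    // letter digit letter, optional space, digit letter digit (e.g. K1A 0B1)
    return preg_match('/^[A-Za-z]\d[A-Za-z] ?\d[A-Za-z]\d$/', $code) === 1;
}

function valid_email(string $email): bool
{
    // PHP's built-in validator; unlike the book's pattern it accepts digits,
    // hyphens and plus signs in real addresses and rejects malformed ones
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

function clean_textarea(string $text): string
{
    // drop every tag except <br>; an allowed tag keeps its attributes,
    // so allow as little as possible
    return strip_tags($text, '<br>');
}

function show(string $text): string
{
    // encode for output: <, >, &, and quotes become entities and cannot open a tag
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed zip / postal code inputs, including two that must be rejected
$zips = ['12345', '12345-6789', 'K1A 0B1', '12345;', '1234'];
foreach ($zips as $z) {
    printf("%-12s US:%-4s CA:%s\n", $z,
        valid_us_zip($z) ? 'ok' : 'bad', valid_ca_postal($z) ? 'ok' : 'bad');
}

// Constructed email inputs; the second is rejected by the book's pattern
// but is a perfectly normal address
$emails = ['jane.doe@example.com', 'j+list@my-host.example.org',
           'no-at-sign.example.com', 'jane doe@example.com'];
foreach ($emails as $e) {
    printf("%-30s %s\n", $e, valid_email($e) ? 'ok' : 'bad');
}

// A constructed TEXTAREA submission carrying a script block, an event
// attribute on an ordinary tag, and a line break the site wants to keep
$comment = "Nice site!<br>Thanks <b>a lot</b> <script>alert('x')</script>"
         . " <img src=x onerror=alert(1)>";
echo clean_textarea($comment), "\n";   // tags removed, <br> and the words kept
echo show($comment), "\n";             // whole text kept, every tag shown literally
```

Run it from the command line with php on the file. Note that clean_textarea() still leaves the word alert and the parentheses behind as plain text; that is harmless once show() has encoded the output, which is why the two belong together rather than either one alone.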
Sending the data somewhere
A script can catch all these inputs and also the variables that pass between client and server as part of handling the form. Notice that each input has a name given in the form code. These names are what your script will look for among all the data passed to it by the server.

What you should have learned from this chapter is that you can collect data items with a form and send them to a script to be processed in some way. You'll have to give each item a name, so you might as well make the name meaningful. In the form you just looked at, "email" contains the user's email address and "fname" contains their first name. These names are referred to as "keys." During processing by the script, they will end up as key/value pairs: the key names the value that was picked up from the form. The keys used in this form are fname, lname, address, city, state, zipcode, country, email, phone, company, fax, quantity1 and adtype.

If "register_globals" is set to "on" in your system configuration, PHP automatically extracts the key/value pairs, creates a global variable for each one and names them whatever you called them in the form! Suppose you have a form input whose name is "email." When your PHP script is called, a variable called $email is created for you, holding whatever value was passed to the script (in this example, the email address a visitor entered on the form). In the script you can simply assume that $email exists and do whatever you want with it. Do you see how easy that makes things for you?

But that is seldom true any more, and you shouldn't want it to be. It's not secure: a visitor can add any name they like to the request and overwrite variables your script never meant them to touch, and hackers have found hundreds of ways to exploit this security hole. register_globals has been off by default since PHP 4.2 and was removed entirely in PHP 5.4. If you're not sure which way PHP is configured, go run that phpinfo.php I mentioned a while back.

But how do you get the variables if they aren't created automatically? Here's how I do it:

    $inputs = array("id", "type");   // the field names you expect; nothing else is copied
    foreach ($inputs as $input) {
        // ${$input} is the variable whose name is held in $input; "" if the field wasn't sent
        ${$input} = isset($_POST[$input]) ? $_POST[$input] : "";
    }

I suppose you'll want to know how this works, right? It's pretty straightforward, but I'll take it line by line. The first line creates an array and puts the names of all your form fields into it. The second line loops through the array and selects one field name at a time until they are all used. The third line does two things: 1) it creates a local variable with the same name as each form field (${$input} is a "variable variable": the variable whose name is the current value of $input), and 2) assigns the value that was entered in the form field to that new local variable, or an empty string if the visitor's browser didn't send that field at all. You can save this handy little snippet and use it over and over. All you ever need to change is the list (array) of field names, so they match the field names you used in your form. Never build that list from the request itself, though, or you are right back to register_globals. It works because the $_POST array is indexed by the field names (it's an associative array) and the values are the ones the user entered on your form. Now it should make perfect sense to you.

OK. So what can you do with the email address (or any other item you got from the form)? You could save it in a text file or a database to use later. You could send an email message to that address immediately. You could use it to trigger an autoresponder, so the person gets a series of messages on a preset schedule. You could add the person to your newsletter list. You're only limited by your imagination.

Sometimes we need to extract variables that were passed in the query string. Everything after the "?" in a URL is a query string. You've seen a query string in lots of affiliate links; they usually pass the affiliate's ID so the sale can be tracked to the affiliate who sent you to the site. When a form uses method="GET", all the name/value pairs are placed in the query string of the URL the browser requests (a POST form sends them in the body of the request instead, which is why they turn up in $_POST). You can see this in action by performing a search on Google. PHP has already parsed the query string for you into the $_GET array, so the snippet above works just as well with $_GET in place of $_POST. The raw, unparsed string is also available in $_SERVER["QUERY_STRING"], and the next snippet takes it apart by hand. This is coded a little differently, though.
It's even simpler than the other code snippet because you never have to edit anything in it. Just drop it in and it works every time. That is also its problem, as you'll see in a moment. Here's the code:

    $qs = explode("&", $_SERVER["QUERY_STRING"]);   // split() is gone since PHP 7
    foreach ($qs as $input) {
        if ($input === "") continue;                // an empty query string gives one empty piece
        $temp = explode("=", $input, 2);            // split on the first "=" only
        // undo the %XX and "+" encoding of the URL, then create a variable named after the key
        ${$temp[0]} = urldecode(isset($temp[1]) ? $temp[1] : "");
    }

This code is a little more complex, but not much. First the key/value pairs are separated. Each pair was connected to the last pair by an &, so we can use that to split them up. We store them as strings in a list and then loop through that list to deal with each one. Each pair has an = sign between the key and the value. All that's left is to decode the value (a space arrives as %20 or as +, for instance), create a variable from the key and assign the value to the variable. The braces in ${$temp[0]} matter: since PHP 7, $$temp[0] without them means something different and the snippet silently stops working.

Now for the problem. Because the names come from the query string, the visitor decides which variables get created, and any variable your script set before this loop can be overwritten just by adding its name to the URL. That is exactly the hole register_globals opened. So either keep a list of the names you expect and ignore the rest, or better, read them from $_GET, which PHP has already filled in and decoded for you, picking out only the keys you know about.

Want to see a really big query string? OK, go to your favorite search engine. Type in some search words. Pick one of the search results and click the link to see that page. Now look at the address bar of your browser. That long weird-looking URL contains a query string. The search script Google used to deliver the results created the URLs for the results. The query strings contain your search terms and other things that Google used to find those web pages.
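Both snippets in this section (the $_POST loop earlier and the query-string loop just above) create variables named after request keys. The following is an added example, not the book's code: it runs the query-string loop against a constructed request to show how a visitor can overwrite a variable the script set itself, then does the same job with an allow-listed array that serves $_POST and $_GET alike. The function collect(), the flag $loggedin, and all of the request data are made up for the illustration.

```php
<?php
// Added example, not code from the book. It shows (1) why creating a variable
// for every key in the request reproduces the register_globals hole, and
// (2) an allow-listed alternative that works the same way for $_POST and $_GET.
// The query string, the POST body and the $loggedin flag are all constructed.

// --- 1. The book's query-string loop, run against a constructed request ---
$loggedin = false;                          // set by the script, never by the visitor
$query = 'id=42&type=banner&note=hello%20world%26more&loggedin=1';

foreach (explode('&', $query) as $pair) {
    $temp = explode('=', $pair, 2);
    ${$temp[0]} = $temp[1] ?? '';           // the visitor chooses the variable name
}
var_dump($loggedin);                        // overwritten from the URL
var_dump($note);                            // still percent-encoded: no urldecode()

// --- 2. Allow-listed collection into an array ---
function collect(array $source, array $allowed): array
{
    $out = [];
    foreach ($allowed as $key) {
        $value = $source[$key] ?? '';       // missing field -> empty string, no notice
        // id[]=1 arrives as an array; a text field must stay a string
        $out[$key] = is_string($value) ? trim($value) : '';
    }
    return $out;
}

$loggedin = false;
parse_str($query, $get);                    // what PHP does to build $_GET; decodes %20 and +
$params = collect($get, ['id', 'type', 'note']);
var_dump($loggedin);                        // untouched this time
var_dump($params);                          // id, type, decoded note; no loggedin key

// The same function applied to the book's POST form (constructed body, with
// one key the form never defined and one field sent as an array)
$post = ['fname' => ' Jane ', 'email' => 'jane@example.com',
         'quantity1' => ['1', '2'], 'is_admin' => '1'];
$fields = collect($post, ['fname', 'lname', 'email', 'quantity1']);
var_dump($fields);                          // trimmed fname, empty lname and quantity1, no is_admin
```

Always give parse_str() its second argument: the one-argument form registered every key as a variable, exactly like the loop in part 1, and was removed in PHP 8. In a real script you would pass $_GET or $_POST straight to collect() instead of building the arrays by hand.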
Copyright © 2004 Steve Humphrey