PHP form learning form input and verification

In the previous article, I brought you "How to set and obtain PDO attributes in PHP database learning?" ", which introduces in detail the relevant knowledge of how to set and obtain PDO attributes in PHP. In this article, we will take a look at the related issues of PHP forms. I hope it will be helpful to everyone!

In the previous article we have already understood the basics of PHP, including the $_GET and $_POST variables, They are used to retrieve information in forms. The knowledge points that need our attention are PHP form user input and form validation. Then let's take a look at the related knowledge of form input and form validation in PHP.

PHP forms and user input

To understand PHP forms and user input, first we need to understand what It's a form. To be precise, a Web form is an interactive platform, and its main function is to provide an interactive platform between viewers and the website. Forms are mainly used in web pages to send data to the server.

For example, the form used when registering information needs to be submitted when you fill in the information. Submission at this time is to transfer the content on the form when you register from the client browser to the server, and then through PHP After the program is processed, the information required by the user is passed back to the client browser. By obtaining the user's information, PHP and the Web form can interact. It just provides such an interactive platform.

Next, let’s take a look at the form through an example. The example is as follows:

<!DOCTYPE html>
 <html lang="en">
 <head>
     <meta charset="UTF-8">
     <title>PHP中文网</title>
 </head>
 <body>
 
 <form action="form.php" method="post">
     名字: <input type="text" name="fname"><br>
     年龄: <input type="text" name="age"><br>
     <input type="submit" value="提交">
 </form>
 
 </body>
 </html>

What we need to pay attention to is that the form belongs to HTML. For more related knowledge, you can click "HTMLTutorial" to study, the running results of the above example:

This is what we call the form, then we are in it Where will the filled-in information, that is, the form information be sent? When we click submit, the data in the form will be sent to the form.php page in the form of POST.

<?php
 header("Content-type:text/html;charset=utf-8");    //设置编码
 echo "欢迎你：".$_POST["fname"] ."<br/>";
 echo "你的年龄是：".$_POST[&#39;age&#39;];
 ?>

The running results we send to from.php are as follows:

When the user input is completed, the form needs to be verified at this time Now, user input should be validated via client-side script whenever possible. Browser validation is faster and reduces the load on the server.

If user input needs to be inserted into the database, you should consider using server validation. A good way to validate a form on the server is to pass the form to itself, rather than jumping to a different page. This way users can get error messages on the same form page. It will be easier for users to find errors. So let’s take a look at the related knowledge of form validation.

PHP Form Validation

We need to consider security when processing PHP forms. We will demonstrate the secure processing of PHP form data. In order to prevent hackers and spam, we need to perform data security verification on the form. Next, let's take a look at the required and optional text fields, radio buttons, and submit buttons in the form through examples.

The example is as follows:

<!DOCTYPE HTML>
 <html>
 <head>
     <meta charset="utf-8">
     <title>PHP.cn</title>
 </head>
 <body>
 <h2>PHP 表单验证实例</h2>
 <form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>"> 
    名字: <input type="text" name="name" value="">
     <br>
     E-mail: <input type="text" name="email" value="">
     <br>
     网址: <input type="text" name="website" value="">
     <br>
     备注: <textarea name="comment" rows="5" cols="40"></textarea>
     <br>
     性别:
     <input type="radio" name="gender"  value="female">女
     <input type="radio" name="gender"  value="male">男
     <br>
     <input type="submit" name="submit" value="提交">
 </form>
 </body>
 </html>

Output result:

What we need to pay attention to is that the different fields are Different validation rules, the validation rules for different fields in the above example are as follows:

The validation rules for names are required and can only contain letters and spaces. The E-mail validation rule is required, which must be a valid email address (containing '@' and '.'). The URL validation rule is optional, and if present, it must contain a valid URL. Validation rules for notes are optional, multi-line input fields. A gender validation rule is required and one must be selected.

Let’s take a look at the knowledge used in the above example:

<span style="font-size: 16px;"><strong>$_SERVER["PHP_SELF"] </strong></span> Variable

$_SERVER["PHP_SELF"] is a super global variable that returns the file name of the currently executing script. Therefore, $_SERVER["PHP_SELF"] sends the form data to the page itself instead of jumping to another page. In this way, users can get error message information on the form page.

<strong><span style="font-size: 16px;">htmlspecialchars()</span></strong>## Function

htmlspecialchars() 函数把特殊字符转换为 HTML 实体。这意味着 之类的 HTML 字符会被替换为 92d33664ec5f827b86e068a341370a86 。这样可防止攻击者通过在表单中注入 HTML 或 JavaScript 代码（跨站点脚本攻击）对代码进行利用。

其中我们需要注意的是：

$_SERVER["PHP_SELF"] 变量能够被黑客利用，如何避免 $_SERVER["PHP_SELF"] 被利用?

$_SERVER["PHP_SELF"] 可以通过 htmlspecialchars() 函数来避免被利用。

form 代码如下所示：

<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">

htmlspecialchars() 把一些预定义的字符转换为 HTML 实体。现在如果用户想利用 PHP_SELF 变量, 结果将输出如下所示：

<form method="post" action="test_form.php/"><script>alert(&#39;hacked&#39;)</script>">

尝试该漏洞失败！

通过PHP验证表单数据

我们要做的第一件事是通过 PHP 的 htmlspecialchars() 函数传递所有变量。在用户提交该表单时，我们还要做两件事：

首先通过 PHP trim() 函数去除用户输入数据中不必要的字符，比如多余的空格、制表符、换行等，然后通过 PHP stripslashes() 函数删除用户输入数据中的反斜杠（\）。接下来我们创建一个检查函数，我们把函数命名为 test_input()。最后我们能够通过 test_input() 函数检查每个 $_POST 变量。

我们将验证程序可以放到上述示例中去，示例如下：

 
 
     
     
 

 
 
 
 
 
PHP 表单验证实例
 <form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
     名字: 
     


     E-mail: 
     


     网址: 
     


     备注: 
     


     性别:
     女
     男
     


     
 
 
 您输入的内容是:";
 echo $name;
 echo "
";
 echo $email;
 echo "
";
 echo $website;
 echo "
";
 echo $comment;
 echo "
";
 echo $gender;
 ?>
 
 

输出结果：

其中我们需要注意的是：

我们在执行以上脚本时，会通过$_SERVER["REQUEST_METHOD"]来检测表单是否被提交 。如果 REQUEST_METHOD 是 POST, 表单将被提交 - 数据将被验证。如果表单未提交将跳过验证并显示空白。在以上实例中使用输入项都是可选的，即使用户不输入任何数据也可以正常显示。

大家如果感兴趣的话，可以点击《PHP视频教程》进行更多关于PHP知识的学习。

The above is the detailed content of PHP form learning form input and verification. For more information, please follow other related articles on the PHP Chinese website!