PHP Form Handling – Step-by-Step Guide

What is PHP Form Handling?

Form handling in PHP refers to the process of collecting user input from an HTML form, processing it, and displaying or storing it.

Common Uses:

  • User registration & login forms
  • Contact forms
  • Feedback and surveys
  • Search forms

HTML Form Basics

Before handling form data, we need to create an HTML form:

<form action="process.php" method="POST">
    <label for="name">Name:</label>
    <input type="text" name="name" required>
    
    <label for="email">Email:</label>
    <input type="email" name="email" required>

    <input type="submit" value="Submit">
</form>

method="POST" → Sends form data securely.
action="process.php" → Sends data to process.php for handling.
required attribute → Ensures fields are not empty.

Handling Form Data with PHP ($_POST & $_GET)

Using $_POST Method (Recommended for Security)

$_POST is used for sending data securely (hidden in HTTP requests).

Example: process.php (Handling Form Data)

<?php
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    $name = $_POST["name"];
    $email = $_POST["email"];

    echo "Name: " . htmlspecialchars($name) . "<br>";
    echo "Email: " . htmlspecialchars($email);
}
?>

Why use htmlspecialchars()?

  • Prevents Cross-Site Scripting (XSS) attacks.
  • Converts special characters like <script> into safe text.

Using $_GET Method (Data Visible in URL)

$_GET is used when you want data to be visible in the URL (e.g., search queries).

Example: Sending data via URL

<form action="process.php" method="GET">
    <input type="text" name="query">
    <input type="submit" value="Search">
</form>

Example: Receiving $_GET data

<?php
if (isset($_GET["query"])) {
    echo "Search term: " . htmlspecialchars($_GET["query"]);
}
?>

Warning: Avoid using $_GET for sensitive data like passwords.

Validating User Input (Best Practices)

Check if fields are empty

 

if (empty($_POST[“name”])) {
echo “Name is required.”;
}

 Validate email format

 

if (!filter_var($_POST[“email”], FILTER_VALIDATE_EMAIL)) {
echo “Invalid email format.”;
}

 Use trim() to remove spaces

 

$name = trim($_POST[“name”]);

 Allow only specific characters (e.g., names should not contain numbers)

if (!preg_match("/^[a-zA-Z ]*$/", $name)) {
    echo "Only letters and spaces allowed.";
}

Preventing Security Threats

Prevent XSS (Cross-Site Scripting)
Use htmlspecialchars() to escape HTML tags.

$name = htmlspecialchars($_POST["name"]);

Prevent SQL Injection (if storing in a database)
Use prepared statements with PDO or MySQLi.

$stmt = $pdo->prepare("INSERT INTO users (name, email) VALUES (?, ?)");
$stmt->execute([$name, $email]);

 Validate CSRF Tokens (Preventing Cross-Site Request Forgery)

session_start();
if ($_POST["csrf_token"] !== $_SESSION["csrf_token"]) {
    die("Invalid CSRF token");
}

Displaying Form Data (Using PHP & HTML Together)

<?php
$name = isset($_POST["name"]) ? htmlspecialchars($_POST["name"]) : "";
$email = isset($_POST["email"]) ? htmlspecialchars($_POST["email"]) : "";
?>

<form method="POST">
    <label>Name:</label>
    <input type="text" name="name" value="<?php echo $name; ?>">
    
    <label>Email:</label>
    <input type="email" name="email" value="<?php echo $email; ?>">

    <input type="submit" value="Submit">
</form>

Why is this useful?

  • If there’s an error, the user doesn’t have to re-enter data.

Redirecting After Form Submission

Avoid form resubmission issues by using header():

header("Location: success.php");
exit();

Storing Form Data in a Database

Step 1: Connect to a Database

$pdo = new PDO("mysql:host=localhost;dbname=testdb", "username", "password");

Step 2: Insert Data Securely

$stmt = $pdo->prepare("INSERT INTO users (name, email) VALUES (?, ?)");
$stmt->execute([$_POST["name"], $_POST["email"]]);

Always use prepared statements to prevent SQL injection.

Sending Form Data via Email

$to = "admin@example.com";
$subject = "New Form Submission";
$message = "Name: " . $_POST["name"] . "\nEmail: " . $_POST["email"];
$headers = "From: noreply@example.com";

mail($to, $subject, $message, $headers);

Summary: PHP Form Handling Best Practices

Use $_POST for sensitive data (e.g., passwords).
Use $_GET for search queries and navigation.
Validate and sanitize input to prevent security risks.
Use prepared statements for database interactions.
Prevent XSS and CSRF attacks with htmlspecialchars() and tokens.
Redirect users after form submission to prevent duplicate entries.

Read More

Blog

How to Create Database in MySQL

  • By admin
  • November 27, 2021
  • 165 views
How to Create Database in MySQL
Blog

How to create table in MySQL

  • By admin
  • November 6, 2021
  • 113 views
How to create table in MySQL
Blog

MySQL commands with examples

  • By admin
  • September 11, 2021
  • 312 views
MySQL commands with examples
Blog

MySQL use database

  • By admin
  • May 28, 2021
  • 109 views
MySQL use database
Blog

System Software

  • By admin
  • May 20, 2021
  • 138 views
Blog

Introduction to software

  • By admin
  • May 13, 2021
  • 139 views
Introduction to software