HTML and CSS Reference
In-Depth Information
function alsoAdd($a = 0, $b = 0) {
return add($a, $b);
}
You learned how to create forms back in Lesson 11, “Designing Forms,” and although I
explained how to design a form, I didn't give you a whole lot of information about what
to do with form data once it's submitted. Now I explain how PHP makes data that has
been submitted available to your PHP scripts.
When a user submits a form, PHP automatically decodes the variables and copies the
values into some built-in variables. Built-in variables are like built-in functions—you can
always count on their being defined when you run a script. The three associated with
form data are
$_GET
,
$_POST
, and
$_REQUEST
. These variables are all associative arrays,
and the names assigned to the form fields on your form are the keys to the arrays.
$_GET
contains all the parameters submitted using the
GET
method (in other words, in the
query string portion of the URL). The
$_POST
method contains all the parameters submit-
ted via
POST
in the response body.
$_REQUEST
contains all the form parameters regardless
of how they were submitted. Unless you have a specific reason to differentiate between
GET
and
POST
, you can use
$_REQUEST
. Let's look at a simple example of a form:
<form action=”post.php” method=”post”>
Enter your name:
<input type=”text” name=”yourname” /><br />
<input type=”submit” />
</form>
When the user submits the form, the value of the
yourname
field will be available in
$_POST
and
$_REQUEST
. You could return it to the user like this:
<p>
Hello
<?= $_REQUEST['yourname'] ?>
. Thanks for visiting.
</p>
Preventing Cross-Site Scripting
You have to be careful when you display data entered by a user on a web page
because malicious users can include HTML tags and JavaScript in their input in an
attempt to trick other users who might view that information into doing something
they might not want to do, such as entering their password to your site and submit-
ting it to another site. This is known as a
cross-site scripting attack
.
To prevent malicious users from doing that sort of thing, PHP includes the
htmlspe-
cialchars()
function, which will automatically encodes any special characters in a
string so that they are displayed on a page rather than letting the browser treat
