HTML and CSS Reference
In-Depth Information
them as markup. Or if you prefer, you can use
htmlentities()
, which encodes all
the characters that are encoded by
htmlspecialchars()
plus any other characters
that can be represented as entities. In the preceding example, you really want to
write the script that displays the user's name like this:
<p>Hello <?= htmlspecialchars($_POST['yourname']) ?>.
Thanks for visiting.</p>
That prevents the person who submitted the data from launching a successful cross-
site scripting attack.
If you prefer, you can also use the
strip_tags()
function, which just removes all
the HTML tags from a string.
Finally, if your form is submitted using the
POST
method, you should refer to the
parameters using
$_POST
rather than
$_REQUEST
, which also helps to avoid certain
types of attacks by ignoring information appended to the URL via the query string.
When you have access to the data the user submitted, you can do whatever you like with
it. You can validate it (even if you have JavaScript validation, you should still validate
user input on the server as well), store it in a database for later use, or send it to someone
via email.
Handling Parameters with Multiple Values
Most form fields are easy to deal with; they're simple name and value pairs. If you have
a text field or radio button group, for example, you can access the value submitted using
$_REQUEST
, like this:
$radio_value = $_REQUEST['radiofield'];
$text_value = $_REQUEST['textfield'];
However, some types of fields submit multiple name and value pairs, specifically check
boxes and multiple select lists. If you have a group of five check boxes on a form, that
field can actually submit up to five separate parameters, all of which have the same name
and different values. PHP handles this by converting the user input into an array rather
than a regular variable. Unfortunately, you have to give PHP a hint to let it know that a
field should be handled this way. (PHP has no idea what your form looks like; all it
knows about is the data that has been submitted.)
21
If you include
[]
at the end of the name of a form field, PHP knows that it should expect
multiple values for that field and converts the parameters into an array. This occurs even
if only one value is submitted for that field. Here's an example:
