PHP Forms
PHP forms are essential for collecting user input and processing it on the server. This tutorial covers form creation, validation, and security best practices.
Basic Form Structure
A basic HTML form with PHP processing. The form submits to itself using the POST method. $_SERVER["PHP_SELF"] is passed through htmlspecialchars() because it echoes part of the request URL, which a visitor controls; without the escaping, the action attribute would be an XSS sink.
<?php
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    // Process form data; a missing field defaults to "" instead of raising a warning
    $name = htmlspecialchars($_POST['name'] ?? '');
    $email = htmlspecialchars($_POST['email'] ?? '');
    echo "<p>Thank you, $name. We received your email ($email).</p>";
}
?>
<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>">
    <div class="form-group">
        <label for="name">Name:</label>
        <input type="text" id="name" name="name" required>
    </div>
    <div class="form-group">
        <label for="email">Email:</label>
        <input type="email" id="email" name="email" required>
    </div>
    <div class="form-actions">
        <input type="submit" value="Submit">
        <input type="reset" value="Reset">
    </div>
</form>
Form Validation
Proper validation is crucial for security and data integrity. Here's a complete validation example:
<?php
// Define variables and initialize with empty values
$name = $email = $password = "";
$nameErr = $emailErr = $passwordErr = "";
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    // Validate name
    if (empty($_POST["name"])) {
        $nameErr = "Name is required";
    } else {
        $name = test_input($_POST["name"]);
        // Check if name only contains letters and whitespace
        if (!preg_match("/^[a-zA-Z ]*$/", $name)) {
            $nameErr = "Only letters and white space allowed";
        }
    }
    // Validate email
    if (empty($_POST["email"])) {
        $emailErr = "Email is required";
    } else {
        $email = test_input($_POST["email"]);
        // Check if email is valid
        if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
            $emailErr = "Invalid email format";
        }
    }
    // Validate password
    if (empty($_POST["password"])) {
        $passwordErr = "Password is required";
    } else {
        // The password is not passed through test_input(): it is never displayed,
        // and htmlspecialchars() would turn "&" into "&amp;" and change its length
        $password = $_POST["password"];
        if (strlen($password) < 8) {
            $passwordErr = "Password must be at least 8 characters";
        }
    }
}
// Trim and HTML-escape a value that will be echoed back into the form
function test_input($data) {
    $data = trim($data);
    // stripslashes() is a holdover from magic_quotes; it removes backslashes
    // the client legitimately typed, so drop this line on PHP 5.4 and later
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}
?>
<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>">
    <div class="form-group">
        <label for="name">Name:</label>
        <input type="text" id="name" name="name" value="<?php echo $name; ?>">
        <span class="error"><?php echo $nameErr; ?></span>
    </div>
    <div class="form-group">
        <label for="email">Email:</label>
        <input type="email" id="email" name="email" value="<?php echo $email; ?>">
        <span class="error"><?php echo $emailErr; ?></span>
    </div>
    <div class="form-group">
        <label for="password">Password:</label>
        <input type="password" id="password" name="password">
        <span class="error"><?php echo $passwordErr; ?></span>
    </div>
    <div class="form-actions">
        <input type="submit" value="Submit">
    </div>
</form>
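The same three checks as the form above, written as an added example (not the tutorial's own code) in the shape a practitioner would want: a function that takes the raw POST array and returns values plus per-field errors, with HTML escaping applied only at output time through a helper e(). The field() helper, the 100-character name limit and the sample request are assumptions made for the example.

```php
<?php
declare(strict_types=1);
// Added example (not the tutorial's own code): validation separated from
// output escaping. Values are kept raw for storage; e() escapes them when
// they are echoed back into HTML.

function field(array $post, string $key): string
{
    // A client can send name[]=x to turn a field into an array; treat that as absent
    $v = $post[$key] ?? null;
    return is_string($v) ? $v : '';
}

function validate_signup(array $post): array
{
    $values = ['name' => '', 'email' => ''];
    $errors = [];

    $name = trim(field($post, 'name'));
    if ($name === '') {
        $errors['name'] = 'Name is required';
    } elseif (!preg_match('/\A[a-zA-Z ]+\z/', $name)) {
        // \A and \z anchor the whole string; $ alone would still accept a trailing newline
        $errors['name'] = 'Only letters and white space allowed';
    } elseif (mb_strlen($name) > 100) {
        // Assumed limit for the example
        $errors['name'] = 'Name is too long';
    }
    $values['name'] = $name;

    $email = trim(field($post, 'email'));
    if ($email === '') {
        $errors['email'] = 'Email is required';
    } elseif (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Invalid email format';
    }
    $values['email'] = $email;

    // The password is neither trimmed nor escaped: it is hashed, never displayed,
    // and altering it would make the stored hash differ from what the user typed
    $password = field($post, 'password');
    if ($password === '') {
        $errors['password'] = 'Password is required';
    } elseif (mb_strlen($password) < 8) {
        // mb_strlen counts characters; strlen counts bytes ("pässwörd" is 8 characters, 10 bytes)
        $errors['password'] = 'Password must be at least 8 characters';
    }

    return ['values' => $values, 'errors' => $errors];
}

// Output-time escaping helper
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample request standing in for $_POST
$sample = ['name' => '  Ada Lovelace ', 'email' => 'not-an-email', 'password' => 'short'];
$result = validate_signup($sample);

if ($result['errors'] === []) {
    // Safe to store: hash the password, keep name/email unescaped in the database
    $hash = password_hash(field($sample, 'password'), PASSWORD_DEFAULT);
} else {
    foreach ($result['errors'] as $fieldName => $msg) {
        echo '<span class="error">' . e($fieldName) . ': ' . e($msg) . "</span>\n";
    }
    // Re-populate the form from the raw value, escaping at output
    echo '<input type="text" name="name" value="' . e($result['values']['name']) . '">' . "\n";
}
```

With the constructed sample, the name passes, the email fails with "Invalid email format" and the password fails the length check; the stored copy of a valid name would be the trimmed raw string, not its HTML-escaped form.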
File Uploads
Handling file uploads requires special attention to security: the filename, extension and reported MIME type all come from the client, so only what the server itself verifies about the file contents can be trusted.
<?php
$uploadOk = 1;
$message = "";
if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_FILES["fileToUpload"])) {
    $target_dir = "uploads/";
    $file = $_FILES["fileToUpload"];
    // The original name and its extension are client-supplied; they are used
    // only for the whitelist check below, never as the stored filename
    $imageFileType = strtolower(pathinfo($file["name"], PATHINFO_EXTENSION));
    // Check that the upload itself completed (no file, partial upload, php.ini size limit)
    if ($file["error"] !== UPLOAD_ERR_OK) {
        $message = "Sorry, the upload did not complete.";
        $uploadOk = 0;
    }
    // Check if the file is an actual image by parsing its contents
    if ($uploadOk && isset($_POST["submit"])) {
        $check = getimagesize($file["tmp_name"]);
        if ($check !== false) {
            $message = "File is an image - " . $check["mime"] . ".";
        } else {
            $message = "File is not an image.";
            $uploadOk = 0;
        }
    }
    // Check file size (500KB max)
    if ($file["size"] > 500000) {
        $message = "Sorry, your file is too large.";
        $uploadOk = 0;
    }
    // Allow certain file formats
    if (!in_array($imageFileType, ["jpg", "jpeg", "png", "gif"], true)) {
        $message = "Sorry, only JPG, JPEG, PNG & GIF files are allowed.";
        $uploadOk = 0;
    }
    // Check if $uploadOk is set to 0 by an error
    if ($uploadOk == 0) {
        $message = "Sorry, your file was not uploaded.";
    } else {
        // Store under a server-generated name so the client cannot choose the path
        $target_file = $target_dir . bin2hex(random_bytes(16)) . "." . $imageFileType;
        if (move_uploaded_file($file["tmp_name"], $target_file)) {
            $message = "The file " . htmlspecialchars(basename($file["name"])) . " has been uploaded.";
        } else {
            $message = "Sorry, there was an error uploading your file.";
        }
    }
}
?>
<form method="post" enctype="multipart/form-data">
    <div class="form-group">
        <label for="fileToUpload">Select image to upload:</label>
        <input type="file" name="fileToUpload" id="fileToUpload">
    </div>
    <div class="form-actions">
        <input type="submit" value="Upload Image" name="submit">
    </div>
</form>
<p><?php echo $message; ?></p>
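A hardened version of the upload handler, added here as an example that is not the tutorial's own code. It keeps the form field name fileToUpload from the page but goes further than the snippet above: it decides the file type from the content via finfo rather than from the extension, maps that type to a server-chosen extension, cross-checks with getimagesize(), and writes into a directory outside the web root. The storage directory path, the MIME-to-extension table and the function name are assumptions for the example.

```php
<?php
declare(strict_types=1);
// Added example (not the tutorial's own code). Assumptions: the form field is
// named "fileToUpload" as on this page, and $storageDir is a directory the
// web server can write to but does not serve directly.

const MAX_UPLOAD_BYTES = 500000;

// Allowed MIME types mapped to the extension the stored file will get.
// The extension comes from this table, never from the client-supplied name.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validates one entry of $_FILES and moves it into $storageDir.
 * Returns ['ok' => bool, 'message' => string, 'path' => ?string].
 */
function store_uploaded_image(array $file, string $storageDir): array
{
    // 1. The upload itself must have succeeded (php.ini size limits, partial
    //    uploads and "no file selected" all show up as a non-zero error code)
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return ['ok' => false, 'message' => 'No file was uploaded, or the upload failed.', 'path' => null];
    }
    // 2. Only a file PHP itself received in this request may be moved;
    //    this blocks attempts to point tmp_name at an arbitrary server path
    if (!is_uploaded_file($file['tmp_name'])) {
        return ['ok' => false, 'message' => 'Invalid upload source.', 'path' => null];
    }
    // 3. Enforce the size limit on the server
    if ($file['size'] > MAX_UPLOAD_BYTES) {
        return ['ok' => false, 'message' => 'Sorry, your file is too large.', 'path' => null];
    }
    // 4. Decide the type from the file content, not from the name or from
    //    $file['type'], which is a client-supplied header
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED_IMAGE_TYPES[$mime])) {
        return ['ok' => false, 'message' => 'Sorry, only JPG, PNG and GIF files are allowed.', 'path' => null];
    }
    // 5. Cross-check with the image parser: something finfo labels an image
    //    but getimagesize() cannot parse is rejected
    if (getimagesize($file['tmp_name']) === false) {
        return ['ok' => false, 'message' => 'File is not an image.', 'path' => null];
    }
    // 6. Server-chosen name: no path separators, no double extensions, no collisions
    $target = rtrim($storageDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return ['ok' => false, 'message' => 'Sorry, there was an error uploading your file.', 'path' => null];
    }
    return ['ok' => true, 'message' => 'The file has been uploaded.', 'path' => $target];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['fileToUpload'])) {
    // Assumed location: a sibling directory of the document root, not served by the web server
    $result = store_uploaded_image($_FILES['fileToUpload'], __DIR__ . '/../private_uploads');
    echo '<p>' . htmlspecialchars($result['message'], ENT_QUOTES, 'UTF-8') . '</p>';
}
```

Because the stored file is never served directly from the upload directory and carries only a server-chosen name and extension, a file that passes the checks cannot be executed as a script by the web server even if the image parser was fooled; serving it back through a read-only download endpoint with an explicit Content-Type keeps that property.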
Security Best Practices
- Always validate input on the server side (client-side validation can be bypassed)
- Use prepared statements when interacting with databases to prevent SQL injection
- Escape all user-supplied values when displaying them in HTML (use htmlspecialchars())
- Use HTTPS for forms that handle sensitive data
- Implement CSRF protection for forms that modify data
- Limit file uploads to specific types and sizes
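The "prepared statements" item above, as an added example that is not the tutorial's own code: a string-concatenated INSERT beside the parameterised version, with the validated form values passed as parameters so they are never parsed as SQL. The users table, the DSN and the credentials are placeholders assumed for the example.

```php
<?php
declare(strict_types=1);
// Added example (not the tutorial's own code). Assumes a table
// users(id, name, email, password_hash); DSN and credentials are placeholders.

function connect(): PDO
{
    return new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'PLACEHOLDER_PASSWORD', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares, values sent separately
    ]);
}

// Vulnerable, shown for contrast only and never called: the form value is
// spliced into the SQL text, so a single quote in the name ends the string
// literal and whatever follows is parsed as SQL by the database.
function insert_user_unsafe(PDO $pdo, string $name, string $email, string $hash): void
{
    $sql = "INSERT INTO users (name, email, password_hash) VALUES ('$name', '$email', '$hash')";
    $pdo->exec($sql);
}

// Safe: the SQL text is fixed at prepare time; the values travel as
// parameters and are treated as data whatever characters they contain.
function insert_user(PDO $pdo, string $name, string $email, string $password): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO users (name, email, password_hash) VALUES (:name, :email, :hash)'
    );
    $stmt->execute([
        ':name'  => $name,
        ':email' => $email,
        ':hash'  => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

// Positional placeholder form of the same idea
function find_user_by_email(PDO $pdo, string $email): ?array
{
    $stmt = $pdo->prepare('SELECT id, name, email FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage with already-validated form values. They are stored raw: htmlspecialchars()
// is for HTML output, so it is applied when the name is echoed, not before the INSERT.
$pdo = connect();
insert_user($pdo, "O'Brien", 'obrien@example.com', 'correct horse battery staple');
$user = find_user_by_email($pdo, 'obrien@example.com');
echo '<p>Welcome, ' . htmlspecialchars($user['name'] ?? '', ENT_QUOTES, 'UTF-8') . '</p>';
```

The apostrophe in "O'Brien" is the everyday case that breaks the concatenated version and is handled without special treatment by the prepared one; disabling emulated prepares makes sure the separation of statement and parameters happens on the database server rather than by client-side quoting.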
CSRF Protection Example
<?php
session_start();
// Generate CSRF token if it doesn't exist
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    // Verify CSRF token; a missing field compares as "" instead of passing null
    // to hash_equals(), which would throw a TypeError on PHP 8
    if (!hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'] ?? '')) {
        die("CSRF token validation failed");
    }
    // Process the form data
    // ...
}
?>
<form method="post">
    <input type="hidden" name="csrf_token" value="<?php echo htmlspecialchars($_SESSION['csrf_token']); ?>">
    <!-- Other form fields -->
    <div class="form-actions">
        <input type="submit" value="Submit">
    </div>
</form>