This tutorial will cover how PHP handles form data posted via the POST method.
Introduction to the form
POST data is submitted by a form and “posted” to the web server as form data. POST data is encoded the same way as GET data, but isn’t typically visible to the user in standard browsers.
Most forms use the post method because it “hides” the form data away from the user and doesn’t clutter up the URL in the address bar. Note thatĀ GET and POST methods are equally (in)secure.
As easily as a user can monkey with GET data in a URL, the same thing can be done with POST data. You should always assume that the user can submit whatever form and form data that they want to, and process the data accordingly. Don’t trust user input, whether it’s from GET or from POST!
Post data is accessed with the $_POST array in PHP.
<?php
echo("First name: " . $_POST['firstname'] . "<br />\\n");
echo("Last name: " . $_POST['lastname'] . "<br />\\n");
?>
<form action="myform5.php" method="post">
<p>First name: <input type="text" name="firstname" /></p>
<p>Last name: <input type="text" name="firstname" /></p>
<input type="submit" name="submit" value="Submit" />
</form>
Using “isset”
You can use the “isset” function on any variable to determine if it has been set or not. You can use this function on the $_POST array to determine if the variable was posted or not. This is often applied to the submit button value, but can be applied to any variable.
For example:
<?php
if(isset($_POST['submit'])
{
echo("First name: " . $_POST['firstname'] . "<br />\\n");
echo("Last name: " . $_POST['lastname'] . "<br />\\n");
}
?>
<form action="myform5.php" method="post">
<p>First name: <input type="text" name="firstname" /></p>
<p>Last name: <input type="text" name="firstname" /></p>
<input type="submit" name="submit" value="Submit" />
</form>
The above code will only display the submitted values if the submit button was clicked.
Can I use both GET and POST in the same page?
GET and POST occupy different spaces in the server’s memory, so both can be accessed on the same page if you want. One use might be to display different messages on a form depending on what’s in the query string.
http://mysite/myform5.php?lang=english
<?php
if(isset($_POST['submit']) {
if($_GET['lang'] == "english") {
echo("First name: " . $_POST['firstname'] . "<br />\\n");
echo("Last name: " . $_POST['lastname'] . "<br />\\n");
} else if($_GET['lang'] == "spanish") {
echo("Nombre: " . $_POST['firstname'] . "<br />\\n");
echo("Apellido: " . $_POST['lastname'] . "<br />\\n");
}
?>
<form method="post">
<p>First name: <input type="text" name="firstname" /></p>
<p>Last name: <input type="text" name="firstname" /></p>
<input type="submit" name="submit" value="Submit" />
</form>
Instead of using GET and POST arrays, you can also use the $_REQUEST
array, which will contain the combined contents of the data. If GET and POST variables have the same name, POST will take priority. It’s recommended not to do this unless you really have to, because it can be confusing, and it’s best to be clear about where an input is coming from.
One more thing to notice: the “action” on the form is now missing. Technically, this is not valid HTML. However, by not putting in an action, browsers will assume that the form is submitting to itself. This is important because it will also preserve the querystring when the form is submitted (the ?lang=english part). You can use server variables like $_SERVER['PHP_SELF']
and $_SERVER['QUERY_STRING']
to build an action value.
For more information, seeĀ Using PHP_SELF in the action field of a form
Register globals off?
If you are using a version of PHP earlier than 4.2.0, you should strongly consider setting register_globals to “off” in your .htaccess file (if you are using Apache server) for the exact same reasons as were mentioned in the previous tutorial on GET. If you have PHP 4.2.0 or later, don’t worry about it.
More on POST
POST values are unlimited in length, and thus are very well suited for forms, especially forms with a lot of fields.