ECA 236 Open Source Server Side Scripting
PHP Form Handling
HTML Forms
• field names
  • no spaces
  • will match variable names (letters, numbers, underscores)
• method
  • GET
  • POST
• action
  • the script to which data is sent
accessing variables

    <form method="get" action="test.php">
    First Name: <input type="text" name="first_name"><br />
    Last Name: <input type="text" name="last_name"><br />
    <input type="submit" name="submit">
    </form>

Three ways to access form data:
1. $first_name and $last_name
• variable names are the same as field names
• register_globals must be set to ON in php.ini
• least secure of the three ways
accessing variables cont …
2. superglobals: $_GET $_POST $_REQUEST
• global associative arrays
• $first_name = $_GET['first_name'];
• only accepted variables are ones submitted through the form
• introduced in PHP version 4
accessing variables cont …
3. $HTTP_GET_VARS or $HTTP_POST_VARS
• associative arrays
• $first_name = $HTTP_GET_VARS['first_name'];
• PHP version 3 and earlier – still works in version 4
• may be unsupported by future versions
self-submission
• set the action of the form to itself
From a document named test.php, if we wanted to send data to a separate form handler, the form would read:

    <form method="get" action="newScript.php">

To reference itself, set action to test.php:

    <form method="get" action="test.php">
self-submission cont …
• isset( )
  • when passed a variable, isset( ) will return TRUE if that variable is set to some value, FALSE if the variable is NULL
  • before the form is submitted, all variables have a value of NULL
  • once submitted, a variable will have one of the following values:
    • information entered by the user
    • empty string
    • TRUE
self-submission cont …

    <?php
    if( isset( $_GET['submit'] ) ){
        // escape before echoing so the name is shown as text, not interpreted as HTML
        $first_name = htmlspecialchars( $_GET['first_name'] );
        $last_name  = htmlspecialchars( $_GET['last_name'] );
        echo "Your name is $first_name $last_name";
    }
    else{
    ?>
    <form method="get" action="test.php">
    First Name: <input type="text" name="first_name"><br />
    Last Name: <input type="text" name="last_name"><br />
    <input type="submit" name="submit" value="submit">
    </form>
    <?php } ?>
self-submission cont …
A more efficient way of setting the action of a form to send data to itself is to use the PHP_SELF value, accessed through the superglobal $_SERVER. $_SERVER['PHP_SELF'] will always contain the current script's name as its value:

    <form method="get" action="<?php echo $_SERVER['PHP_SELF']; ?>">

Notice that the reference to the variable must be placed between the <?php ?> tagset.
validating form data
• isset( )
  • returns TRUE if the variable holds a value
  • drawback: returns TRUE if it holds an empty string

    if( isset( $first_name ) ) {
        echo "Hello, $first_name.";
    }
    else{
        echo "You forgot to enter your first name.";
    }
validating form data
• empty( )
  • returns TRUE if the argument is
    • "" (an empty string)
    • 0 (zero as an integer)
    • "0" (zero as a string)
    • NULL
    • FALSE
    • array( ) (an empty array)
  • returns FALSE if it holds a non-empty, non-zero value

    if( empty( $first_name ) ) {
        echo "Please enter your first name";
    }
validating form data cont …
• strlen( )
  • returns the length of a string
  • can be used to test for empty strings

    if( strlen( $first_name ) > 0 ){
        echo "Hello, $first_name.";
    }
    else{
        echo "You forgot to enter your first name.";
    }
validating form data cont …
• trim( )
  • removes white space from both ends of a variable
  • can be used to eliminate empty strings, and to remove extraneous white space at the beginning and end of variables

    $first_name = trim( $_GET['first_name'] );
validating form data cont … radio buttons

    <form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
    Male: <input type="radio" name="gender" value="male" />
    Female: <input type="radio" name="gender" value="female" />
    <input type="submit" name="submit" />
    </form>
    <?php
    if( isset( $_POST['gender'] ) ){
        if( $_POST['gender'] == "male" || $_POST['gender'] == "female" ){
            // the value has passed the allow-list test, so it is safe to echo
            echo "You claim to be a {$_POST['gender']}.";
        }
        else {
            echo "Please enter a correct value.";
        }
    }
    else {
        echo "Please enter a correct value.";
    }
    ?>
validating form data cont …
• Purpose of validation
  • make sure the script has all the information it needs to do what it was designed to do
  • ensure the data is of the right type
  • added level of security by reducing user error and user maliciousness
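The checks on the preceding slides (isset( ), trim( ), the emptiness test, strlen( ) and the allow-list test for the radio buttons) assembled into one self-submitting form. This is an added example written for this page, not code from the original slides; the field names, the 40-character limit and the requirement of PHP 7.1 or later are assumptions. Every value that came from the client, including the PHP_SELF path used as the form action, is escaped with htmlspecialchars() before it is written back into the page.

```php
<?php
// Added example (not from the original slides). Combines isset(), trim(),
// an emptiness test, strlen() and an allow-list check for the radio button,
// then echoes only escaped or allow-listed values.
// Assumptions: field names first_name/last_name/gender, a 40-character limit,
// PHP 7.1 or later.

const MAX_NAME_LEN    = 40;                 // assumed limit for this example
const ALLOWED_GENDERS = ['male', 'female']; // the two values the form offers

/** Escape a string for placement in an HTML body or attribute. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Validate the submitted fields.
 * Returns [cleaned values, error messages], both keyed by field name.
 */
function validate_form(array $post): array
{
    $clean  = [];
    $errors = [];

    foreach (['first_name', 'last_name'] as $field) {
        // trim() first, so a field holding only spaces counts as empty.
        $value = isset($post[$field]) ? trim((string) $post[$field]) : '';
        // Compare with '' rather than calling empty(): empty() would also
        // reject the string "0", which is a legitimate (if odd) input.
        if ($value === '') {
            $errors[$field] = "You forgot to enter your $field.";
        } elseif (strlen($value) > MAX_NAME_LEN) {
            $errors[$field] = "$field may be at most " . MAX_NAME_LEN . " characters.";
        } else {
            $clean[$field] = $value;
        }
    }

    // Radio buttons: only the values the form actually offers are accepted,
    // and the strict comparison avoids PHP's loose "==" conversions.
    $gender = $post['gender'] ?? null;
    if (is_string($gender) && in_array($gender, ALLOWED_GENDERS, true)) {
        $clean['gender'] = $gender;
    } else {
        $errors['gender'] = 'Please choose male or female.';
    }

    return [$clean, $errors];
}

$submitted        = isset($_POST['submit']);
[$clean, $errors] = $submitted ? validate_form($_POST) : [[], []];

if ($submitted && $errors === []) {
    // Escape the free-text fields; the gender value is already allow-listed.
    echo '<p>Your name is ' . h($clean['first_name']) . ' ' . h($clean['last_name'])
       . ' and you claim to be ' . $clean['gender'] . '.</p>';
} else {
    foreach ($errors as $message) {
        echo '<p>' . h($message) . '</p>';
    }
    // PHP_SELF can contain extra path information taken from the request URL,
    // so it is escaped like any other client-supplied value.
    $action = h($_SERVER['PHP_SELF'] ?? '');
    $first  = h($clean['first_name'] ?? '');
    $last   = h($clean['last_name'] ?? '');
    echo '<form method="post" action="' . $action . '">';
    echo 'First Name: <input type="text" name="first_name" value="' . $first . '"><br />';
    echo 'Last Name: <input type="text" name="last_name" value="' . $last . '"><br />';
    foreach (ALLOWED_GENDERS as $g) {
        $checked = (($clean['gender'] ?? '') === $g) ? ' checked' : '';
        echo ucfirst($g) . ': <input type="radio" name="gender" value="' . $g . '"' . $checked . ' /> ';
    }
    echo '<input type="submit" name="submit" value="submit">';
    echo '</form>';
}
```

The form is redisplayed with the values that did validate filled back in, so the visitor only re-enters what was wrong; because those values pass through h() on the way back into the attribute, a value containing quotes or angle brackets cannot break out of the input tag.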
sending values manually
Two other ways to pass variables and values
• HTML form hidden input type

    <input type="hidden" name="author" value="Michael" />
    <input type="hidden" name="subject" value="PHP" />
    <input type="hidden" name="toAddress" value="mbarath@neo.rr.com" />
sending values manually cont …
• Append a name=value pair to anchor tags
  • to access these variables use the $_GET or $_REQUEST superglobal

    <a href="test.php?author=Michael">Click Here for author</a>
    <a href="test.php?subject=PHP">Click Here for Subject</a>

    $author = $_REQUEST['author'];
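Hidden inputs and query-string parameters arrive in the superglobals exactly like typed fields, and whoever sends the request can change them first. The following added example (written for this page, not taken from the original slides) therefore never uses a hidden address directly: the hidden field carries only a short key, and the real address is looked up in a server-side table. The table contents, the parameter names `recipient`, `subject` and `author`, and the subject allow-list are assumptions for this example.

```php
<?php
// Added example (not from the original slides). Hidden inputs and name=value
// pairs on a URL are client-controlled, so the script never trusts a hidden
// "toAddress" value. The browser only sends a short key; the real address
// lives in this server-side table. Table contents, the parameter names
// recipient/subject/author and the subject list are assumptions.

const RECIPIENTS = [
    'author'  => 'author@example.com',   // constructed sample address
    'support' => 'support@example.com',  // constructed sample address
];
const SUBJECTS = ['PHP', 'MySQL'];        // assumed allow-list of subjects

/** Escape a string for placement in an HTML body or attribute. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Turn request parameters into trusted values.
 * Returns ['to' => ..., 'subject' => ..., 'author' => ...] or null when any
 * parameter is missing or off the allow-lists.
 */
function resolve_request(array $request): ?array
{
    $key     = $request['recipient'] ?? '';
    $subject = $request['subject'] ?? '';
    $author  = $request['author'] ?? '';

    if (!is_string($key) || !isset(RECIPIENTS[$key])) {
        return null;                        // unknown recipient key: refuse
    }
    if (!is_string($subject) || !in_array($subject, SUBJECTS, true)) {
        return null;                        // subject not on the allow-list
    }
    // Free text: trimmed, length-limited, and restricted to a single line so
    // it can never carry extra header lines if it is later used in a mail header.
    $author = trim((string) $author);
    if ($author === '' || strlen($author) > 60 || preg_match('/[\r\n]/', $author)) {
        return null;
    }
    return ['to' => RECIPIENTS[$key], 'subject' => $subject, 'author' => $author];
}

// $_REQUEST merges GET and POST (and, depending on configuration, cookies);
// $_GET or $_POST names the source explicitly when that matters.
if (isset($_REQUEST['recipient'])) {
    $msg = resolve_request($_REQUEST);
    if ($msg === null) {
        echo '<p>Please enter correct values.</p>';
    } else {
        // The address was chosen by the server, so the client cannot redirect it.
        echo '<p>Message from ' . h($msg['author']) . ' about ' . h($msg['subject'])
           . ' would go to ' . h($msg['to']) . '.</p>';
    }
}

// Hidden inputs carry only the lookup key, never the address itself.
echo '<form method="post" action="' . h($_SERVER['PHP_SELF'] ?? '') . '">';
echo '<input type="hidden" name="recipient" value="author" />';
echo '<input type="hidden" name="subject" value="PHP" />';
echo 'Your name: <input type="text" name="author" />';
echo '<input type="submit" name="submit" />';
echo '</form>';

// The same values appended to an anchor tag; http_build_query() encodes the
// query string and h() makes the URL safe inside the href attribute.
$query = http_build_query(['recipient' => 'support', 'subject' => 'MySQL', 'author' => 'Michael']);
echo '<a href="' . h('test.php?' . $query) . '">Click Here for support</a>';
```

The same resolve_request() serves both delivery paths, the hidden form fields and the link, because on the server there is no difference between them: both are just entries in $_REQUEST.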
error handling
• ERRORS: fatal run-time errors, such as calling a function which does not exist – cause immediate termination
• WARNINGS: non-fatal run-time errors, such as trying to include( ) a file that does not exist
• NOTICES: less serious warnings which may result from a bug in your code, but may actually be intentional (such as using an uninitialized variable)
error handling cont …
• default error handling is set to E_ALL & ~E_NOTICE or E_ALL
• example of a NOTICE

    // beginning test
    echo "<p>. . . begin test . . .</p>";
    // include a non-existent variable
    echo "<p>The variable $no_such_var is not initialized.</p>";
    // end test
    echo "<p>. . . end test . . . </p>";

Output:
    . . . begin test . . .
    Notice: undefined variable: no_such_var in test_error.php
    The variable is not initialized.
    . . . end test . . .
error handling cont …
• example of a WARNING

    // beginning test
    echo "<p>. . . begin test . . .</p>";
    // include a non-existent file
    include( 'no_such_file.inc' );
    // print more test
    echo "<p>. . . end test . . . </p>";

Output:
    . . . begin test . . .
    Warning: main(no_such_file.inc): failed to open stream: No such file or directory in testError.php on line 26
    . . . end test . . .
error handling cont …
• example of a fatal error

    // beginning test
    echo "<p>. . . begin test . . .</p>";
    // call to a non-existent function
    no_such_function( );
    // print more test
    echo "<p>. . . end test . . . </p>";

Output:
    . . . begin test . . .
    Fatal error: Call to undefined function: no_such_function() in testError.php on line 29
error handling cont …
• in a live, production site
  • turn off error reporting
  • create custom error messages
• during site development
  • use the highest level of error reporting
  • display notices, warnings, and errors
• to change the level of error reporting
  • reconfigure php.ini
  • PHP functions
error handling in php.ini
• change the level of error reporting in the php.ini file
• turn error display functionality on or off

    error_reporting = E_ALL   ; or other appropriate value
    display_errors = Off
error handling functions
• error_reporting( )
  • one argument: level of error reporting

    // turn off all error reporting
    error_reporting( 0 );
    // beginning text
    echo "<p>. . . begin text . . .</p>";
    // call to a non-existent function
    no_such_function( );
    // print more text
    echo "<p>. . . end text . . . </p>";

Output (the fatal error still stops the script; it is just not displayed):
    . . . begin text . . .
error handling functions
• error_reporting( )

    // turn on all error reporting
    error_reporting( E_ALL );
    // beginning text
    echo "<p>. . . begin text . . .</p>";
    // call to an undeclared variable
    echo $undeclared_var;
    // print more text
    echo "<p>. . . end text . . . </p>";

Output:
    . . . begin text . . .
    Notice: Undefined variable: undeclared_var in testError.php on line 77
    . . . end text . . .
error handling functions
• temporarily shut off error handling with the @ operator

    // beginning text
    echo "<p>. . . begin text . . .</p>";
    // call to a non-existent function
    @no_such_function( );
    // print more text
    echo "<p>. . . end text . . . </p>";

Output:
    . . . begin text . . .
error handling functions
• set_error_handler( )
  • one argument: name of the custom function
• the custom error handler function takes at least 2, up to 5 arguments
  • error type
  • error message
  • optional:
    • file name
    • line number
    • current PHP variables
error handling functions
• set_error_handler( )

    // define custom error handler
    set_error_handler( 'customError' );
    // create custom function to handle errors
    function customError( $type, $msg ) {
        echo "<h1>Error!</h1>";
        echo "<p>Error code: $type <br />";
        echo "Error msg: $msg </p>";
        echo "<p>Please contact your system administrator.</p>";
    }

Output when the script then includes a non-existent file:
    Error!
    Error code: 2
    Error msg: main(no_such_file.inc): failed to open stream: No such file or directory
    Please contact your system administrator.
error handling functions
• set_error_handler( ) setting all 5 arguments

    // define custom error handler
    set_error_handler( 'customError' );
    // create custom function to handle errors
    function customError( $type, $msg, $file, $line, $vars ) {
        // statements . . .
    }
error handling functions
• set_error_handler( ) further customization

    function customError( $type, $msg ) {
        switch( $type ){
            case E_NOTICE:
                // do nothing
                break;
            case E_WARNING:
                echo "<p>A non-fatal error occurred: $msg </p>";
                break;
            case E_ERROR:
                die( "<p>A fatal error occurred: $msg </p>" );
                break;
        }
    }
error handling functions
• set_error_handler( )
  • the default error handlers for E_ERROR and E_PARSE cannot be overwritten by a user-defined function.
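The development/production split, the php.ini directives and the custom handler from the preceding slides, combined into one script. This is an added example written for this page, not code from the original slides: it reports every error type, logs the details server-side in both modes, displays them only in development, and in production shows the visitor nothing but a generic message. The APP_ENV environment variable and the log file path are assumptions.

```php
<?php
// Added example (not from the original slides). One script that applies the
// development / production split described above: report every error type,
// log the details always, display them only in development, and let a custom
// handler decide what the visitor sees. APP_ENV (an environment variable) and
// the log file path are assumptions for this example.

define('APP_IS_PRODUCTION', getenv('APP_ENV') === 'production');

// Run-time equivalents of the php.ini directives error_reporting,
// display_errors, log_errors and error_log.
error_reporting(E_ALL);
ini_set('display_errors', APP_IS_PRODUCTION ? '0' : '1');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app.log');   // assumed path; must be writable

/**
 * Custom handler. Logs the detail server-side and decides what, if anything,
 * the visitor sees. Returning true stops PHP's built-in handler from also
 * printing the message; returning false hands the error back to PHP.
 */
function customError(int $type, string $msg, string $file = '', int $line = 0): bool
{
    // Honour the @ operator: inside a silenced expression error_reporting()
    // returns a mask that excludes this type, so the handler stays quiet.
    if (!(error_reporting() & $type)) {
        return true;
    }

    $detail = "$msg in $file on line $line";

    switch ($type) {
        case E_NOTICE:
        case E_USER_NOTICE:
        case E_DEPRECATED:
        case E_USER_DEPRECATED:
            error_log("NOTICE: $detail");           // record, carry on silently
            return true;

        case E_WARNING:
        case E_USER_WARNING:
            error_log("WARNING: $detail");
            if (!APP_IS_PRODUCTION) {
                echo '<p>A non-fatal error occurred: ' . htmlspecialchars($msg) . '</p>';
            }
            return true;

        case E_USER_ERROR:
            // E_ERROR itself never reaches a user handler (see above), but
            // E_USER_ERROR raised by trigger_error() does and is treated as fatal.
            error_log("ERROR: $detail");
            echo APP_IS_PRODUCTION
                ? '<p>Something went wrong. Please contact your system administrator.</p>'
                : '<p>A fatal error occurred: ' . htmlspecialchars($msg) . '</p>';
            exit(1);
    }
    return false;                                    // any other type: default handling
}

set_error_handler('customError');

echo '<p>. . . begin text . . .</p>';
echo $undeclared_var;                 // E_NOTICE (E_WARNING from PHP 8): logged, page continues
include 'no_such_file.inc';           // E_WARNING: logged, shown only in development
@include 'no_such_file.inc';          // same warning silenced with @: handler returns early
trigger_error('demo warning', E_USER_WARNING);
echo '<p>. . . end text . . .</p>';
```

Set APP_ENV=production in the web server's environment to get the quiet behaviour; the equivalent php.ini lines for that mode are display_errors = Off and log_errors = On. Because the handler escapes $msg with htmlspecialchars() before echoing it, an error message that happens to contain user-supplied text (a file name from the request, for instance) is rendered as text rather than markup.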