BASIC FORM PROCESSING with PHP


The ability to collect data and send the data to an email address is essential to any web site that offers products or services for sale. Typically web sites use CGI scripts to do this but not all Internet providers offer scripts or even permit their use. You can use a remote cgi script (e.g. www.response-o-matic.com) although the thank you page will contain an advertisement, or you can send the data with a mailto: command i.e. action=”mailto:name@company.com”. The latter is easy but the data is attached as a separate file and the text is concatenated (name + email + text etc) requiring that you format the text and remove the + symbols. One of the best ways to process a form is to use a PHP script which is easy to implement and permits you to add a customized thank you page, send the data a specified email address and send the data to a text file for later retrieval and analysis - in other words you can collect the data in a flat-file simple database. You can also use PHP to create forms that permit your customers to upload files such as documents and images to your web site and create password protected areas.

There are two basic approaches – you can create you form in HTML then create a separate PHP script to process the form, or you can create the form and processing script all in one PHP script. We will do examples both ways.

Before attempting this tutorial you should understand how to build a form and its various components using HTML or an HTML editor like Dreamweaver.

1. Open notepad and create a simple Form – see below. Save the page as form.html in the wwwroot folder of IIs local server on your computer.




View your form.html after saving it to wwwroot folder using URL http://localhost/form.html and you should see a form like the screen shot above.

Next you will create a php script to process the form above and send the data to a specified email address. Note the email function will not work on the local server so you will have to ftp both files to a server with PHP support then test your form and check the email response.

Before you test the script on your local server you will need to modify the php.ini file (WINNT folder) or you will get undefined variable errors on your output page and you will not see the data submitted to the form in the return page. Open the php.ini file with notepad, make the changes and save the file.


1) Error_reporting=E_ALL (this says to report everything )
change to Error_reporting=E_ALL &~(E_NOTICE | E_USER_NOTICE);
&~ means and not i.e. report all errors but not notices (see text page 58)

2) register_globals=OFF; change to register_globals=ON

(If you are testing scripts on a remote server and register_globals=OFF you will need to modify how you write your scripts so they work, see later sections on how to include $variable = $_POST[‘variable’]; - you will need to do this for every form variable. At this time most servers use register_globals =ON but this will change in the future so the scripts are more secure and it will require that existing form processing scripts will have to be modified. (see text book page 60)


Create the formprocessor.php script in notepad by typing in the code below. First the script will only print the data you collect to the screen, then we will make the data go to a specified email address.

1. Open notepad and type in the code below save the page as formprocessor.php in the same location you saved your form.



Save the page, load the form.html fill it out and then click on the Send button. If you make an error you will see a message something like this:

Parse error: parse error, unexpected T_STRING in g:inetpubwwwrootformprocessor.php on line 7

If you do go back and check your spelling, make sure you added a semicolon to the end of each line and if you copied your code from a word document the quotes must be “” straight not curved in and out that occurs when you copy from word documents. Your screen should look like this.


If you do not see the values you type into the form then make sure you modified the php.ini file as directed above and retry.

To email this information to a specified address add the following code below to your formprocessor.php and retest your form and check your email account.



If you try your script on a local server you will see the following error.

Warning: mail(): SMTP server response: 550 5.7.1 Unable to relay for rberdan@scienceandart.org in g:inetpubwwwrootformprocessor.php on line 16

In order to test the form and its email function you will need to upload both files to your server and test it and then check your email for the data. That’s all there is to it – however if you want to use radio buttons, check boxes and drop down menus we will need to modify our form code a bit try the form example below.

IMPORTANT: If your customers Internet provider does not support PHP but your account does, then its no problem you can point the form script to a location on your server and it will still work fine. Just be sure you don’t delete the script if you do your customers form will stop working.

e.g.





Advanced form – some customers will want a form with radio buttons, check boxes, drop down menus, hidden input fields etc So we are now going to build a form that contains all of these elements and then create a php processor script for the form. The form will build will be a JOB APPLICATION form. We will save it as jobform.html and create a processor script called jobapplication.php.

Adding Radio Buttons

1. Open Notepad or other editor and type in the following code and save the page to your wwwroot folder as jobform.html. You could also create the form in Dreamweaver then create the phpprocessor script.





Save as jobform.html in wwwroot folder

2. Modify your formprocessor script



3. Go to URL localhostform.html, fill out the form and send it – email function will not work but you should see the output.




Note its sometimes a good idea to make one of the radio buttons selected by default to do this add the attribute checked=checked to one of the radio buttons.




Adding Checkboxes:

Checkboxes differ from radio buttons in that your visitor can select multiple values. In order to process and determine which boxes have been selected we need to modify the code from that used in HTML web pages using a cgi script. Specifically the group name will be unique for each checkbox. Add the code below in bold to your existing form and save it to wwwroot.







Modify your form processor script as follows:




Fill out the form and send it – you should see the following screen below if you selected all 3 platforms: windows, apple and unix in the checkboxes.





Selections made from Drop down menus

Many forms use drop down menus to offer a selection for example you might ask them what province they are from or the day of the week. We are going to create a drop down list that asks the user to selected starting expected salary and we will include 3 options: $20,000, $30,000 and $40,000. The code you will add to your existing form will look like this:





to your formprocessor.php script add the following line of code:



Test your form and select one of the salary options.


List Boxes allow several selections

We will add a list menu and ask the user which days of the week they would be available for an interview. They may be available for more than one day of the week so we will see how to process multiple choices using an array week[ ]. Add the following code to your form.html.
Note: Monday

Value=”Monday” is optional I include it here because that is what I would include if I was processing the form using a cgi script and that is what Dreamweaver will add. You could just add

Monday for each v alue and it will work fine.

To select multiple values you can do so by holding down the shift key then dragging your pointer over several values. Add the following script to your form.html.





To your formprocessor.php script add the following code to preview the information on the “thank you page”

print "Days Available for Interveiw: $week[0] $week[1] $week[2] $week[3] $week[4]
n";

Test your form with a single and multiple selections.


Note: we have not added any of the variable to the $body variable as yet so if you mail the form to your self the data in the radio, checkboxes, and lists would not appear – we will add this information as the last step.



Hidden Form Fields

Hidden fields contain information that can be passed to on to another page or sent to an email address and the information did not have to be entered. For instance a company may have several forms: job application, complaint form, suggestion form etc. You could include a text message which form that identifies it. You can also pass information from one form to another – we will be doing this later.



to view the data being sent on the thank you page (you would not normally display this information) you would add the following code to your formprocessor.php script



You could of course add several hidden values if you wanted to

In regard to your form you would probably not echo all the entered information to the “Thank you “ page, more importantly however you would want to email all of the entered data to a specified email address: To this we need to add the $variable for each form element into the $body variable within the mail() command.



save your file formprocessor.php , upload your jobform.html and formprocessor.php to your server, fill out the form and check the resposne in your email to see if everything works as expected.

If all is working you should see the following message in your email:

First Name: Robert
Last Name: Berdan
Email Address: rberdan@sciencenadart.org
Address: 6255-72nd St. N.W.
Calgary, AB
T3B 3V9

Job type programmer
windows apple unix
Expected starting salary $40,000
Days available for interview Monday Tuesday Wednesday
HIdden data: Job application form for ABC company
Following the exercise above you should be able to write a PHP script to process almost any type of form that comes your way.





In this next example we will create a simple form that is dynamically created with PHP – in other words you will only create one document that will create the html for the form and process it. Open notepad and type in the code below and save the file into your wwwroot call it oneform.php.








If (isset($submit)) statement requires that you include name=”submit” in the submit button html code and this line tests to see if the submit button has been pressed before processing the php script – if true it processes it, if false i.e. button has not been submitted then it does not send or display the text.

Note in this form I have displayed the entered data to the screen, however you probably would not do this instead you would just send a custom thank you. This is an example of a dynamically generated web page.

One more thing – if you are testing this locally and notice that the submitted data does not go away, simply load another php page e.g. phpinfo.php then load the page again (the browser cache can be stubborn sometimes).




PHP Form processing & Register Globals Appendice by R. Berdan

1) Why doesn’t the mail() function work on the local server?

Mail() requires that you be running an email server on your machine, or to set the php.ini file to point to your ISP’s mail server (this may not be allowed as it could be viewed as spamming). Solution, upload your forms to a server and test them from there.

2) Why do I see undefined variables errors when I test my forms on the local server?.

You need to modify the php.ini file to turn the variables errors off by:

Change: E_ALL to E_ALL &~(E_NOTICE | E_USER_NOTICE);

When I submit my form locally I can’t see the form $variables to my screen after using: print “$formvariable”; in my script.

To see the variables on the screen e.g. in a Thank you page you must
set register_globals=On in the php.ini file.

Having register_globals=On is a security risk – see note below from php.ini

; You should do your best to write your scripts so that they do not require
; register_globals to be on; Using form variables as globals can easily lead
to possible security problems, if the code is not very well thought of.
register_globals = On

In order to leave register_globals=Off - you have to write your form scripts such that you check that each variable is set. This would prevent the warning messages you get when testing your forms on a local server and it would make your forms more secure.

My Telus server and Blacksun servers both have set register_globals=On as default Using PHP 4.3.1 and 4.3.2 respectively.

register_globals On On

You can see what your server settings are by creating a info file and executing it on your server:



Search the PHP page look for register_globals in the tables to see what you server setting is .

How do I write a php script so it works with register_globals=Off?

Suppose you had a simple form like that below: myform.html





You could write a script for the form where you test if each variable has been set:



If you add more variables or input boxes you do this:








Here is an easier way to write your php form scripts so they function with
register_globals =OFF or ON



testform.php page – the data will appear below the form box.

What is register Globals?
register_globals is a PHP configuration variable that can be turned 'on' or 'off' from your PHP configuration file. When register_globals is turned 'on' – form, server, and environment variables are converted to global variables by the PHP engine. In fact, you should be very familiar with this "feature", if you have an HTML form with an input element such as:


When you submit the form, you can use, validate, or do whatever you want with a variable $username that will have the data the user entered in the form's text field. This is because the form GET/POST variable was converted to a PHP variable in the global namespace: a global variable.
You may think that this is a nice feature and that you don't want to turn it 'off', but there're potential security problems when register_globals is turned 'on'. We can summarize the problem as: "users can alias PHP script variables changing the normal execution of the script".
Let's suppose we validate the "username" in our PHP script in this way:



While the code may look in offensive, it's wrong, the user can pass not only "username" but "admin" in the form and then gain administrator privileges without knowing the username or password or whatever he would have need to know. Of course, you could have written the above code different and have no problem at all but the potential problem exists and it may be dangerous. 90% of the security problems found in PHP applications are a derivative from aliasing script variables when register_globals is turned 'on'.
If you do like register globals turned 'on', or you do need this setting 'on' because you have a lot of code written relying on this setting, you have to check your code and program carefully to avoid security problems. You can use the following checklist:
Programming safe with register_globals 'on':
• Initialize all of your script variables at the beginning of the script. (this will overwrite a user variable that was intended to alias one of your variables)
• Never rely on user input, validate all the data entered from the user
• Check user data for length before using it (avoiding potential buffer overflow exploits)
• Never store important information on cookies (the user can change it, for example userIds), use sessions that are stored on the server instead.
• Be extremely careful with user uploads, use the is_uploaded_file() function to check if the file was uploaded to the server or not.
• Always update your PHP version to the latest stable version to gain the security of the latest patches.
• If register_globals is 'off' you need a way to access user entered data, from PHP 4.x you have new special arrays:

$_GET Contains form variables sent through GET
$_POST Contains form variables sent through POST
$_COOKIE Contains HTTP cookie variables
$_SERVER Contains server variables (e.g., REMOTE_ADDR)
$_ENV Contains the environment variables
$_REQUEST A merge of the GET variables, POST variables and Cookie variables.

In other words, all the information that is coming from the user, and that from a security point of view, cannot be trusted. $_SESSION, contains HTTP variables registered by the session module. So if we have a form with a $username variable and we submit the form using post you can use:



The use of $_POST is not an advantage but a way to program when register_globals is turned 'off', in some installations you will find this setting 'on' and on some others it will be 'off' so your code will be more portable if you program assuming that register_globals is 'off'.
How to check for register_globals
Use the phpinfo() function and check the PHP core section; you can find the status of the register_globals there.
The code in this book was written assuming that register_globals is 'on', you may find some pieces of code that will work with register_globals 'off' but some may not. If you want to port the code to work with register_globals 'off', you can attack scripts that process forms and change the use of $foo variables to $_GET["foo"] or $_POST["foo"] accordingly.
A normal way to do it is to use :
foo=$_POST["foo"]
at the beginning of the script converting all the user entered variables to global variables in your script, with this modification you won't need to change the rest of the script.

References
http://www.zend.com/zend/art/art-sweat4.php
Reference: L. Ullman 2nd Edition Chapter 3 HTML Forms and PHP page 43-66