Nino Roldan
Courses Plus Student 9,308 Points
PHP $_SERVER usage to submit the form upon itself.
I wrote a relatively simple but usable PHP query logging software a couple of years back, and my setup was "plain vanilla", where a form with a POST method has a separate page that processes the form, like below:
1) The input form displays with a submit button that calls process-form.php.
2) process-form.php then processes the form (e.g. enters the data into a database).
3) process-form.php displays a message saying whether everything is fine or not.
Now, when I go through the PHP tutorial, they are teaching having the form submit upon itself by using $_SERVER:

```php
<?php
// Use the $_SERVER superglobal to check whether the POST method has been triggered
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    $name = $_POST["name"];
    $email = $_POST["email"];
    $message = $_POST["message"];
    //TODO: Send email, etc.
}
?>
```

I can see the benefits of this method, as the code remains compact: you just have to go to one page instead of going to other pages if you need to fix something. Is this the prevalent style now? Just asking, as I am trying to learn. Thank you!
3 Answers
Christopher Hall
9,052 Points
This is a useful method for fairly simple scripts such as a contact form, since it lets you combine everything into one file. It does make the file more complex, however, since you're using one big if ... else statement to either display the form or the submitted contents of the form. It's not recommended for any larger-style web application where you're following the Model View Controller convention, because the object of MVC is to separate out your data storage/retrieval from your processing and presentation.
Also a note: just using $_POST variables directly and inserting them into a database or sending them via email is a very insecure practice. You have no assurance that they're actually being submitted from your form, just that someone is POSTing to your form with those variable names. A naive implementation of a web form that sends an email and lets you specify the destination email address, subject and body can easily be used to spread spam messages. If you're inserting into a database, you could be vulnerable to a SQL injection attack that could destroy data or give an unauthorized person access to the data.
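A hardened version of the self-submitting pattern from the question, added here as an example (it is not code from this thread or from Treehouse): it keeps the `$_SERVER["REQUEST_METHOD"]` check, fixes the recipient server-side so a submission cannot choose where the mail goes, validates each field before it is used, and escapes anything it echoes back into the page. The addresses, subject and length limits are constructed placeholders.

```php
<?php
// Added example, not from the original thread: self-submitting contact form
// with a fixed recipient and validated fields. CONTACT_RECIPIENT and the
// sender address below are constructed placeholders.
declare(strict_types=1);

const CONTACT_RECIPIENT = 'contact@example.com'; // fixed; never taken from $_POST
const MAX_NAME_BYTES    = 100;
const MAX_MESSAGE_BYTES = 2000;

/**
 * Validate the raw form fields. Returns a list of error strings; an empty
 * list means the data is safe to hand on to buildContactMail().
 */
function validateContactForm(array $post): array
{
    $errors  = [];
    $name    = trim((string)($post['name'] ?? ''));
    $email   = trim((string)($post['email'] ?? ''));
    $message = trim((string)($post['message'] ?? ''));

    if ($name === '' || strlen($name) > MAX_NAME_BYTES) {
        $errors[] = 'Name is required and must be at most ' . MAX_NAME_BYTES . ' bytes.';
    }
    // FILTER_VALIDATE_EMAIL accepts only a single well-formed address, so a
    // value carrying line breaks or extra header text is rejected here.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'A valid e-mail address is required.';
    }
    if ($message === '' || strlen($message) > MAX_MESSAGE_BYTES) {
        $errors[] = 'Message is required and must be at most ' . MAX_MESSAGE_BYTES . ' bytes.';
    }
    return $errors;
}

/** Build mail() arguments from validated input. Destination and subject are fixed. */
function buildContactMail(array $post): array
{
    $name    = trim((string)$post['name']);
    $email   = trim((string)$post['email']);
    $message = trim((string)$post['message']);
    // The visitor's address goes into the body, not into the mail headers.
    $body = "From: {$name} <{$email}>\n\n{$message}";
    return [
        'to'      => CONTACT_RECIPIENT,
        'subject' => 'Website contact form',
        'body'    => $body,
        'headers' => 'From: noreply@example.com', // constructed placeholder sender
    ];
}

$errors = [];
$sent   = false;
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = validateContactForm($_POST);
    if ($errors === []) {
        $mail = buildContactMail($_POST);
        $sent = mail($mail['to'], $mail['subject'], $mail['body'], $mail['headers']);
    }
}

// Escape every value that is written back into the HTML, errors included.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}
?>
<!DOCTYPE html>
<html><body>
<?php if ($sent): ?>
  <p>Thanks, your message was sent.</p>
<?php else: ?>
  <?php foreach ($errors as $e): ?>
    <p><?= h($e) ?></p>
  <?php endforeach; ?>
  <form method="post">
    <input name="name" value="<?= h((string)($_POST['name'] ?? '')) ?>">
    <input name="email" value="<?= h((string)($_POST['email'] ?? '')) ?>">
    <textarea name="message"><?= h((string)($_POST['message'] ?? '')) ?></textarea>
    <button type="submit">Send</button>
  </form>
<?php endif; ?>
</body></html>
```

The form omits an `action` attribute so the browser posts back to the same URL, which is the self-submitting behaviour the question asks about; the recipient is a constant, so there is no field a visitor could use to redirect the mail.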
Shawn Gregory
Courses Plus Student 40,672 Points
Nino,
You can use $_SERVER['REQUEST_METHOD'], but you can also just use $_POST: if the data was sent via the POST method, the $_POST array would be created. You can use it like `if($_POST)` for simple checking, or if you want to make sure that there is at least something in there you can use `if(isset($_POST))` as well.
As far as storage goes, I agree with Chris: you shouldn't display or store raw data that is given by the user. The rule of thumb is usually never trust anyone on the internet. You can use the following: `$var = trim(htmlspecialchars($_POST['var']))` to sanitize data provided by the user. Also, make sure you use either MySQLi or PDO when submitting data to databases; it's just more secure. Hope this helps somewhat.
Cheers!
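To illustrate the PDO and htmlspecialchars advice in this answer, an added example that is not code from the thread: the submitted fields are inserted through a PDO prepared statement, so a quote in the data cannot change the SQL, and htmlspecialchars is applied when a stored value is rendered into the page. It assumes the pdo_sqlite extension, and uses an in-memory SQLite database and a constructed sample submission so it runs stand-alone.

```php
<?php
// Added example, not from the original thread: bound parameters for the
// database write and HTML escaping for the output. The table, DSN and sample
// submission are constructed for this demonstration.
declare(strict_types=1);

function openDatabase(): PDO
{
    $db = new PDO('sqlite::memory:'); // assumes the pdo_sqlite extension
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE contact (id INTEGER PRIMARY KEY, name TEXT, email TEXT, message TEXT)');
    return $db;
}

/**
 * Insert one submission. The values travel as bound parameters, so quotes or
 * SQL keywords inside them are stored as text and never become part of the
 * statement itself.
 */
function storeContact(PDO $db, string $name, string $email, string $message): int
{
    $stmt = $db->prepare(
        'INSERT INTO contact (name, email, message) VALUES (:name, :email, :message)'
    );
    $stmt->execute([':name' => $name, ':email' => $email, ':message' => $message]);
    return (int)$db->lastInsertId();
}

/** Fetch one row by id; the id is bound as an integer rather than interpolated. */
function fetchContact(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT name, email, message FROM contact WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Escape a value for HTML output; applied where the value meets the page. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample submission: a quote in the name and a tag in the message
// are the kind of input that breaks string-built queries and raw echo output.
$db  = openDatabase();
$id  = storeContact($db, "O'Brien", 'obrien@example.com', '<b>hello</b>');
$row = fetchContact($db, $id);

if ($row !== null) {
    // The row comes back exactly as submitted; escaping happens only here,
    // at the point where the values are placed into HTML.
    echo '<p>' . h($row['name']) . ' wrote: ' . h($row['message']) . "</p>\n";
}
```

Binding handles the database side and htmlspecialchars handles the HTML side; the two are separate steps because a value that is safe inside a query is not automatically safe inside a page, and vice versa.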
Nino Roldan
Courses Plus Student 9,308 Points
Thanks Chris and Shawn, this was exactly the information I was looking for.
Thanks for the tip on the data sanitization. I did not incorporate those when I made my simple PHP software a couple of years back, as it only lived within our intranet, but I will incorporate them from now on to aid in my learning.
Cheers!