if - CENG449

Download Report

Transcript if - CENG449

PHP Form Handling
The PHP superglobals $_GET and $_POST are used to collect
form-data.
EX:
<html>
<body>
<form action="welcome.php" method="post">
Name: <input type="text" name="name"><br>
E-mail: <input type="text" name="email"><br>
<input type="submit">
</form>
</body>
</html>
CENG 449 Lecture 11
Slide 1 of 40
welcome.php
<html>
<body>
<?php
$name=$_POST["name"];
$email=$_POST["email"];
echo "Your name is ".$name."<br/>";
echo "Your email is ".$email."<br/>";
?>
</body>
</html>
CENG 449 Lecture 11
Slide 2 of 40
welcome.php
<html>
<body>
<?php
if(isset($_POST["name"]) && isset($_POST["email"])
{
$name=$_POST["name"];
$email=$_POST["email"];
echo "Your name is ".$name."<br/>";
echo "Your email is ".$email."<br/>";
}
?>
</body>
</html>
CENG 449 Lecture 11
Slide 3 of 40
<html>
<body>
<form action="welcome.php" method= "get">
Name: <input type="text" name="name"><br>
E-mail: <input type="text" name="email"><br>
<input type="submit">
</form>
</body>
</html>
CENG 449 Lecture 11
Slide 4 of 40
<html>
<body>
<?php
$name=$_GET["name"];
$email=$_GET["email"];
echo "Your name is ".$name."<br/>";
echo "Your email is ".$email."<br/>";
?>
</body>
</html>
CENG 449 Lecture 11
Slide 5 of 40
GET vs. POST
Both GET and POST create an array (e.g. array( key => value, key2
=> value2, key3 => value3, ...)). This array holds key/value pairs,
where keys are the names of the form controls and values are the
input data from the user.
Both GET and POST are treated as $_GET and $_POST. These are
superglobals, which means that they are always accessible,
regardless of scope - and you can access them from any function,
class or file without having to do anything special.
$_GET is an array of variables passed to the current script via the
URL parameters.
$_POST is an array of variables passed to the current script via the
HTTP POST method.
CENG 449 Lecture 11
Slide 6 of 40
When to use GET?
Information sent from a form with the GET method is visible
to everyone (all variable names and values are displayed in
the URL). GET also has limits on the amount of information to
send. The limitation is about 2000 characters. However,
because the variables are displayed in the URL, it is possible
to bookmark the page. This can be useful in some cases.
GET may be used for sending non-sensitive data.
Note: GET should NEVER be used for sending passwords or
other sensitive information!
CENG 449 Lecture 11
Slide 7 of 40
When to use POST?
Information sent from a form with the POST method is
invisible to others (all names/values are embedded within
the body of the HTTP request) and has no limits on the
amount of information to send.
Moreover POST supports advanced functionality such as
support for multi-part binary input while uploading files to
server.
However, because the variables are not displayed in the URL,
it is not possible to bookmark the page.
Note Developers prefer POST for sending form data.
CENG 449 Lecture 11
Slide 8 of 40
What is the $_SERVER["PHP_SELF"] variable?
The $_SERVER["PHP_SELF"] is a super global variable
that returns the filename of the currently executing
script.
So, the $_SERVER["PHP_SELF"] sends the submitted
form data to the page itself, instead of jumping to a
different page. This way, the user will get error
messages on the same page as the form.
CENG 449 Lecture 11
Slide 9 of 40
What is the htmlspecialchars() function?
The htmlspecialchars() function converts special characters
to HTML entities. This means that it will replace HTML
characters like < and > with &lt; and &gt;. This prevents
attackers from exploiting the code by injecting HTML or
Javascript code (Cross-site Scripting attacks) in forms.
See:
http://www.w3schools.com/php/php_form_validation.asp
for an example
CENG 449 Lecture 11
Slide 10 of 40
<html>
<body>
<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
<p>First name: <input type="text" name="firstname" /></p>
<p>Last name: <input type="text" name="lastname" /></p>
<input type="submit" name="submit" value="Submit" />
</form>
</html>
<?php
if(isset($_POST['firstname']) && isset($_POST['lastname']))
{
echo("First name: " . $_POST['firstname'] . "<br />\n");
echo("Last name: " . $_POST['lastname'] . "<br />\n");
}
?>
CENG 449 Lecture 11
Slide 11 of 40
CENG 449 Lecture 11
Slide 12 of 40
<?php
if(isset($_POST['firstname']) && isset($_POST['lastname']))
{
echo("First name: " . $_POST['firstname'] . "<br />\n");
echo("Last name: " . $_POST['lastname'] . "<br />\n");
}
?>
<html>
<body>
<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
<p>First name: <input type="text" name="firstname" /></p>
<p>Last name: <input type="text" name="lastname" /></p>
<input type="submit" name="submit" value="Submit" />
</form>
</html>
CENG 449 Lecture 11
Slide 13 of 40
Secure input data
To prevent hackers entering your system, use the following approach while inputting the data
from user
<?php
// define variables and set to empty values
$name = $email = $gender = $comment = $website = "";
if ($_SERVER["REQUEST_METHOD"] == "POST") {
$name = test_input($_POST["name"]);
$email = test_input($_POST["email"]);
$website = test_input($_POST["website"]);
$comment = test_input($_POST["comment"]);
$gender = test_input($_POST["gender"]);
}
function test_input($data) {
$data = trim($data); // avoids the blank spaces at the beginning and at the end
$data = stripslashes($data); // stripes slashes
$data = htmlspecialchars($data); // convers special characters such as &lt
return $data;
}
?>
Slide 14 of 40
CENG 449 Lecture 11
Select Forms:
<html>
<body>
<h4>Art Supply Order Form</h4>
<form action="process.php" method="post">
<select name="item">
<option>Paint</option>
<option>Brushes</option>
<option>Erasers</option>
</select>
Quantity: <input name="quantity" type="text" />
<input type="submit" />
</form>
</body>
</html>
CENG 449 Lecture 11
Slide 15 of 40
process.php
<html>
<body>
<?php
$quantity = $_POST['quantity'];
$item = $_POST['item'];
echo "You ordered ". $quantity . " " . $item . ".<br />";
echo "Thank you for ordering!";
?>
</body>
</html>
CENG 449 Lecture 11
Slide 16 of 40
CENG 449 Lecture 11
Slide 17 of 40
<html>
<body>
<h3>PHP HTML Form radio button Example</h3>
<form name="infoForm" method="POST" action=“example.php">
Enter Your Full Name :
<input name="FullName" type="text" placeholder="Fullname"><br/><br/>
You are :
<input name="YourGender" type="radio" value="male" > Male
<input name="YourGender" type="radio" value="female" > Female
<br/>
<br/>
<input name="BtnSubmit" type="submit" value="Submit">
</form>
</body>
</html>
CENG 449 Lecture 11
Slide 18 of 40
example.php
<html>
<body>
<?php
if(isset($_POST['BtnSubmit']))
{
echo "<h3>Your form data as bellow</h3>";
echo "</br>Your Name: {$_POST['FullName']}";
echo "</br>Your are: {$_POST['YourGender']}";
echo "<hr>";
}
?>
</body>
</html>
CENG 449 Lecture 11
Slide 19 of 40
CENG 449 Lecture 11
Slide 20 of 40
Checkbox example:
<html>
<body>
<h3>PHP HTML Form checkbox Example</h3>
<form action="process.php" method="post">
<input type="checkbox" name="gender" value="Male">Male</input>
<input type="checkbox" name="gender" value="Female">Female</input>
<input type="submit" name="submit" value="Submit"/>
</form>
</body>
</html>
CENG 449 Lecture 11
Slide 21 of 40
process.php
<html>
<body>
<?php
if (isset($_POST['gender']))
{
echo "Your gender is ";
echo $_POST['gender']; // Displays value of checked checkbox.
}
?>
</body>
</html>
CENG 449 Lecture 11
Slide 22 of 40
CENG 449 Lecture 11
Slide 23 of 40
<html>
<body>
<h3>PHP HTML Form button Example</h3>
<form name="infoForm" method="POST" action="process.php">
Enter Your Name :
<input name="FullName" type="text" placeholder="Name"><br/><br/>
Enter Your SurName :
<input name="SurName" type="text" placeholder="Surname"><br/><br/>
<input type="submit" name="save" value="Save">
<input type="submit" name="clear" value="Clear">
<input type="submit" name="update" value="Update">
</form>
</body>
</html>
CENG 449 Lecture 11
Slide 24 of 40
process.php
<html>
<body>
<?php
if (isset($_POST['save']))
{
echo "Save button is pressed! <br /> ";
}
if (isset($_POST['clear']))
{
echo "Clear button is pressed! <br /> ";
}
if (isset($_POST['update']))
{
echo "Update button is pressed! <br /> ";
}
?>
</body>
</html>
CENG 449 Lecture 11
Slide 25 of 40
CENG 449 Lecture 11
Slide 26 of 40
Mulltiple Selection CheckBox:
<!DOCTYPE html>
<html>
<body>
<p> Please select your book types: </p>
<form name="form1" action="process.php" method="POST">
<input type="checkbox" name="book[]" value="Drama"> Drama <br/>
<input type="checkbox" name="book[]" value="Action and Adventure"> Action and Adventure <br/>
<input type="checkbox" name="book[]" value="Romance"> Romance <br/>
<input type="checkbox" name="book[]" value="Mystery"> Mystery <br/>
<input type="checkbox" name="book[]" value="Horror"> Horror <br/>
<input type="checkbox" name="book[]" value="Guide"> Guide <br/>
<input type="checkbox" name="book[]" value="Science"> Science <br/>
<input type="checkbox" name="book[]" value="History"> History <br/>
<input type="submit" value="SUBMIT">
</form>
</body>
</html>
CENG 449 Lecture 11
Slide 27 of 40
<?php
$bookArray=$_POST['book'];
echo "Your selected books are <br/>";
foreach ($bookArray as $aBook)
{
echo "$aBook <br>";
}
?>
CENG 449 Lecture 11
Slide 28 of 40
CENG 449 Lecture 11
Slide 29 of 40
PHP and MySQL
MySQL works very well in combination of various
programming languages like PERL, C, C++, JAVA and PHP. Out
of these languages, PHP is the most popular one because of
its web application development capabilities.
PHP provides various functions to access MySQL database
and to manipulate data records inside MySQL database. You
would require to call PHP functions in the same way you call
any other PHP function.
The PHP functions for use with MySQL have the following
general format:
mysql_function(value,value,...);
CENG 449 Lecture 11
Slide 30 of 40
Following example shows a generic syntax of PHP to call any MySQL
function.
<html>
<head>
<title>PHP with MySQL</title>
</head>
<body>
<?php
$retval = mysql_function(value, [value,...]);
if( !$retval )
{
die ( "Error: a related error message" );
}
// Otherwise MySQL or PHP Statements
?>
</body>
</html>
CENG 449 Lecture 11
Slide 31 of 40
MySQL Connection using PHP Script:
connection mysql_connect(server,user,passwd,new_link,client_flag);
<html>
<head>
<title>Connecting MySQL Server</title>
</head>
<body>
<?php
$dbhost = 'localhost:3036';
$dbuser = 'guest';
$dbpass = 'guest123';
$conn = mysql_connect($dbhost, $dbuser, $dbpass);
if(! $conn )
{
die('Could not connect: ' . mysql_error());
}
echo 'Connected successfully';
mysql_close($conn);
?>
</body>
</html>
CENG 449 Lecture 11
Slide 32 of 40
<html>
<body>
Adding data to MySQL Database
<h3>PHP HTML Form radio button Example</h3>
<form name="infoForm" method="POST" action= " process.php">
Enter Your Full Name :
<input name="FullName" type="text" placeholder="Fullname"><br/><br/>
Enter Your Student Number :
<input name="stNumber" type="text" placeholder="Student
Number"><br/><br/>
You are :
<input name="YourGender" type="radio" value="male" > Male
<input name="YourGender" type="radio" value="female" > Female
<br/>
<input name="FullName" type="text" placeholder="Fullname"><br/><br/>
<input name="BtnSubmit" type="submit" value="Submit">
</form>
</body>
</html>
CENG 449 Lecture 11
Slide 33 of 40
CENG 449 Lecture 11
Slide 34 of 40
<?php
$stFullName=$_POST['Fullname']; $stNumber=$_POST['stNumber']; $stGender=$_POST['YourGender'];
$dbhost = "localhost"; $dbuser = "root"; $dbpass = "";
$conn = mysql_connect($dbhost, $dbuser, $dbpass);
if(! $conn ) {
die('Could not connect: ' . mysql_error()); }
echo 'Connected successfully';
$sql = "INSERT INTO studentInfoTable (stFullName,stNumber, stGender) VALUES
('$stFullName','$stNumber','$stGender')";
mysql_select_db('studentInfo');
$retval = mysql_query( $sql, $conn );
if(! $retval )
{
die('Could not enter data: ' . mysql_error());
}
echo "Entered data successfully\n";
mysql_close($conn);
?>
CENG 449 Lecture 11
Slide 35 of 40
<html>
<body>
<h3>User Data Form</h3>
<form name="infoForm" method="POST" action= " process.php">
Enter Your Name :
<input name="FullName" type="text" placeholder="Name"><br/>
Enter Your SurName :
<input name="FullName" type="text" placeholder="Surname"><br/>
Enter Your Student Number :
<input name="stNumber" type="text" placeholder="Student Number"><br/>
You are :
<input name="YourGender" type="radio" value="male" > Male
<input name="YourGender" type="radio" value="female" > Female
<br/>
<input name="BtnSubmit" type="submit" value="Submit"> <br/><br/>
</form>
</body>
</html>
CENG 449 Lecture 11
Slide 36 of 40
<?php
$stName=$_POST['Name']; $stSurname=$_POST['Surname']; $stFullName=$Name." ".$Surname;
$stNumber=$_POST['stNumber']; $stGender=$_POST['YourGender'];
$dbhost = "localhost"; $dbuser = "root"; $dbpass = "";
$conn = mysql_connect($dbhost, $dbuser, $dbpass);
if(! $conn )
{
die('Could not connect: ' . mysql_error());
}
echo 'Connected successfully';
$sql = "INSERT INTO studentInfoTable (stName, stSurname,stFullName,stNumber, stGender) VALUES
('$stName','$stSurname','$stFullName','$stNumber','$stGender')";
mysql_select_db('studentInfo');
$retval = mysql_query( $sql, $conn );
if(! $retval )
{
die('Could not enter data: ' . mysql_error());
}
echo "Entered data successfully\n";
mysql_close($conn);
?>
CENG 449 Lecture 11
Slide 37 of 40
<html>
<body>
Search data in database
<h3>User Data Form</h3>
<form name="infoForm" method="POST" action= " process.php">
Enter Name to be Searhed :
<input name=“Name" type="text" placeholder="Name"><br/>
<input name="BtnSubmit" type="submit" value="Submit">
<br/>
</form>
</body>
</html>
CENG 449 Lecture 11
Slide 38 of 40
<?php
$stName=$_POST['Name'];
$dbhost = "localhost";
$dbuser = "root";
$dbpass = "";
$conn = mysql_connect($dbhost, $dbuser, $dbpass);
if(! $conn )
{
die('Could not connect: ' . mysql_error());
}
echo 'Connected successfully';
mysql_select_db('studentInfo');
$sql = "SELECT * FROM studentInfoTable WHERE stName='$stName'";
$retval = mysql_query( $sql, $conn );
if(! $retval )
{
die('Could not get data: ' . mysql_error());
}
while($row = mysql_fetch_array($retval)
{
echo "$row['stName'] $row['stSurname'] <br> ";
}
echo "Fetched data successfully\n";
mysql_close($conn);
?>
CENG 449 Lecture 11
Slide 39 of 40
CENG 449 Lecture 11
Slide 40 of 40