Chapter 6 – Creating Web Forms and Validating User Input

Spring into PHP 5 by Steven Holzner

Slides were developed by Jack Davis

College of Information Science and Technology

Radford University

Upload: elwin-hoover

Post on 26-Dec-2015



2

Developing Web Applications

• In developing a web application, building the form is just the first step in collecting data. The input must be validated on the server to avoid wasted processing and to keep the effective response time down, and, more importantly, because anything the client sends can be arbitrary: a form field, a header or a query parameter can be crafted by hand without ever passing through your form.

A typical code structure that validates data might be:

validate_data();

if (count($errors) != 0) {
    display_errors();
    display_welcome();   // redisplay the form so the user can correct the input
} else {
    process_data();
}

3

Displaying All Form Data

• Here's a program that will display all the data being sent to the server program, a very useful debugging tool

<?php
// Dump everything in $_REQUEST (GET, POST and cookie data). Debugging only:
// the values come from the client, so they are escaped before being echoed,
// otherwise this page reflects any script a visitor puts in a parameter.
foreach ($_REQUEST as $key => $val) {
    if (is_array($val)) {
        foreach ($val as $item) {
            // $item, not $val: echoing the array itself just prints "Array"
            echo htmlspecialchars($key), " => ", htmlspecialchars($item), "<br />";
        }
    } else {
        echo htmlspecialchars($key), " => ", htmlspecialchars($val), "<br />";
    }
}
?>

4

Server Variables

• There's a special superglobal array, $_SERVER, that contains a great deal of information about the current request and the server environment. For example, $_SERVER['REQUEST_METHOD'] holds the request method that was used ("GET", "POST", and so on). Treat anything in it that originates in the request itself (the HTTP_* headers, and PHP_SELF, which is built from the request path) as untrusted input: validate it and escape it before echoing, just like form data.

'AUTH_TYPE' the authentication type in use when PHP handles HTTP authentication

'DOCUMENT_ROOT' root directory under which the script is executing, defined in the server configuration

'GATEWAY_INTERFACE' revision of the CGI specification the server is using, e.g. CGI/1.1

'PHP_SELF' filename of the currently executing script, relative to the document root; it includes any PATH_INFO the client appended to the URL, so never echo it unescaped

'REMOTE_ADDR' IP address from which the user is viewing the current page, taken from the TCP connection; behind a proxy or load balancer this is the proxy's address, not the user's

5

Server Variables (cont.)

• 'REQUEST_METHOD' request method used to access the page -- GET, POST, HEAD, PUT

'SERVER_NAME' name of the server host under which the script is executing

There are more; see pages 170 and 171 in your text.

6

Useful HTTP Headers

• A number of request headers are exposed through $_SERVER as well, with the header name upper-cased, hyphens replaced by underscores and an HTTP_ prefix. For example, $_SERVER['HTTP_USER_AGENT'] holds the User-Agent header, which identifies the user's browser. These values are whatever the client chose to send, so none of them can serve as a security check.

Some of the other entries --

'HTTP_REFERER' the address of the page (if any) that referred the user agent to the current page. Browsers omit it in many situations and a client can set it to anything, so do not use it for access control.

'HTTP_USER_AGENT' text of the User-Agent: header in the current request, if there is one. Denotes the browser that is accessing the page.

7

Redirecting with HTTP Headers

• You can read HTTP headers and send new ones back to the browser. The header() function sends a raw HTTP header. It must be called before any output (HTML, echo, even a blank line ahead of <?php), because the headers go out with the first byte of the body.

In the following script, the Button value submitted by the form is one of phpbuttons, phplistbox or phptextarea (the base names of the pages to redirect to).

To redirect via a PHP script:

<?php
// header() returns nothing, so there is nothing to echo. exit stops the
// script so no further output follows the redirect.
// Note: $_REQUEST['Button'] is client-controlled, so as written the client
// picks the destination (see below).
$redirect = "Location: " . $_REQUEST['Button'] . ".html";
header($redirect);
exit;
?>

Redirecting is often used with image maps. Building a Location header from a request value, as above, lets a visitor (or a link they were tricked into clicking) choose the destination: a Button value of //evil.example/x becomes Location: //evil.example/x.html, which the browser follows to another site (an open redirect). Validate the value against a fixed list of targets before using it.
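An allow-listed version of the redirect, added here as an example; it is not from the slides or the book. The three button names are the ones the slide lists; the .html file names, the 400 response for an unknown value and the 303 status code are assumptions made for the example.

```php
<?php
// Added example (not from the slides): redirect on the submitted Button
// value, but only to one of a fixed set of pages. The button names are the
// slide's; the .html targets are assumed.
$targets = array(
    'phpbuttons'  => 'phpbuttons.html',
    'phplistbox'  => 'phplistbox.html',
    'phptextarea' => 'phptextarea.html',
);

// Map a submitted value to a target page. Returns null for anything that is
// not exactly one of the allowed keys, so the client never composes the
// Location header.
function redirect_target(array $targets, $button)
{
    if (!is_string($button) || !isset($targets[$button])) {
        return null;
    }
    return $targets[$button];
}

$button = isset($_REQUEST['Button']) ? $_REQUEST['Button'] : '';
$target = redirect_target($targets, $button);

if ($target === null) {
    // Unknown or missing value: refuse rather than guess.
    header('HTTP/1.0 400 Bad Request');
    echo 'Unknown selection.';
    exit;
}

// Nothing has been output yet, so the header can still be sent. 303 makes
// the browser fetch the target with GET even though the form was POSTed.
header('Location: ' . $target, true, 303);
exit;
```

The lookup lives in a function that takes the table and the value as parameters, so it can be exercised without sending real headers. A relative Location (as in the slide) is accepted by browsers and permitted by RFC 7231; it also avoids building an absolute URL from the Host header, which the client controls too.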

8

Custom Arrays for Form Data

• You can have PHP build a custom array from form data by giving each text field a name with square brackets.

Set the name attribute in the form field as in the following:

<input name="textdata[name]" type="text" size="20" maxlength="30" />

In the receiving script, check that you really got an array: a client can send textdata=foo as a plain string instead, and then $text['name'] is a string offset, not the field you expect.

<?php
$text = isset($_REQUEST['textdata']) ? $_REQUEST['textdata'] : null;
if (is_array($text) && isset($text['name'])) {
    echo htmlspecialchars($text['name']);   // escape before displaying
}
?>

9

Single PHP Page Application

• Many web applications are written as a single PHP page: the same script displays the form and handles its submission. Say you wanted to get a single piece of data (like a name) from a user and then display that name along with some further request for data.

<html><head><title>Single PHP Page</title></head><body>
<h2>Using Text Fields</h2>
<?php if (isset($_REQUEST["Name"])) { ?>
  <!-- the value came from the client: escape it before displaying it -->
  <p>Your name is: <?php echo htmlspecialchars($_REQUEST["Name"]); ?></p>
<?php } else { ?>
  <!-- the field name must match the key tested above -->
  <form method="post" action="phptext.php">
    What's your name?
    <input name="Name" type="text" /><br /><br />

10

Single Page App (Cont.)

<input type="submit" value="submit" /></form>

<?php }?>

</body></html>

11

Validating Data

• Assume we're getting a name in a text field.

If the text field is empty (or missing from the request altogether) we can check for it as follows:

function validate_data()
{
    global $errors;
    // test isset() first: reading a missing key raises a notice, and a
    // hand-made request need not include the field at all
    if (!isset($_REQUEST["Name"]) || trim($_REQUEST["Name"]) == "") {
        $errors[] = "<span style=\"color:red;\">Please enter your name.</span>";
    }
}

Note the structure of a PHP/HTML document that includes a validating function (slide 2); pp. 181-185 in your text.

12

Regular Expressions

• PHP supports regular expressions for pattern matching, which is how most validation of entered data is done.

Here are three POSIX-regex functions used in pattern matching. They are the PHP 5 API the book uses; they were deprecated in PHP 5.3 and removed in PHP 7, where preg_match(), preg_split() and preg_replace() take their place.

ereg(), split(), ereg_replace()

Use ereg() to check whether a string contains a match for a pattern:

$ret = ereg("search pattern", "target string");

$ret is set to 1 if the pattern is found and FALSE otherwise

search pattern is the regular expression

target string is the string to be searched

13

Pattern Matching Example

•
$name = 'Jake Jackson';
$pattern = 'ke';
if (ereg($pattern, $name)) {
    print("Match");
} else {
    print("No match");
}

outputs Match since "ke" is found

The regular expressions these functions accept follow the IEEE POSIX 1003.2 standard.

there are several special characters that can be used to build patterns

^ means the pattern must appear at the start of the target string

$ means the pattern must appear at the end of the target string

14

Pattern Matching Characters

•+ matches 1 or more occurrences

* matches 0 or more occurrences

? matches 0 or 1 occurrences

. wildcard symbol matches any single character

| or symbol either pattern can be matched

[] any of the included set can be matched ^ at the beginning of the set means not these characters

{} specify a number of repetitions of a character in the pattern

-- note there are more, but these provide a good start

15

Pattern Matching Example

• Suppose we want to test that a client has entered a valid area code.

First, what do we know about area codes? Three digits; the first digit can't be 0; it can't be 911.

• Remember we can group characters using parentheses, anchor the pattern to the whole string with ^ and $, and count repetitions with {}.

16

Predefined Character Classes

• There are several predefined character classes that are typically used in patterns (they also work inside a bracket expression in PCRE).

[[:space:]] matches a single whitespace character (space, tab, newline and the like)

[[:alpha:]] matches any single letter (uppercase or lowercase)

[[:upper:]] matches any single uppercase letter

[[:lower:]] matches any single lowercase letter

[[:digit:]] matches any valid digit (0-9)

[[:punct:]] matches a single punctuation mark (? , . " ' ! ; : and others)

17

Using split()

• Use split() to break a string into pieces wherever the pattern matches.

$output = split(search_patt, target_st, max);

$output -- an array holding the pieces of the string between matches

search_patt -- the pattern to match

target_st -- the string to be searched

max -- optional; the array will contain at most this many elements, the last one holding the rest of the string

$line = 'Baseball, hot dogs, apple pie';
$item = split(',', $line);

$item[0] will contain Baseball, $item[1] will contain " hot dogs" and $item[2] will contain " apple pie" (the space after each comma stays with the piece unless the pattern includes it, e.g. ', ')

18

ereg_replace()

• Works like ereg(), but takes a second string that replaces the part of the target string matching the pattern.

$start = 'AC1001:Hammer:15:150';

$end = ereg_replace('Hammer', 'Drill', $start);

$end will now contain 'AC1001:Drill:15:150'
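The checks from slides 15, 17 and 18 written with the preg_* (PCRE) functions, added here as an example that is not from the slides or the book: ereg(), split() and ereg_replace() were deprecated in PHP 5.3 and removed in PHP 7, so new code uses preg_match(), preg_split() and preg_replace(). The function names and the sample inputs are constructed for this example; the area-code rule (three digits, first digit not 0, not 911) is the one slide 15 states.

```php
<?php
// Added example (not from the slides): the slides' checks with the PCRE
// functions that replace ereg(), split() and ereg_replace().

// Slide 15's area-code rule: exactly three digits, first digit not 0,
// and not 911. Returns true or false.
function valid_area_code($code)
{
    if (!is_string($code)) {
        return false;           // an array or null from $_REQUEST is not a code
    }
    // ^ and $ anchor the whole string; \d is [[:digit:]]. The D modifier
    // stops $ from matching just before a trailing newline, so "212\n"
    // is rejected rather than accepted.
    if (!preg_match('/^[1-9]\d{2}$/D', $code)) {
        return false;
    }
    return $code !== '911';
}

// Slide 13's substring test: preg_match() returns 1 for a match, 0 for none.
function contains_ke($name)
{
    return preg_match('/ke/', $name) === 1;
}

// Slide 17: split() -> preg_split(). The pattern also consumes the spaces
// after each comma, so the pieces come back without leading blanks.
function split_items($line)
{
    return preg_split('/,\s*/', $line);
}

// Slide 18: ereg_replace() -> preg_replace(). The search text goes through
// preg_quote() so that characters such as '.' or '+' in it stay literal.
function rename_product($record, $from, $to)
{
    return preg_replace('/' . preg_quote($from, '/') . '/', $to, $record);
}

// Constructed sample inputs, mirroring the slides' values.
var_dump(valid_area_code('212'));    // a normal area code
var_dump(valid_area_code('011'));    // exercises the leading-zero rule
var_dump(valid_area_code('911'));    // exercises the 911 rule
var_dump(valid_area_code("212\n")); // exercises the trailing-newline case
var_dump(contains_ke('Jake Jackson'));
print_r(split_items('Baseball, hot dogs, apple pie'));
echo rename_product('AC1001:Hammer:15:150', 'Hammer', 'Drill'), "\n";
```

Two habits worth keeping from this: anchor validation patterns at both ends (an unanchored `[1-9]\d{2}` would accept "abc212xyz"), and treat the `D` modifier as part of every `$`-anchored check on user input, since PCRE's `$` otherwise tolerates one trailing newline.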

19

Removing HTML Tags from Input

• Something you must watch out for is HTML in a user's text box, especially if you're going to display that text. Malicious users can put nasty HTML (including JavaScript) into submitted text, and the browser will execute it when you display that text (cross-site scripting). You can use the PHP strip_tags() function to remove all HTML tags from text.

function process_data()
{
    // strip_tags() removes the tags but keeps the text inside them
    $ok_text = strip_tags(isset($_REQUEST["Name"]) ? $_REQUEST["Name"] : "");
}

• If you don't want to strip HTML tags but want to render them harmless, use htmlentities() (or htmlspecialchars()) instead, which encodes the characters that have meaning to the HTML parser. For example, <b>Charles</b> becomes &lt;b&gt;Charles&lt;/b&gt;, and a browser displays that as the literal text <b>Charles</b> rather than bold text. Pass ENT_QUOTES and the charset, htmlentities($s, ENT_QUOTES, 'UTF-8'), so that single quotes are encoded too; without it a value placed inside a single-quoted attribute can still break out. Escaping at output time, everywhere the value is shown, is the reliable defence. strip_tags() is not a substitute: it gives no protection when the value ends up inside an attribute, a URL or a script block, and it silently discards legitimate input such as the less-than sign in "a < b".

20

Validating with JavaScript

• JavaScript embedded in an input form can validate data before it is sent to the server.

<form name="fm1" action="servpg.php" method="post" onsubmit="return checker()" >

Once the user clicks the submit button the checker() function runs. It can do pattern matching and other validation on the form fields; if it returns false the form is not submitted, and if it returns true it is. When the script detects a problem it can show the user a message (typically an alert dialog) prompting them to correct the data and submit again. This improves the user experience and saves a round trip, but it is not a security control: the form lives in the user's browser, where JavaScript can be disabled or edited, and a request can be sent directly (with curl, for instance) without any form at all. Every check made in JavaScript must be repeated on the server.
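A complete version of the single-page form (slides 2, 9 to 11) with the JavaScript checker from this slide and the output escaping from slide 19, added here as an example; it is not the slides' or the book's code. It keeps the slides' names (Name, validate_data, display_errors, display_welcome, process_data, checker, and phptext.php as the script's own file name, which is assumed) and the global $errors array. The name rule (2 to 30 letters, spaces, hyphens and apostrophes) is an assumption made for the example.

```php
<?php
// Added example (not from the slides): one page that shows the form, runs
// the client-side checker, and repeats the same rule on the server. Only
// the server-side check counts for security.
$errors = array();

// Escape untrusted text for an HTML text or attribute context.
function h($s)
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Collect problems into the global $errors array (the slides' structure).
// Assumed rule: required, 2-30 characters, letters, spaces, hyphens and
// apostrophes only. /D stops $ from ignoring a trailing newline.
function validate_data()
{
    global $errors;
    $name = isset($_POST['Name']) && is_string($_POST['Name']) ? trim($_POST['Name']) : '';
    if ($name === '') {
        $errors[] = 'Please enter your name.';
    } elseif (!preg_match("/^[A-Za-z][A-Za-z '-]{1,29}$/D", $name)) {
        $errors[] = 'Names may contain only letters, spaces, hyphens and apostrophes (2-30 characters).';
    }
}

function display_errors()
{
    global $errors;
    echo '<ul style="color:red">';
    foreach ($errors as $e) {
        echo '<li>', h($e), '</li>';
    }
    echo '</ul>';
}

// Show the form, re-filling the field with what was typed (escaped for an
// attribute) so the user can correct it.
function display_welcome()
{
    $prev = isset($_POST['Name']) && is_string($_POST['Name']) ? $_POST['Name'] : '';
?>
  <form name="fm1" method="post" action="phptext.php" onsubmit="return checker()">
    What's your name?
    <input name="Name" type="text" maxlength="30" value="<?php echo h($prev); ?>" />
    <input type="submit" value="submit" />
  </form>
  <script>
  // Client-side copy of the same rule: saves a round trip, proves nothing.
  function checker() {
      var v = document.fm1.Name.value;
      if (!/^[A-Za-z][A-Za-z '-]{1,29}$/.test(v)) {
          alert('Please enter a name of 2-30 letters.');
          return false;   // form is not submitted
      }
      return true;
  }
  </script>
<?php
}

// Reached only after validate_data() found no errors; still escaped on output.
function process_data()
{
    echo '<p>Your name is: ', h(trim($_POST['Name'])), '</p>';
}
?>
<html><head><title>Single PHP Page</title></head><body>
<h2>Using Text Fields</h2>
<?php
if (isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'POST') {
    validate_data();
    if (count($errors) != 0) {
        display_errors();
        display_welcome();
    } else {
        process_data();
    }
} else {
    display_welcome();
}
?>
</body></html>
```

The same regular expression appears twice on purpose: the JavaScript copy gives the user instant feedback, the PHP copy is the one an attacker cannot skip. Reading $_POST rather than $_REQUEST means a crafted link (GET) cannot drive the handler, and every echo of client data goes through h(), including the value written back into the input's value attribute.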

21

HTTP authentication

• PHP exposes HTTP Basic authentication credentials through $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] (when PHP runs as an Apache module; under CGI the Authorization header is normally not passed through). If PHP_AUTH_USER is not set, the script below sends a 401 response with a WWW-Authenticate header, which makes the browser prompt for credentials, and stops with exit; otherwise it welcomes the user by name. Note what it does not do: it never checks the password, so typing any name at all gets the welcome. A real login must compare the supplied password against a stored hash for that user. Basic authentication also sends the credentials base64-encoded (not encrypted) with every request, so it is only acceptable over HTTPS.

<?php
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="workgroup"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Sorry, you are not authorized.';
    exit;
} else {
    // the username is client-supplied: escape it before putting it in HTML
    echo 'Welcome, ', htmlspecialchars($_SERVER['PHP_AUTH_USER']), '.';
}
?>
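A version that verifies the password, added here as an example; it is not from the slides or the book. The user table and the password are constructed for the example (a real application loads stored hashes and never computes them at request time), the realm is the slide's, and password_hash()/password_verify() require PHP 5.5 or later.

```php
<?php
// Added example (not from the slides): Basic authentication that checks the
// password against a stored hash. The user table is a constructed sample.
$users = array(
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
);
// Hash of a throwaway value: verifying against it when the username is
// unknown costs the same time as a wrong password, so the response time
// does not reveal which usernames exist.
$dummy_hash = password_hash('not-a-real-password', PASSWORD_DEFAULT);

// Send the 401 challenge and stop.
function deny()
{
    header('WWW-Authenticate: Basic realm="workgroup"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Sorry, you are not authorized.';
    exit;
}

// Returns the username on success, null otherwise. Takes the credentials as
// parameters instead of reading $_SERVER so it can be tested directly.
function authenticate(array $users, $dummy_hash, $user, $pass)
{
    if (!is_string($user) || !is_string($pass)) {
        return null;
    }
    if (!isset($users[$user])) {
        password_verify($pass, $dummy_hash);   // burn the same time
        return null;
    }
    return password_verify($pass, $users[$user]) ? $user : null;
}

// Both entries are present only when the browser sent an Authorization
// header and PHP received it (Apache module, or a FastCGI setup that
// forwards the header).
if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
    deny();
}
$who = authenticate($users, $dummy_hash, $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
if ($who === null) {
    deny();
}
// The username is client-supplied: escape it before putting it in HTML.
echo 'Welcome, ', htmlspecialchars($who, ENT_QUOTES, 'UTF-8'), '.';
```

password_verify() does a constant-time comparison of the computed hash against the stored one, so there is no need for a hand-written comparison loop. The same deny() path is taken for a missing header, an unknown user and a wrong password, so the client learns only that the attempt failed.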