CHAPTER 4 (Notes)
4.1 Creating a webpage with GUI Components, Browser Role- GET and POST Methods, Server
Role
4.2 Form Controls- Text Box, Text Area, Radio Button, CheckBox, List, Buttons
4.3 Working with Multiple Forms- A web page having many forms, A form having multiple
submit Buttons
4.6 Session - Use of Session, Start Session, get session variables, destroy session
Creating Webpages :
• PHP was designed as a web-scripting language, and the majority of its use is for web
page creation.
• A dynamic website may have forms, sessions, and sometimes redirection etc.
• HTTP (the HyperText Transfer Protocol) governs how web browsers request files from web
servers and how the servers send the files back.
Variables:
• PHP creates six global arrays that contain the EGPCS (Environment, GET, POST, Cookie, Server) information.
$_COOKIE: Contains any cookie values passed as part of the request, where the keys of the
array are the names of the cookies.
$_GET: Contains any parameters that are part of a GET request, where the keys of the array are
the names of the form parameters.
$_POST: Contains any parameters that are part of a POST request, where the keys of the array
are
$_ENV: Contains the values of any environment variables, where the keys of the array are the
names
• These arrays are "superglobals": they are not only global, but are also visible from within function definitions without a global declaration.
• The $_SERVER array contains a lot of useful information from the web server.
• Much of this information comes from the environment variables required in the CGI
specification.
• When a web browser requests a web page, it sends an HTTP request message to a web server.
• The request message always includes some header information, and it sometimes
also includes a body.
• This line specifies an HTTP command, called a method, followed by the address of a document
and
• After this initial line, the request can contain optional header information that gives
the server additional data about the request.
• For Example:
User-Agent: Mozilla/5.0 (Windows 2000; U) Opera 6.0 [en]
Accept: image/gif, image/jpeg, text/*, */*
• The User-Agent header provides information about the web browser, while the Accept header
• After any headers, the request contains a blank line to indicate the end of the header section.
• The request can also contain additional data, if that is appropriate for
• If the request doesn’t contain any data, it ends with a blank line.
• The two most common HTTP methods are GET and POST.
• The GET method is designed for retrieving information, such as a document, an image, or the
• The POST method is meant for posting information, such as a credit card number or
information
• The GET method is what a web browser uses when the user types in a URL or clicks on a link.
• When the user submits a form, either the GET or POST method can be used, as specified
• A GET request encodes the form parameters in the URL in what is called a query string; the
text
/path/to/chunkify.php?word=despicable&length=3
• A POST request passes the form parameters in the body of the
• The most visible difference between GET and POST is the URL line. Because all of a form’s
parameters are encoded in the URL with a GET request, users can bookmark GET queries.
They
• The HTTP specification says that GET requests are idempotent, that is, one GET request for a
particular URL, including form parameters, is the same as two or more requests for that URL.
• Thus, web browsers can cache the response pages for GET requests, because the response
page
• Because of this idempotence, GET requests should be used only for queries such as splitting
a word into smaller chunks or multiplying numbers, where the response page is never going to
change.
• POST requests are not idempotent. This means that they cannot be cached, and the server is
• What you need to remember is that GET requests should not be used for any actions that
cause a
<html>
<head> </head>
<body>
<!-- form body reconstructed: the field names come from the PHP script below; no action is given in the notes -->
<form method="get">
User name: <input type="text" name="uname"> Password: <input type="password" name="pwd">
<input type="submit" value="Login">
</form>
</body>
</html>
PHP Script:
<html>
<head> </head>
<body>
<font size=5>
<?php
// the parameters may be absent from the query string; escape them before echoing into the page
$user=htmlspecialchars($_GET['uname'] ?? '');
$pass=htmlspecialchars($_GET['pwd'] ?? '');
echo "The user " .$user . " has logged in with Password " .$pass;
?>
</font>
</body>
</html>
<html>
<head> </head>
<body>
<!-- form body reconstructed: the field names come from the PHP script below; no action is given in the notes -->
<form method="post">
User name: <input type="text" name="uname"> Password: <input type="password" name="pwd">
<input type="submit" value="Login">
</form>
</body>
</html>
PHP Script:
<html>
<head> </head>
<body>
<font size=5>
<?php
// the parameters may be absent from the request body; escape them before echoing into the page
$user=htmlspecialchars($_POST['uname'] ?? '');
$pass=htmlspecialchars($_POST['pwd'] ?? '');
echo "The user " .$user . " has logged in with Password " .$pass;
?>
</font>
</body>
</html>
• GET
• Since the data sent by the GET method are displayed in the URL, it is possible to bookmark
the
• GET requests can be cached, and GET requests remain in the browser history.
• POST
• It is more secure than GET because user-entered information is not visible in the URL
query string or in the server's access logs.
• There is a much larger limit on the amount of data that can be passed and one can send text
• The GET method is not suitable for passing sensitive information such as the username and
password, because these are fully visible in the URL query string as well as potentially stored in
• Because the GET method assigns data to a server environment variable, the length of the URL
is
• POST
• Since the data sent by the POST method is not visible in the URL, it is not possible to
bookmark the page with a specific query.
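An added example (not from the notes) of the point made above about sensitive data: a login handler that accepts the `uname` and `pwd` fields from the scripts above only via POST, so the credentials never land in the URL, the browser history or the web server's access log, and that never echoes the password back into the page. The expected user name and the stored hash are constructed test values; `password_hash`, `password_verify`, `hash_equals` and `http_response_code` are standard PHP functions.

```php
<?php
// Added example: credentials are accepted only from the POST body and are
// checked against a stored hash; the plain password is never stored or printed.
// In a real application the hash would be read from a user store; here it is
// constructed at start-up purely for demonstration.
$EXPECTED_USER = 'alice';
$EXPECTED_HASH = password_hash('correct horse battery staple', PASSWORD_DEFAULT);

function handleLogin(string $method, array $post, string $expectedUser, string $expectedHash): array
{
    // Credentials in a query string would be logged and bookmarkable; refuse them.
    if ($method !== 'POST') {
        return [405, 'Use POST to submit the login form.'];
    }
    $user = $post['uname'] ?? '';
    $pass = $post['pwd'] ?? '';
    if ($user === '' || $pass === '') {
        return [400, 'Both fields are required.'];
    }
    // hash_equals and password_verify compare in constant time against stored values
    if (hash_equals($expectedUser, $user) && password_verify($pass, $expectedHash)) {
        // the user-supplied name is escaped before it goes into the page
        return [200, 'The user ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . ' has logged in.'];
    }
    // one message for both a wrong user and a wrong password
    return [401, 'Invalid username or password.'];
}

[$status, $message] = handleLogin($_SERVER['REQUEST_METHOD'] ?? 'GET', $_POST, $EXPECTED_USER, $EXPECTED_HASH);
http_response_code($status);
echo $message;
```

Point the POST form from the section above at this file to try it. A request that arrives with the fields in the query string gets a 405 and nothing is echoed, so a bookmarked or logged URL can never reveal a password; the success page shows the user name only, escaped, which is the practice formalised later under Webpage Validation.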
Form Controls:
• <input> Element: The most important form element is the <input> element.
• The <input> element can be displayed in several ways, depending on the type attribute.
• If the type attribute is omitted, the input field gets the default type: "text".
• The <option> element defines an option that can be selected. By default, the first item in the
4. input type="file" Creates a text box plus a button that opens a file
selection dialog
9. select A listbox
Example:
<html>
<body>
<!-- form reconstructed: the field names come from the PHP script below -->
<form method="get">
Name: <input type="text" name="name"> Age: <input type="text" name="age">
<input type="submit">
</form>
</body>
</html>
Example:
<?php
// escape the submitted values before echoing them into the page
$name = htmlspecialchars($_GET["name"] ?? '');
$age = htmlspecialchars($_GET["age"] ?? '');
echo "Your name is ". $name . " and you are ". $age . " years old";
?>
Output:
• When a form is submitted to a PHP script, PHP automatically creates a special $_POST or
$_GET
• Values entered into the form input fields are automatically converted to key-value
pairs in this array and can then be accessed using regular array notation.
• When the form is submitted, the submit button itself becomes an element in the $_POST array,
with a key corresponding to its "name". This is clearly visible by adding the line:
• You can look inside the array and clearly see the correspondence between the form controls
and
<html><head><title>Multi-button form</title></head>
<body>
<!-- form reconstructed: the field and button names come from the PHP script below -->
<form method="post">
Enter a number: <input type="text" name="number" size="3">
<input type="submit" name="add" value="Add 10">
<input type="submit" name="subtract" value="Subtract 10">
</form>
</body>
</html>
• Since both submit buttons will invoke the same PHP form processor, the PHP script must be
revised to "know" which one was clicked so it can respond appropriately.
• Since you already know that the submit button appears in the $_POST PHP array and is keyed
by its "name" attribute, it's simple to
(1) give each submit button in the form a unique name and
(2) write a simple "if" test at the top of the PHP form processor to see which of the two keys
appears in the
<html>
<head> </head>
<body>
<font size=5>
<?php
// only the clicked submit button is sent, so exactly one of the two keys is present
$number = (int)($_POST['number'] ?? 0);
if (!empty($_POST['add'])) {
print_r($number+10);
} else if (!empty($_POST['subtract'])) {
print_r($number-10);
} else { print_r($number); }
?>
</font>
</body>
</html>
• Depending on which button gets clicked, the appropriate value is passed to the
processing script and the corresponding "case" block is invoked.
• If you have a large number of submit buttons to deal with, this approach is easier to read and
An alternative to the previous example is to give all the submit buttons the same name but
different values:
<html>
<body>
<!-- form reconstructed: the button name and its values are not in the notes and are assumed here -->
<form method="post">
Enter a number: <input type="text" name="number_1" size="3"> <br> Enter another number:
<input type="text" name="number_2" size="3">
<br>
<input type="submit" name="operation" value="add">
<input type="submit" name="operation" value="subtract">
<input type="submit" name="operation" value="multiply">
</form>
</body>
</html>
<?php
// the switch header and case labels are missing from the notes; the button name
// ("operation") and its values are assumed here to match the three branches
$a = (int)($_POST['number_1'] ?? 0);
$b = (int)($_POST['number_2'] ?? 0);
switch ($_POST['operation'] ?? '') {
case 'add':
    print_r($a + $b);
    break;
case 'subtract':
    print_r($a - $b);
    break;
case 'multiply':
    print_r($a * $b);
    break;
} ?>
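For both multi-button patterns above (unique button names, and one name with different values), here is an added example that is not from the notes: the dispatch written as a function that can be exercised from the command line with constructed `$_POST` arrays, so you can see what the processor does when the button value is missing, when a value not produced by any button arrives, and when the numbers are not numeric. The field names `number_1`/`number_2` follow the notes; the button name `operation` and its values are assumptions.

```php
<?php
// Added example: same-name/different-values dispatch as a testable function.
// Field names number_1/number_2 follow the notes; "operation" and its values are assumed.

function dispatch(array $post): string
{
    // FILTER_VALIDATE_INT returns false for "", "abc", "1.5" and "12abc",
    // so a non-numeric field never reaches the arithmetic.
    $a = filter_var($post['number_1'] ?? '', FILTER_VALIDATE_INT);
    $b = filter_var($post['number_2'] ?? '', FILTER_VALIDATE_INT);
    if ($a === false || $b === false) {
        return 'error: both inputs must be whole numbers';
    }
    // Only the clicked submit button is sent, so at most one value arrives.
    // Anything else (no button, or a value our form never offers) is rejected.
    switch ($post['operation'] ?? '') {
        case 'add':      return (string)($a + $b);
        case 'subtract': return (string)($a - $b);
        case 'multiply': return (string)($a * $b);
        default:         return 'error: unknown operation';
    }
}

// Constructed submissions: what $_POST would contain in each case
$cases = [
    ['number_1' => '7',  'number_2' => '5', 'operation' => 'add'],
    ['number_1' => '7',  'number_2' => '5', 'operation' => 'multiply'],
    ['number_1' => '7',  'number_2' => '5'],                          // no button value
    ['number_1' => '7',  'number_2' => '5', 'operation' => 'divide'], // value not on the form
    ['number_1' => '7x', 'number_2' => '5', 'operation' => 'add'],    // not numeric
];
foreach ($cases as $post) {
    echo json_encode($post), ' => ', dispatch($post), "\n";
}
```

Run with `php dispatch_demo.php`. The `default` branch matters because nothing forces a client to send only the values printed on the buttons; a form processor that switches on a submitted value should treat every unlisted value as an error rather than falling through to a silent default computation.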
Webpage Validation:
Refer: https://www.w3schools.com/php/php_form_validation.asp
2) Server-side validation: after the data is submitted, it is sent to the server, which performs
$_SERVER["REQUEST_METHOD"].
• If the REQUEST_METHOD is POST, then the form has been submitted - and it should be
validated.
• If it has not been submitted, skip the validation and display a blank form.
• htmlspecialchars() function: All the variables should be passed through this PHP function.
• The htmlspecialchars() function converts special characters into HTML entities.
• This means that it will replace HTML characters like < and > with &lt; and &gt;.
• This prevents attackers from exploiting the code by injecting HTML or Javascript code
(Cross-site Scripting attacks) in forms.
<script>location.href('http://www.google.com')</script>
• Then this would not be executed, because it would be saved as HTML escaped code, like this:
&lt;script&gt;location.href('http://www.hacked.com')&lt;/script&gt;
• PHP trim(): It is used to strip unnecessary characters (extra space, tab, newline) from the user
input data
• Remove backslashes (\) from the user input data (with the PHP stripslashes() function)
• The next step is to create a function that will do all the checking for us (which is much more
convenient than writing the same code over and over again).
function test_input($data) {
$data = trim($data);
$data = stripslashes($data);
$data = htmlspecialchars($data);
return $data;
}
• In the following code we have added some new variables: $nameErr, $emailErr, $genderErr,
and $websiteErr.
• These error variables will hold error messages for the required fields.
empty() function).
• If it is empty, an error message is stored in the different error variables, and if it is not
empty, it sends the user input data through the test_input() function.
• The code below shows a simple way to check if the name field only contains letters and
whitespace. If the value of the name field is not valid, then store an error message:
$name = test_input($_POST["name"]);
if (!preg_match("/^[a-zA-Z-' ]*$/", $name)) {
$nameErr = "Only letters and whitespace allowed";
}
• The preg_match() function searches a string for pattern, returning true if the pattern exists,
and false otherwise.
Valid URL:
• The code below shows a way to check if a URL address syntax is valid (this regular expression
also allows dashes in the URL).
• If the URL address syntax is not valid, then store an error message:
$website = test_input($_POST["site"]);
// regular expression as given on the referenced w3schools page
if (!preg_match("/\b(?:(?:https?|ftp):\/\/|www\.)[-a-z0-9+&@#\/%?=~_|!:,.;]*[-a-z0-9+&@#\/%=~_|]/i", $website)) {
$websiteErr = "Invalid URL";
}
Valid Email:
• The easiest and safest way to check whether an email address is valid is to use PHP's filter_var()
function.
• In the code below, if the e-mail address is not well-formed, then store an error message:
$email = test_input($_POST["email"]);
if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
$emailErr = "Invalid email format";
}
• The above check verifies whether the given email address is well-formed. If it is not, it
stores an error message.
<?php
$email = "user@example.com";   // constructed sample address; the value in the notes was lost in extraction
// Validate e-mail
if (filter_var($email, FILTER_VALIDATE_EMAIL)) {
echo "$email is a valid email address";
} else {
echo "$email is not a valid email address";
}
?>
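The validation steps above (REQUEST_METHOD check, trim/stripslashes, the name, e-mail and URL checks, error variables) combined into one self-processing form, as an added example that is not from the notes or from w3schools. Field names `name`, `email` and `site` follow the notes. Two choices differ from the fragments above and are mine: the checks run on the trimmed raw value and `htmlspecialchars()` is applied only when a value is written back into the page, and the URL check uses `FILTER_VALIDATE_URL` plus a scheme whitelist instead of the regular expression.

```php
<?php
// Added example: complete server-side validation of a three-field form.
// Validation is done on the raw (trimmed) value; escaping happens at output time.

function validateForm(array $post): array
{
    $errors = [];
    $values = [];

    $name = stripslashes(trim($post['name'] ?? ''));
    if ($name === '') {
        $errors['name'] = 'Name is required';
    } elseif (!preg_match("/^[a-zA-Z-' ]*$/", $name)) {
        $errors['name'] = 'Only letters and whitespace allowed';
    }
    $values['name'] = $name;

    $email = stripslashes(trim($post['email'] ?? ''));
    if ($email === '') {
        $errors['email'] = 'Email is required';
    } elseif (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        $errors['email'] = 'Invalid email format';
    }
    $values['email'] = $email;

    // The website is optional. FILTER_VALIDATE_URL accepts any scheme, so the
    // scheme is restricted to http/https as well (rejects e.g. javascript: URLs).
    $site = stripslashes(trim($post['site'] ?? ''));
    if ($site !== '') {
        $scheme = strtolower((string)parse_url($site, PHP_URL_SCHEME));
        if (!filter_var($site, FILTER_VALIDATE_URL) || !in_array($scheme, ['http', 'https'], true)) {
            $errors['site'] = 'Invalid URL';
        }
    }
    $values['site'] = $site;

    return [$values, $errors];
}

// Escape once, at output time, so whatever was typed is rendered as text, never as markup.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

$submitted = (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST');
$values = ['name' => '', 'email' => '', 'site' => ''];
$errors = [];
if ($submitted) {
    [$values, $errors] = validateForm($_POST);
}
?>
<!DOCTYPE html>
<html>
<body>
<form method="post">
  Name:    <input type="text" name="name"  value="<?php echo h($values['name']); ?>">
           <span><?php echo h($errors['name'] ?? ''); ?></span><br>
  E-mail:  <input type="text" name="email" value="<?php echo h($values['email']); ?>">
           <span><?php echo h($errors['email'] ?? ''); ?></span><br>
  Website: <input type="text" name="site"  value="<?php echo h($values['site']); ?>">
           <span><?php echo h($errors['site'] ?? ''); ?></span><br>
  <input type="submit" value="Submit">
</form>
<?php if ($submitted && !$errors): ?>
<p>Submitted: <?php echo h($values['name']); ?> (<?php echo h($values['email']); ?>)</p>
<?php endif; ?>
</body>
</html>
```

Why validate before escaping: `test_input()` as given above runs `htmlspecialchars()` first, and with PHP's default flags a name such as `O'Brien` becomes `O&#039;Brien`, which the letters-and-whitespace regex then rejects even though the apostrophe is allowed. Keeping the stored value raw and escaping only in `h()` at output avoids that false rejection while still preventing injected markup from reaching the browser.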