Recall that when submitting a form to the server, we need to be able to individually identify each input field. In previous examples, we used the id attribute to identify elements in the DOM. We will now use the name attribute to identify the elements that will sent to the server. Of course, both of these attributes can be used at the same time.
Each input field should be given a name attribute in the form name="a_meaningful_name". When the form is sent to the server (we’ll see shortly how to do this), you will be able to access these input fields using the specified name and extract the value corresponding to this input field.
Recall that tTo submit a form, we create a button with a type attribute of submit. When this button is selected, the form will be sent to the server. Submitting a form typically means that the browser navigates to the page indicated by the form’s action attribute. Below is a simple form with a button of type submit and an action attribute. In this form the action is a PHP function submit.php that runs server side and receives the form and returns data to the browser.
You may have noticed a second attribute associated with the form, method=POST. There are two types of protocols for sending information to the server, GET and POST. Each have their relative strenghts and weaknesses which we won’t get into at this point. For now, we will focus on the POST method.
Run this script, enter some text into each field and select the Log in submit button. After submitting, the server-side script will receive the name and password you typed, and return some information to you. We will soon learn how to handle these requests server-side (see PHP lectures).
Let’s now look at the server side PHP code submit.php. This code, which resides on the same server that hosts the webpage, contains just a few lines of code:
The first line <?php and last line ?> define the beginning and end of the PHP code. Everything between these lines is the code to be executed. In this example, the code consists of two lines, each of which simply prints some text (using the command print). This printed text is sent back to the client and displayed in place of the original form. This printed text can be something as simple as unformatted text, as in our example, or can also contain html code that will be properly interpreted by the browser. Regardless of what is printed in the PHP script, something has to be returned to the client to replace the page containing the submission form.
Let’s look more closely at these two lines of code. First, the print command is similar to the Javascript print command. This command prints what appears in quotes. And, like Javascript, commands in PHP end with a semicolon. In the above PHP code, The first line of code prints “Welcome” followed by the name entered by the user. We can extract this user-data sent by the form using:
$_POST["name"];
where the string in quotes is the name specfied by the input field in the form. The . between the string literal “Welcome” and this user-data is string concatentation.
The second command prints how many characters are in the user’s password. This is done by concatenating (using .) the string “, your password has” to the number of characters that we compute to the string " characters“. The number of characters is determined in two steps: we first extract the password sent to us by the form, $_POST["password"]; and then call the PHP function strlen to determine how long this string is. As with Javascript, strlen is a function that takes a single parameter as input. In our example, this parameter is a variable that contains the user-specified data.
The client-server communication is made easy for us because all of the details of the communication between the client and server are abstracted out. The only thing that we need to receive data from the client is to point the client form to our server-side PHP script, know the name of the input fields in the client form, and then extract that data using the $_POST["..."] notation.
You may be wondering about the $ in front of _POST["..."]. Variables in PHP are all proceeded with a $. This is done primarily because unlike in Javascript, variables are not explicitly declared before using them. For example, here is a version of the previous submit.php code in which the name password length are stored in variables, and then these variables are used in the print commands.
Although syntactically a little different from Javascript, conceptually, PHP and Javascript (and most other programming languages) are similar. Although we won’t describe all of the details of PHP, let’s look at a few basic constructs.
The basic data types include: string, integer, float, and boolean. PHP also supports arrays and objects. Below is an array with five elements, and each element of the array can be accessed with an integer index (starting at 0). Notice the similarity to arrays in Javascript. The only difference is that our variable name has a $ prefix and the array is defined with the function array(...), instead of [...]. As with Javascript, arrays in PHP are indexed starting at 0.
Conditionals in PHP take a similar form to Javascript (note though that elseif is one word). And, // are used for comments.
While- and for-loops in PHP also use the same syntax as in Javascript.
Massive to small data breaches have become a regular part of our lives. These are the somewhat inevitable consequence of the complexity of the systems that we have built, the collection of massive amounts of valuable information in one source, and the relative low-risk nature of hacking a system from the opposite side of the globe.
Organizations devote a significant amount of time and resources to constantly securing their users’ data. Perhaps one of the greatest vulnerabilities is the so called code-injection attack. These attacks work by entering computer code into a form’s input field (similar to the ones above) and then when this data is extracted on the server and, for example, inserted into a SQL database, the code is run and either deletes data or gives the adversary control of the server-side computer and database. Although we won’t go into detail here, you should be aware that there are mechanisms for protecting against code-injection and these absolutely must be taken in order to protect your site and your users’ data.