PHP Question: Form Variables

22nd April 2011

Question

Given the following form:

  1.  

How would you get hold of the value of the input box after the form is submitted?

Answer

To get hold of the input box here we would use the $_POST superglobal array. This array is filled in with everything that was submitted from the form, including the value of the submit button. It is a good idea to use the isset() function to check to see if the value has been set before asking for it or your code will produce warnings and notices.

    // Only read the field once we know the form actually sent it.
    if (isset($_POST['text'])) {
        $text = $_POST['text'];
    }

We use the $_POST superglobal because the method of the form is 'post'. If the method was left out, or set to 'get' then we would use the $_GET superglobal array instead. This works in the same way as $_POST.

It is theoretically possible to get hold of this data using the $_REQUEST superglobal, as in the following example.

    // Same check, but $_REQUEST does not tell you where the value came from.
    if (isset($_REQUEST['text'])) {
        $text = $_REQUEST['text'];
    }

The $_REQUEST superglobal array takes the value of a variable from the $_COOKIE, $_GET and $_POST superglobals. The problem is that, by default, any $_COOKIE value overrides the $_GET and $_POST variables of the same name, which means that if an attacker manages to set a cookie on the user's machine they can override any form data that user submits. This is especially dangerous if the field carries password information. As of PHP 5.3 the request_order directive can be used to change the order in which $_REQUEST is filled, and it can also be set to ignore $_COOKIE altogether. It is, however, best to avoid using $_REQUEST for now, as it is considered somewhat insecure.

Of course, just accepting values from the $_GET and $_POST superglobal arrays unchecked is very dangerous. It is essential to use functions like strip_tags() and some form of escaping function to avoid security issues like SQL injection attacks or cross-site scripting. To escape a string you can either use addslashes() or the preferred database-specific functions like mysql_real_escape_string(), but beware that you need an active database connection to use that sort of function. The example below shows a dodgy string that a user might try to enter in order to cause a popup box to be shown when it is printed out to the browser. The attack is prevented by stripping the tags and escaping the result properly.

    // Constructed example of a hostile value a user might submit in the text field.
    $input = '<script type="text/javascript">
    <!--//--><![CDATA[// ><!--
    alert("boo!");
    //--><!]]>
    </script>';

    // Remove the HTML tags first, then escape quotes and backslashes.
    $text = addslashes(strip_tags($input));

    // An open connection is only required if you switch to
    // mysql_real_escape_string() instead of addslashes().
    mysql_connect('hostname', 'username', 'password');

    echo $text;

The $text variable now contains "alert('boo');" and will not be executed if printed out. Similarly, any SQL injection attacks would also fail because the injection code would be overridden and inserted as is into the database. This knowledge is fairly simple but is an essential part of a PHP developer's skill set.
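As an added example (not code from the original post), the script below simulates how $_REQUEST is assembled from $_GET, $_POST and $_COOKIE under a given order string, showing that with the default "GPC" order a cookie of the same name wins over the submitted field, and then handles the field the safer way: read it from $_POST only, bind it with a PDO prepared statement and escape it with htmlspecialchars() on output. The build_request() function, the sample arrays and the in-memory SQLite database (assumed available via pdo_sqlite, standing in for MySQL) are all constructed for this illustration; PDO and htmlspecialchars() are swapped in for the strip_tags()/addslashes() approach above.

```php
<?php
// Added example: how $_REQUEST precedence works, and a safer way to
// accept, store and print a form field. Not part of the original post.
declare(strict_types=1);

// Constructed sample input: what a browser might send for the form above.
// The cookie deliberately uses the same name as the text field.
$get    = [];
$post   = ['text' => 'hello from the form', 'submit' => 'Submit'];
$cookie = ['text' => 'value planted in a cookie'];

// Mimic PHP's merging rule for $_REQUEST: sources are applied in the
// order given, so a later source overwrites an earlier one.
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $request = array_merge($request, $sources[$letter]);
        }
    }
    return $request;
}

// "GPC" matches the default variables_order of "EGPCS": the cookie
// overrides the value the user typed into the form.
$r1 = build_request('GPC', $get, $post, $cookie);
echo "GPC -> ", $r1['text'], "\n";

// "GP" (a request_order that leaves cookies out) keeps the form value.
$r2 = build_request('GP', $get, $post, $cookie);
echo "GP  -> ", $r2['text'], "\n";

// Safer handling: read from $_POST only, check it is set, bind it as a
// parameter so it is never interpreted as SQL, and escape it for HTML
// when printing so it is never interpreted as markup.
$_POST = ['text' => '<script>alert("boo!");</script>'];  // constructed
$text = isset($_POST['text']) ? $_POST['text'] : '';

$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE messages (body TEXT)');
$stmt = $pdo->prepare('INSERT INTO messages (body) VALUES (:body)');
$stmt->execute([':body' => $text]);   // stored verbatim as data

$stored = $pdo->query('SELECT body FROM messages')->fetchColumn();
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";
```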

Comments


I guess it could be something like $value = addslashes($_POST["text"]);

Mihai Baboi (Sat, 04/23/2011 - 11:18)


Concerning form data you should prefer to use PDO and prepared statements in order to prevent SQL injections.

Greats from Germany
Jan

Jan (Thu, 09/08/2011 - 18:07)
