PHP Form Handling Example

In this tutorial, we will create a simple HTML form with different types of inputs and then write PHP code for processing the form-data when submitted.

We will also learn some useful tips for processing the form-data, such as checking for empty input values, validating fields, etc. So let's get started.


The HTML Form

We will be creating an HTML form with 2 text fields for name and email, 1 textarea for the user to provide a self-description (more like an "about me") and a radio button set for asking the user's gender.

Below we have the HTML code for the form.

<html>
    <body>

        <form action="form-handler.php" method="POST">
        
            Name: <input type="text" name="name"> <br/>
            Email: <input type="text" name="email"> <br/>
            
            About Me:<br/> 
            <textarea name="aboutme"></textarea> <br/>
            
            Gender: 
            <input type="radio" name="gender" value="female"> Female
            <input type="radio" name="gender" value="male"> Male
            <br/>
            <input type="submit" name="submit" value="Submit">
        </form>

    </body>
</html>


The PHP Code

In the above form we are asking the user for 4 different inputs. Let's see how we can fetch the submitted values for the fields in PHP.

<?php

// getting the value of name field
$name = $_POST["name"];
// getting the value of the email field
$email = $_POST["email"];
// getting the value of the aboutme field
$aboutme = $_POST["aboutme"];
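// getting the value of the radio buttons; the key is absent from $_POST
// when no option was selected, so fall back to an empty string
$gender = $_POST["gender"] ?? "";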

?>

Easy, right? Yes, to access the form-data for different types of HTML form elements, all you need is $_POST.

But an HTML form is also an entry point for attackers, who can enter script or other malicious code into the input fields to cause errors or other issues in your PHP script.

To tackle this, it's good practice to add validations in the PHP code that check the user inputs submitted in the form-data.


PHP Form Validation

Now we will learn some basic validations that can be easily applied to the submitted form-data to validate it before performing any action on it.

<?php

// getting the value of name field
$name = $_POST["name"];
// check if name is empty or not
if(empty($name)) {
    echo "Name is required";
}

?>

In the code above we are checking whether the user has entered a name value in the form or not. Similarly, you can put a check on all the mandatory form fields.

To validate an email address, PHP provides a special function: filter_var($email, FILTER_VALIDATE_EMAIL). Let's see how it works.

<?php

// getting the value of the email field
$email = $_POST["email"];

// checking if the email value is valid
if(!filter_var($email, FILTER_VALIDATE_EMAIL)) {
    echo "Email value invalid";
}

?>

The filter_var() function returns true for a valid email address and returns false for an invalid email address.

Validating a form in PHP depends on your requirements too. For example, if you don't have any mandatory fields in your form, then you don't have to worry about checking whether the submitted values are empty or not.

If you have an email address field, we suggest you validate it.

You can even add more validations, like checking the input for malicious code such as <script> tags using regular expressions.
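
The checks from this section combined into one handler, as an added example that is not part of the original tutorial. validate_form() and e() are hypothetical helper names and the sample submission is constructed; the allow-list check on the radio value and the htmlspecialchars() encoding of output go beyond the checks shown above.

```php
<?php
// Added example, not the tutorial's own code. validate_form() and e()
// are hypothetical helper names; the sample submission is constructed.

function validate_form(array $post): array
{
    $errors = [];
    $clean  = [];
    // A missing key (no radio selected) or a non-string value such as
    // name[]=x becomes an empty string instead of raising a warning.
    foreach (["name", "email", "aboutme", "gender"] as $field) {
        $value = $post[$field] ?? "";
        $clean[$field] = is_string($value) ? trim($value) : "";
    }
    if ($clean["name"] === "") {
        $errors["name"] = "Name is required";
    }
    // filter_var() yields false when the address does not validate.
    if (filter_var($clean["email"], FILTER_VALIDATE_EMAIL) === false) {
        $errors["email"] = "Email value invalid";
    }
    // A radio group has a fixed set of values: compare against an allow-list.
    if (!in_array($clean["gender"], ["female", "male"], true)) {
        $errors["gender"] = "Gender value invalid";
    }
    return [$errors, $clean];
}

// Encode at output time so submitted markup is displayed as text.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, "UTF-8");
}

// Constructed submission: markup in name, bad email, no gender selected.
$sample = [
    "name"    => "<b>Alice</b>",
    "email"   => "not-an-email",
    "aboutme" => "Hello",
];
[$errors, $clean] = validate_form($sample);
foreach ($errors as $field => $message) {
    echo e($field) . ": " . e($message) . "\n";
}
echo "Name rendered as: " . e($clean["name"]) . "\n";
```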


What is $_SERVER["PHP_SELF"]?

Sometimes we can avoid having an extra PHP file to handle/process the form-data and can include the PHP code in the file with the HTML form itself.

In such scenarios, we will have to submit the form to the same webpage again, and we can use $_SERVER["PHP_SELF"] as the form action.

<form action="<?php echo $_SERVER["PHP_SELF"];  ?>" method="POST">

$_SERVER["PHP_SELF"] returns the filename of the current webpage, which then acts as the action script.

But because this value is taken from the requested URL, you must be a little careful: a user may inject unwanted code through the URL, and the form would then print it into the page (a cross-site scripting attack). To avoid this, we can use the htmlspecialchars() function to convert any special characters in the string (the URL in this case) into HTML entities.

So you should use:

<form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);  ?>" method="POST">