Step 9 of 16
Working with Forms and HTTP
PHP Programming
PHP was built for the web, and handling HTTP requests — especially form submissions — is one of its core strengths. Understanding how to receive form data, validate and sanitize input, manage sessions and cookies, and generate appropriate HTTP responses is essential for building web applications. PHP provides superglobal arrays like $_GET, $_POST, $_SESSION, and $_COOKIE that give you direct access to HTTP request data, making web development straightforward and intuitive.
Form Handling
<!-- HTML form -->
<form method="POST" action="process.php">
    <input type="text" name="username" required>
    <input type="email" name="email" required>
    <select name="role">
        <option value="user">User</option>
        <option value="admin">Admin</option>
    </select>
    <input type="checkbox" name="terms" value="1"> Accept Terms
    <button type="submit">Register</button>
</form>
<?php
// process.php
// Only accept submissions; send anything else back to the form.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('Location: /form.html');
    exit;
}

// Accessing form data (trim once so validation and storage see the same value)
$username = trim($_POST['username'] ?? '');
$email = trim($_POST['email'] ?? '');
$role = $_POST['role'] ?? 'user';
$accepted_terms = isset($_POST['terms']);

// Validation
$errors = [];
if ($username === '') {
    $errors[] = "Username is required";
} elseif (strlen($username) < 3) {
    $errors[] = "Username must be at least 3 characters";
}
if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
    $errors[] = "Invalid email address";
}
// Whitelist the <select> value; the browser can send any string, not just the listed options.
// In a real app, self-registration must not be able to grant itself 'admin'.
if (!in_array($role, ['user', 'admin'], true)) {
    $errors[] = "Invalid role";
}
if (!$accepted_terms) {
    $errors[] = "You must accept the terms";
}

if (!empty($errors)) {
    // Return errors (in a real app, redirect back with errors)
    foreach ($errors as $error) {
        echo "<p class='error'>" . htmlspecialchars($error, ENT_QUOTES, 'UTF-8') . "</p>";
    }
} else {
    // Process the valid data: escape for HTML at output time
    $sanitized_username = htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
    $sanitized_email = filter_var($email, FILTER_SANITIZE_EMAIL);
    echo "Registration successful for $sanitized_username!";
}
?>
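The form above offers an "Admin" option, and the handler takes whatever role the browser sends. The following is an added example, not the lesson's code, showing validation written as a reusable function that treats the privileged field the way a server must: the set of roles a visitor may choose for themselves is a server-side whitelist, unknown values are rejected rather than defaulted, and HTML escaping happens only at output. The function names (validateRegistration, e), the username pattern and the constructed submissions are my own assumptions.

```php
<?php
// Added example (not from the original lesson): validation that keeps the
// server in charge of privileged fields and escapes only at output time.
declare(strict_types=1);

const ALLOWED_ROLES = ['user'];                    // roles a visitor may pick for themselves (assumption)
const USERNAME_PATTERN = '/^[A-Za-z0-9_]{3,32}$/'; // assumed policy for this example

/**
 * Validate a registration submission.
 * $post is the raw request array ($_POST in production; constructed below).
 * Returns ['errors' => [field => message], 'data' => [field => clean value]].
 */
function validateRegistration(array $post): array
{
    $errors = [];
    $data = [];

    $username = trim((string)($post['username'] ?? ''));
    if ($username === '') {
        $errors['username'] = 'Username is required';
    } elseif (!preg_match(USERNAME_PATTERN, $username)) {
        $errors['username'] = 'Username must be 3-32 letters, digits or underscores';
    } else {
        $data['username'] = $username;
    }

    $email = trim((string)($post['email'] ?? ''));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || strlen($email) > 254) {
        $errors['email'] = 'Invalid email address';
    } else {
        $data['email'] = $email;
    }

    // Whitelist, never trust: an unknown or privileged value is rejected, not "fixed".
    $role = (string)($post['role'] ?? 'user');
    if (!in_array($role, ALLOWED_ROLES, true)) {
        $errors['role'] = 'Invalid role';
    } else {
        $data['role'] = $role;
    }

    // The checkbox only arrives when ticked; require its exact value.
    if (($post['terms'] ?? '') !== '1') {
        $errors['terms'] = 'You must accept the terms';
    }

    return ['errors' => $errors, 'data' => $data];
}

/** Escape for an HTML text or attribute context. Applied when rendering, never when storing. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed submissions standing in for $_POST.
$submissions = [
    'valid'       => ['username' => 'alice_01', 'email' => 'alice@example.com', 'role' => 'user', 'terms' => '1'],
    'self_admin'  => ['username' => 'mallory', 'email' => 'm@example.com', 'role' => 'admin', 'terms' => '1'],
    'markup_name' => ['username' => '<b>x</b>', 'email' => 'not-an-email', 'terms' => '1'],
];

foreach ($submissions as $label => $post) {
    $result = validateRegistration($post);
    if ($result['errors'] === []) {
        echo "$label: accepted, would create " . e($result['data']['username']) . "\n";
    } else {
        echo "$label: rejected (" . e(implode('; ', $result['errors'])) . ")\n";
    }
}
```

Run it from the command line with php to see the three outcomes. The point of rejecting an unlisted role rather than silently substituting 'user' is that a rejected request is visible in logs and error handling, whereas a silent downgrade hides the fact that a client sent a value the form never offered.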
Sessions
<?php
session_start();

// Setting session data
$_SESSION['user_id'] = 123;
$_SESSION['username'] = 'Alice';
$_SESSION['logged_in'] = true;

// Reading session data (escape before echoing into HTML)
if (isset($_SESSION['logged_in']) && $_SESSION['logged_in']) {
    echo "Welcome back, " . htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8') . "!";
}

// Authentication check function
function requireAuth(): void {
    // Only start a session if none is active; a second session_start() emits a notice
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isset($_SESSION['user_id'])) {
        header('Location: /login.php');
        exit;
    }
}

// Login handler
function login(string $email, string $password): bool {
    // In a real app, fetch user from database
    $user = getUserByEmail($email); // Hypothetical function
    if ($user && password_verify($password, $user['password_hash'])) {
        session_regenerate_id(true); // Prevent session fixation: the pre-login id is discarded
        $_SESSION['user_id'] = $user['id'];
        $_SESSION['username'] = $user['name'];
        $_SESSION['logged_in'] = true;
        return true;
    }
    return false;
}

// Logout
function logout(): void {
    $_SESSION = [];
    // Expire the session cookie in the browser using the same parameters it was set with
    if (isset($_COOKIE[session_name()])) {
        $params = session_get_cookie_params();
        setcookie(session_name(), '', time() - 3600, $params['path'], $params['domain'],
            $params['secure'], $params['httponly']);
    }
    session_destroy();
    header('Location: /login.php');
    exit;
}
?>
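The block above regenerates the id at login, but says nothing about how the session cookie itself is issued or how long a session may sit idle. As an added example (not the lesson's code), here is a session bootstrap that sets the cookie flags a practitioner would expect, enforces an idle timeout, rotates the id periodically, and can be called from any page without tripping the "session already started" notice. The function names, the timeout values and the SameSite choice are assumptions for this example.

```php
<?php
// Added example (not from the original lesson): hardened session bootstrap.
declare(strict_types=1);

const SESSION_IDLE_LIMIT = 1800;   // seconds of inactivity before the session is discarded (assumption)
const SESSION_ROTATE_EVERY = 300;  // rotate the id this often even while active (assumption)

function startSecureSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // idempotent: safe to call from requireAuth(), login handlers, templates
    }
    // Strict mode refuses ids the server did not issue, which defeats fixation
    // via a pre-chosen cookie; only-cookies stops ids travelling in the URL.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params([
        'lifetime' => 0,       // browser-session cookie
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,    // HTTPS only; the cookie is never sent over plain HTTP
        'httponly' => true,    // not readable from JavaScript, limiting the impact of XSS
        'samesite' => 'Lax',   // not sent on cross-site POSTs; use 'Strict' if the app can tolerate it
    ]);
    session_start();

    $now = time();
    if (isset($_SESSION['last_activity']) && $now - $_SESSION['last_activity'] > SESSION_IDLE_LIMIT) {
        // Idle too long: drop all state and issue a fresh id rather than resuming
        $_SESSION = [];
        session_regenerate_id(true);
    }
    $_SESSION['last_activity'] = $now;

    if (!isset($_SESSION['created']) || $now - $_SESSION['created'] > SESSION_ROTATE_EVERY) {
        session_regenerate_id(true); // shorten the useful life of any leaked id
        $_SESSION['created'] = $now;
    }
}

function requireAuth(): void
{
    startSecureSession();
    if (empty($_SESSION['user_id'])) {
        header('Location: /login.php');
        exit;
    }
}

/** Call this after credentials have been verified (as login() above does with password_verify()). */
function establishLogin(int $userId, string $name): void
{
    startSecureSession();
    session_regenerate_id(true); // the anonymous pre-login id must never become an authenticated one
    $_SESSION['user_id'] = $userId;
    $_SESSION['username'] = $name;
    $_SESSION['logged_in'] = true;
    $_SESSION['created'] = time();
}
```

Everything here must run before any output is sent, since both ini_set() for session settings and session_set_cookie_params() are ignored once session_start() has already run, and headers cannot be changed once the body has started.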
Working with JSON APIs
<?php
// Receiving JSON requests
header('Content-Type: application/json');
$input = json_decode(file_get_contents('php://input'), true);
// Reject malformed JSON, and valid JSON that is not an object (a bare string or number
// would make $input['name'] below fail)
if (json_last_error() !== JSON_ERROR_NONE || !is_array($input)) {
    http_response_code(400);
    echo json_encode(['error' => 'Invalid JSON']);
    exit;
}

// Processing and responding
$name = $input['name'] ?? null;
if (!is_string($name) || $name === '') {
    http_response_code(422);
    echo json_encode(['error' => 'Name is required']);
    exit;
}
$response = [
    'success' => true,
    'data' => ['id' => 1, 'name' => $name],
    'message' => 'User created successfully'
];
http_response_code(201);
echo json_encode($response, JSON_PRETTY_PRINT);

// Making HTTP requests with cURL
function apiRequest(string $url, string $method = 'GET', ?array $data = null): array {
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER => ['Content-Type: application/json', 'Accept: application/json'],
        CURLOPT_TIMEOUT => 30,
        CURLOPT_CUSTOMREQUEST => $method, // GET, POST, PUT, DELETE, ...
    ]);
    if ($data !== null) {
        curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data));
    }
    $response = curl_exec($ch);
    // curl_exec() returns false on transport errors (DNS, timeout, TLS); report them
    // instead of handing false to json_decode()
    if ($response === false) {
        $error = curl_error($ch);
        curl_close($ch);
        return ['status' => 0, 'data' => null, 'error' => $error];
    }
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    return ['status' => $status, 'data' => json_decode($response, true)];
}
?>
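The block above decodes whatever arrives on php://input and checks json_last_error() afterwards. As an added example (not the lesson's code), the parser below makes the checks explicit: it requires the JSON media type, bounds the body size and nesting depth before decoding, uses JSON_THROW_ON_ERROR so a parse failure cannot be missed, and rejects valid JSON that is not an object. The body and Content-Type are passed in as parameters so the function can be exercised offline; in production you would pass file_get_contents('php://input') and $_SERVER['CONTENT_TYPE']. The function names, limits and the constructed request bodies are my own assumptions.

```php
<?php
// Added example (not from the original lesson): defensive JSON request parsing
// plus a small response helper that always sets status and Content-Type together.
declare(strict_types=1);

const MAX_JSON_BODY = 65536; // bytes; reject oversized bodies before decoding (assumption)
const MAX_JSON_DEPTH = 16;   // nesting limit passed to json_decode() (assumption)

/** Emit a JSON response and stop. Keeps status code and headers consistent across handlers. */
function sendJson(int $status, array $payload): void
{
    http_response_code($status);
    header('Content-Type: application/json; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    echo json_encode($payload, JSON_THROW_ON_ERROR | JSON_UNESCAPED_SLASHES);
    exit;
}

/**
 * Decode a request body that must be a JSON object.
 * Returns the decoded array, or null with $error set to a client-safe message.
 */
function parseJsonBody(string $rawBody, string $contentType, ?string &$error): ?array
{
    $error = null;
    // Compare only the media type; parameters such as "; charset=utf-8" are allowed.
    $mediaType = strtolower(trim(explode(';', $contentType, 2)[0]));
    if ($mediaType !== 'application/json') {
        $error = 'Content-Type must be application/json';
        return null;
    }
    if (strlen($rawBody) > MAX_JSON_BODY) {
        $error = 'Request body too large';
        return null;
    }
    try {
        $decoded = json_decode($rawBody, true, MAX_JSON_DEPTH, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        $error = 'Invalid JSON'; // do not echo $e->getMessage() to the client; log it instead
        return null;
    }
    // "123" and "\"x\"" are valid JSON but not objects; indexing them as an array would fail.
    if (!is_array($decoded)) {
        $error = 'JSON body must be an object';
        return null;
    }
    return $decoded;
}

// Constructed request bodies (no web server needed).
$cases = [
    ['{"name": "Alice"}', 'application/json; charset=utf-8'],
    ['"just a string"',   'application/json'],
    ['{"name": "Bob"}',   'text/plain'],
    ['{"name": ',         'application/json'],
];
foreach ($cases as [$body, $ctype]) {
    $data = parseJsonBody($body, $ctype, $err);
    echo str_pad($body, 20) . ' => '
        . ($data === null ? "error: $err" : 'name=' . ($data['name'] ?? '(missing)')) . "\n";
}
```

In a real handler the loop is replaced by a single call, followed by sendJson(400, ['error' => $err]) when the result is null; the same sendJson() then serves the 422 and 201 responses shown in the lesson, so no handler can forget the Content-Type header.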
Pro tip: Always use password_hash() and password_verify() for storing and verifying passwords — never store passwords in plain text or use MD5/SHA1. Call session_regenerate_id(true) after login to prevent session fixation attacks, and always sanitize output with htmlspecialchars() to prevent XSS.
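The tip names the two functions; this added example (not the lesson's code) shows the surrounding details that make them effective: hashing with PASSWORD_DEFAULT and an explicit cost, verifying against a dummy hash when the account does not exist so that lookups for unknown and known addresses take the same time, and upgrading a stored hash with password_needs_rehash() when the cost policy has been raised. The in-memory user store, the cost values and the function name are constructed for the example.

```php
<?php
// Added example (not from the original lesson): password storage and verification.
declare(strict_types=1);

const HASH_ALGO = PASSWORD_DEFAULT;  // bcrypt today; PHP may change the default in future releases
const HASH_OPTIONS = ['cost' => 12]; // current policy (assumption); raise over time as hardware improves

// Hash of a random value, used only so that a failed lookup still performs one password_verify().
$dummyHash = password_hash(bin2hex(random_bytes(16)), HASH_ALGO, HASH_OPTIONS);

// Constructed user store. Alice's hash was created under an older, cheaper cost policy.
$users = [
    'alice@example.com' => [
        'id' => 1,
        'name' => 'Alice',
        'password_hash' => password_hash('correct horse battery staple', HASH_ALGO, ['cost' => 10]),
    ],
];

/**
 * Return the public user record on success, null on failure.
 * Takes the store by reference so an upgraded hash can be written back.
 */
function authenticate(array &$users, string $email, string $password, string $dummyHash): ?array
{
    $user = $users[$email] ?? null;
    // Unknown account: verify against the dummy hash anyway, so timing does not
    // reveal which addresses are registered.
    $hash = $user['password_hash'] ?? $dummyHash;
    if (!password_verify($password, $hash) || $user === null) {
        return null;
    }
    // The plaintext is available only at login, so this is the moment to upgrade a weak hash.
    if (password_needs_rehash($hash, HASH_ALGO, HASH_OPTIONS)) {
        $users[$email]['password_hash'] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
    }
    return ['id' => $user['id'], 'name' => $user['name']];
}

$before = $users['alice@example.com']['password_hash'];
var_dump(authenticate($users, 'alice@example.com', 'correct horse battery staple', $dummyHash));
var_dump(authenticate($users, 'alice@example.com', 'wrong password', $dummyHash));
var_dump(authenticate($users, 'nobody@example.com', 'anything', $dummyHash));
var_dump($users['alice@example.com']['password_hash'] !== $before); // hash upgraded to the current cost
```

Note that the dummy-hash comparison only equalises the hashing step; the database lookup and any rate limiting should also behave the same for known and unknown accounts if enumeration is a concern.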
Key Takeaways
- Access form data with the $_GET and $_POST superglobals; always validate and sanitize input.
- Use filter_var() for validation and htmlspecialchars() for output sanitization to prevent XSS.
- Sessions ($_SESSION) store server-side user data; use session_regenerate_id() after authentication.
- Use password_hash() and password_verify() for secure password handling.
- Set proper HTTP status codes and Content-Type headers when building JSON APIs.