Form Basics & Security

Topics Covered in This PHP & MySQL Tutorial:

POST vs. GET Methods, Radio Buttons, Checkboxes, & Select Fields, Legacy Magic Quotes Handling, XSS Security Protection, Creating Reusable Functions

Exercise Overview

In this comprehensive exercise, you'll master the fundamentals of secure PHP form processing—skills that remain essential in 2026's web development landscape. You'll explore the critical differences between POST and GET methods, learn to handle complex form elements like radio buttons, checkboxes, and select fields, and most importantly, implement robust security measures to protect against XSS (cross-site scripting) attacks. These techniques form the backbone of secure web application development.

Setting up a Basic Form

Let's begin by establishing a solid foundation with a simple signup form that demonstrates core PHP form processing principles.

1. In your code editor, open form.php from the form-basic folder in the phpclass directory.

   This signup page serves as our testing ground for implementing professional PHP form handling techniques.

2. Locate the <form> tag around line 13:

   <form action="" method="get" name="signup" id="signup">

   Notice the empty action attribute and the method set to get. Understanding these two method options is crucial: GET exposes form data in the URL parameters, while POST transmits data in the request body, keeping it hidden from casual observation. We'll demonstrate both approaches to illustrate their distinct use cases.

3. Connect the form to its processing script by updating the action attribute. We've prepared form-action.php to handle the submitted data. Modify the <form> tag as follows:

   <form action="form-action.php" method="get" name="signup" id="signup">

4. Save the file to preserve your changes.

5. Now we'll implement the server-side processing logic. When forms are submitted using the GET method, PHP automatically populates the global $_GET superglobal array with the form data.

   To access specific form fields, use this syntax: $_GET['fieldname']. For example, $_GET['email'] retrieves the email field value.

   Similarly, POST submissions populate the $_POST array, accessed via $_POST['fieldname']. This distinction is fundamental to PHP form processing.

6. Open form-action.php from the form-basic folder to implement our processing logic.

7. Add debugging code to visualize the submitted data structure. Insert this PHP block immediately after the opening <body> tag:

   <?php 
   
      print_r($_GET);
   
   ?>

   The print_r() function provides a human-readable representation of arrays, invaluable for development and debugging.

8. Test your implementation by navigating to the form in your browser:

   • Mac: localhost:8888/phpclass/form-basic/form.php
   • Windows: localhost/phpclass/form-basic/form.php

   Remember: we're accessing form.php (the form itself), not the form-action.php processor.

9. Complete and submit the form with sample data to observe the GET method in action.

10. The action page will display the submitted data in array format, similar to:

    Array ( [name] => Jeremy Kay [email] => jeremy@jeremy.com [level] => expert [publications] => Elle [howoftentrack] => daily [comments] => This form is great! [submit] => Sign Me Up! )

11. Examine the URL carefully—you'll notice all form data is exposed in the query string:

    http://localhost:8888/phpclass/form-basic/form-action.php?name=Jeremy+Kay&email=jeremy%40jeremy.com&level=expert&publications=Daily+Racing+Form&publications=Elle&howoftentrack=daily&comments=This+form+is+great!&submit=Sign+Me+Up!

    When formatted for clarity, the URL structure becomes apparent:

    http://localhost:8888/phpclass/form-basic/form-action.php
    ?name=Jeremy+Kay
    &email=jeremy%40jeremy.com
    &level=expert
    &publications=Daily+Racing+Form
    &publications=Elle
    &howoftentrack=daily
    &comments=This+form+is+great%21
    &submit=Sign+Me+Up%21

    The URL structure follows a predictable pattern: the base URL followed by a ? separator, then field-value pairs connected with & characters. Special characters undergo URL encoding (spaces become + signs, special characters become percent-encoded values) to ensure valid URLs.

POST vs. GET: Choosing the Right Method

While GET has legitimate uses (search forms, navigation), it presents significant limitations for form processing. GET exposes data in URLs, creating security vulnerabilities and enabling easy manipulation. Additionally, URL length restrictions can truncate extensive form data. For these reasons, POST remains the professional standard for form submissions, especially those containing sensitive or substantial data.

1. Return to your code editor to implement the more secure POST method.

2. In form.php, update the form method to POST:

   <form action="form-action.php" method="post" name="signup" id="signup">

3. Save your changes.

4. Switch to form-action.php to update the processing logic.

5. Remove the print_r() debugging code and its surrounding PHP tags—we'll implement more sophisticated output handling.

6. Add professional form data display code. Update the Name and Email sections with individual field processing:

   <p><strong>Name:</strong> <?php echo $_POST['name']; ?></p>
   <p><strong>Email:</strong> <?php echo $_POST['email']; ?></p>

7. Test the POST implementation by navigating to your form:

   • Mac: localhost:8888/phpclass/form-basic/form.php
   • Windows: localhost/phpclass/form-basic/form.php

8. Submit the form and verify that the name and email display correctly. Notice how the URL remains clean—no sensitive data exposure.

Mastering Radio Buttons, Checkboxes, & Select Fields

Complex form elements require sophisticated handling techniques that separate professional developers from amateurs. Radio buttons and checkboxes present unique challenges: unselected elements don't submit at all, and multiple-selection elements need array processing. Let's implement robust solutions for these scenarios.

The key insight: PHP requires explicit array notation for multi-value inputs. Any form element accepting multiple values must append [] to its name attribute, signaling PHP to collect all values into an array rather than overwriting previous values.

1. Return to your code editor and open form.php.

2. Locate the "What do you read?" checkbox section around line 31. Update the name attributes to enable proper array handling:

   <label><input name="publications[]" type="checkbox" id="publications_drf" value="Daily Racing Form"> Daily Racing Form</label>
   <label><input name="publications[]" type="checkbox" id="publications_elle" value="Elle"> Elle</label>

   Critical note: modify only the name attributes, never the id attributes, which must remain unique for proper HTML validation and accessibility.

3. Save your changes and switch to form-action.php.

4. Implement defensive programming for radio button processing. Find the Level section around line 11 and add robust validation:

   <p><strong>Level:</strong> 
      <?php 
   
      ?>
   </p>

5. Add existence checking to prevent PHP errors when users skip radio selections:

   <p><strong>Level:</strong>
      <?php
         if ( isset($_POST['level']) ) {
   
         }
      ?>
   </p>

   The isset() function prevents the common mistake of assuming form elements always exist. Unselected radio buttons simply don't appear in the POST data.

6. Complete the radio button processing logic:

   <p><strong>Level:</strong> 
      <?php 
         if ( isset($_POST['level']) ) {
            echo $_POST['level']; 
         }
      ?>
   </p>

7. Implement sophisticated checkbox array processing. Locate the Publications section around line 18 and add the processing framework:

   <p><strong>Publications:</strong> 
      <?php 
   
      ?>
   </p>

8. Add defensive programming for checkbox arrays:

   <p><strong>Publications:</strong>
      <?php
         if ( isset($_POST['publications']) ) {
   
         }
      ?>
   </p>

9. Implement professional array-to-string conversion using PHP's powerful implode() function:

   <p><strong>Publications:</strong>
      <?php
         if ( isset($_POST['publications']) ) {
            echo implode(', ', $_POST['publications']);
         }
      ?>
   </p>

   The implode() function elegantly transforms arrays into formatted strings. The first parameter defines the delimiter (here, comma-space), while the second specifies the array to process. This technique proves invaluable for creating readable output from multi-value form elements.

10. Complete the form processing by handling the remaining simple fields. Add the tracking frequency output:

    <p><strong>How often track:</strong> <?php echo $_POST['howoftentrack']; ?></p>

11. Handle the comments field with enhanced formatting. Create a separate paragraph for better visual presentation:

    <p><strong>Comments:</strong></p>
    <p><?php echo $_POST['comments']; ?></p>

12. Test your comprehensive form processing:

    • Mac: localhost:8888/phpclass/form-basic/form.php
    • Windows: localhost/phpclass/form-basic/form.php

13. Submit a complete form and verify all elements display correctly.

14. Test the comments field with multi-line input. Enter content like this in the comments field:

    This is a great form!
    And the comments field is spectacular.

15. Submit the form and observe that line breaks disappear in the output—a common issue requiring specific handling.

16. Return to your code editor to implement line break preservation.

17. Apply PHP's nl2br() function to convert newlines to HTML break tags:

    <p><strong>Comments:</strong></p>
    <p><?php echo nl2br($_POST['comments']); ?></p>

    The nl2br() function preserves user formatting by converting newline characters to <br> tags, essential for maintaining readability in multi-line text.

18. Test the enhanced comments processing:

    • Mac: localhost:8888/phpclass/form-basic/form.php
    • Windows: localhost/phpclass/form-basic/form.php

19. Verify that line breaks now display correctly in the comments output.

Understanding Legacy Magic Quotes

Magic Quotes represent a deprecated PHP security feature from earlier web development eras (removed entirely in PHP 5.4, 2012). This legacy system automatically escaped quotes in user input—a primitive attempt to prevent SQL injection attacks. However, Magic Quotes proved inadequate for real security and created formatting issues with escaped characters appearing in output. While modern PHP installations (and certainly by 2026) have eliminated this feature, understanding its behavior helps when maintaining legacy systems or working with older hosting environments.

Identifying Magic Quotes Behavior

1. Test for Magic Quotes behavior by navigating to your form:

   • Mac: localhost:8888/phpclass/form-basic/form.php
   • Windows: localhost/phpclass/form-basic/form.php

2. Enter a name containing an apostrophe: Peter O'Toole.

3. Submit the form and examine the output.

4. If Magic Quotes were active, you'd see: Peter O\'Toole with an unwanted backslash.

   If no backslash appears, you're running modern PHP where Magic Quotes have been properly removed. You can skip the next diagnostic section and proceed directly to Securing the Page.

Diagnosing PHP Configuration (Legacy Systems Only)

1. Open test-magic-quotes.php from the phpclass folder to examine your PHP configuration.

2. Examine the diagnostic code:

   <?php phpinfo(); ?>

   The phpinfo() function generates comprehensive system information about your PHP installation—invaluable for debugging configuration issues on both development and production servers.

3. View the PHP configuration in your browser:

   • Mac: localhost:8888/phpclass/test-magic-quotes.php
   • Windows: localhost/phpclass/test-magic-quotes.php

4. Search for magic_quotes_gpc using Cmd–F (Mac) or Ctrl–F (Windows).

   If this setting doesn't appear, you're running modern PHP where Magic Quotes have been completely removed—the preferred situation for 2026 development.

5. For systems still showing Magic Quotes, the value should read "Off". Modern development environments like XAMPP disable this by default.

6. If using older MAMP versions with Magic Quotes enabled, access MAMP Pro settings.

7. Navigate to the PHP tab and select an appropriate PHP version (5.6.X or newer recommended).

8. Access File > Edit Template > PHP > PHP 5.6.X php.ini.

9. Acknowledge any warnings and locate the Magic Quotes setting around line 381.

10. Explicitly disable Magic Quotes:

    magic_quotes_gpc = Off

11. Save the configuration file and restart the server using the Stop/Start buttons in MAMP Pro.

12. Verify the change by reloading the phpinfo() page and confirming Magic Quotes shows as "Off".

Securing the Page: Essential XSS Protection

Here's the critical security principle every professional developer must understand: never trust user input. Our current implementation contains a dangerous vulnerability—any user could inject malicious HTML or JavaScript that executes in other users' browsers. This represents a classic Cross-Site Scripting (XSS) attack vector that has compromised countless web applications.

Let's demonstrate this vulnerability, then implement professional-grade protection that remains current with 2026 security standards.

1. Observe the security vulnerability in action by navigating to your form:

   • Mac: localhost:8888/phpclass/form-basic/form.php
   • Windows: localhost/phpclass/form-basic/form.php

2. In the Name field, enter this HTML code:

   <i>Your Name</i>

3. Submit the form and observe that the text appears italicized in the output.

   This demonstrates successful HTML injection. While italics seem harmless, consider the implications: if HTML works, so does JavaScript. Malicious users could inject scripts to steal user sessions, redirect to phishing sites, or perform unauthorized actions. This vulnerability could compromise your entire application and user base.

   The professional solution involves input sanitization using PHP's htmlentities() function. This function converts potentially dangerous HTML characters into safe display entities. For example, <i> becomes <i>, which displays as literal text rather than executing as HTML.

4. Return to your code editor and open form-action.php.

5. Create a reusable sanitization function at the document's beginning, before the <!DOCTYPE HTML> declaration:

   <?php 
      function sanitizeInput() {
   
      }
   ?>

   Custom functions promote code reusability and maintainability—hallmarks of professional development.

6. Design the function to accept input, process it, and return sanitized output:

   function sanitizeInput($myInput) {
      //Processing logic here
      return $myInput;
   }

   This structure follows the input-process-output pattern fundamental to secure programming.

7. Implement the first sanitization step—whitespace trimming to remove accidental spaces:

   function sanitizeInput($myInput) {
      $myInput = trim($myInput);
      return $myInput;
   }

   The trim() function removes leading and trailing whitespace, preventing formatting issues and potential security edge cases.

8. Apply the sanitization function to critical form fields. Update the name field processing:

   <p><strong>Name:</strong> <?php echo sanitizeInput($_POST['name']); ?></p>