Reading Out Form Data

At the beginning, reading out form data was very easy: If the form field had the name attribute "whatever" or, in newer versions of HTML/XHTML, the id attribute "whatever", PHP created a variable $whatever in the global scope. This is very convenient but, from an architectural point of view, a bad idea, because any client can then create or overwrite a global variable simply by adding a request parameter the script did not expect. Therefore, this was disabled by default from PHP version 4.2 onward, using the following php.ini directive:

register_globals = Off

Since PHP 3, the following global arrays existed for form data:

  • $HTTP_GET_VARS All data provided using GET

  • $HTTP_POST_VARS All data provided using POST

  • $HTTP_REQUEST_VARS All data provided using GET or POST , or via cookies (use not recommended)

These arrays are ordinary global variables; therefore, if you use them within a function, you have to import them with the global keyword:

function processData() {
  global $HTTP_POST_VARS;  // without this line, $HTTP_POST_VARS would be an empty local variable
  // now you may access $HTTP_POST_VARS
}

However, these arrays can be deactivated (PHP 5 onward), as well, using this php.ini directive:

register_long_arrays = Off

Therefore, the following is the only recommended method to access form data today in PHP:

  • $_GET for GET data

  • $_POST for POST data

  • $_REQUEST for POST , GET , and cookies (not recommended)

The keys of these arrays are the names of the form fields. The $_* arrays are so-called superglobal arrays, that is, you do not have to use the global keyword to get them into scope; they are already available within functions.

When you have decided which superglobal array to use (depending on the form's method), accessing form data is easy: $_GET[<formfieldname>] or $_POST[<formfieldname>] retrieves the value of the form element. Table 4.1 shows which data is returned for which form field type.

Table 4.1. Form Field Types and Data Returned in $_GET / $_POST

Form Field Type          Data Returned
-----------------------  ------------------------------------------------------------------
Text field               Text in field
Password field           Text in field (clear text, not encrypted)
Multiline text field     Text in field
Hidden field             value attribute of field
Radio button             value attribute of selected radio button
Checkbox                 value attribute of check box if checked (or "on", if value not set)
Selection list           value attribute of selected list element (or caption of selected
                         list element, if value not set)
Multiple selection list  value attributes of selected list elements as an array (or captions
                         of selected list elements as an array, if value is not set)
Submit button            value attribute of Submit button, if this one was used to send the
                         form (important if there is more than one Submit button)
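The following script is an added example, not code from the book: it reads one field of each type listed in Table 4.1 out of $_POST. The field names (username, password, comment, token, plan, newsletter, country, interests, save, delete) and the sample submission are constructed for the example; when run from the command line, the script fills $_POST itself so it can be tried offline. It goes slightly beyond the table by showing the two checks a handler needs in practice: fields of unchecked checkboxes, unselected radio buttons and empty multiple selections are simply absent from the array (so isset() must be used), and values of radio buttons and selection lists must be compared against the options the form actually offered, because a client can submit any string regardless of the HTML.

```php
<?php
// Added example (not from the book): reading the field types of Table 4.1
// out of $_POST. When run on the command line, $_POST is filled with a
// constructed sample submission; a real handler receives it from the browser.
if (PHP_SAPI === 'cli') {
    $_POST = array(
        'username'   => 'alice',                    // text field
        'password'   => 'It\'s my life',            // password field (clear text)
        'comment'    => "line one\nline two",       // multiline text field
        'token'      => 'abc123',                   // hidden field
        'plan'       => 'pro',                      // radio button
        'newsletter' => 'on',                       // checkbox without a value attribute
        'country'    => 'DE',                       // selection list
        'interests'  => array('php', 'security'),   // <select multiple name="interests[]">
        'save'       => 'Save',                     // one of two submit buttons
    );
}

// Return a trimmed string for a scalar field, or $default if the field is
// missing (unchecked checkboxes and unselected radio buttons are absent).
function formString($key, $default = '') {
    if (!isset($_POST[$key]) || is_array($_POST[$key])) {
        return $default;
    }
    return trim((string) $_POST[$key]);
}

// Return an array for a multiple selection list; an empty array when nothing
// was selected (the key is then absent from $_POST altogether).
function formArray($key) {
    if (!isset($_POST[$key]) || !is_array($_POST[$key])) {
        return array();
    }
    return array_map('strval', $_POST[$key]);
}

$data = array(
    'username'   => formString('username'),
    'password'   => formString('password'),
    'comment'    => formString('comment'),
    'token'      => formString('token'),
    'plan'       => formString('plan', 'free'),        // default if no radio is selected
    'newsletter' => formString('newsletter') !== '',   // checkbox: present only if checked
    'country'    => formString('country'),
    'interests'  => formArray('interests'),
    // Only the submit button that was clicked appears in $_POST.
    'action'     => isset($_POST['save']) ? 'save' : (isset($_POST['delete']) ? 'delete' : 'none'),
);

// Compare radio/select values against the options the form offered; the
// browser's HTML does not constrain what a client may send.
$allowedPlans = array('free', 'pro');
if (!in_array($data['plan'], $allowedPlans, true)) {
    $data['plan'] = 'free';
}

// Echo with htmlspecialchars() so that user input is never emitted as HTML.
foreach ($data as $name => $value) {
    $shown = is_array($value) ? implode(', ', $value) : var_export($value, true);
    echo htmlspecialchars($name . ': ' . $shown, ENT_QUOTES, 'UTF-8'), "\n";
}
?>
```

Run it with `php readform.php` (any filename works) to see the sample submission processed; in a web server it is used as the action of a form whose fields carry the names above.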


TIP

Two remaining form field types, graphical Submit buttons and file uploads, are covered specifically later in this chapter.




Coping with "Magic Quotes"

if (get_magic_quotes_gpc()) {
  $_GET  = stripFormSlashes($_GET);
  $_POST = stripFormSlashes($_POST);
}


If the configuration setting magic_quotes is set to "On", all data coming in from external sources, including form data and cookies, gets special treatment. All quote characters, " and ', are escaped using the backslash character (\). Therefore, if the user enters It's my life into a text field, the value found in $_GET or $_POST is It\'s my life. This was originally implemented to avoid Structured Query Language (SQL) injection (see Chapter 8, "Using XML," for more details on that), but is, especially for experienced programmers, very annoying. The only thing that is even more annoying is to remove these quotes manually for every form field.

Stripping Slashes, If They Were Added by "Magic Quotes" (stripFormSlashes.inc.php)
<?php
  // Recursively remove the backslashes that "magic quotes" added;
  // nested arrays (e.g., multiple selection lists) are handled by recursion.
  function stripFormSlashes($arr) {
    if (!is_array($arr)) {
      return stripslashes($arr);
    } else {
      return array_map('stripFormSlashes', $arr);
    }
  }

  // Only strip when magic quotes are active; otherwise intentional
  // backslashes in the input would be destroyed.
  if (get_magic_quotes_gpc()) {
    $_GET  = stripFormSlashes($_GET);
    $_POST = stripFormSlashes($_POST);
  }
?>

The PHP function stripslashes() removes escape backslashes from strings. However, this function may only be called if "magic quotes" have been applied; otherwise, it destroys backslashes that were entered on purpose. You can determine whether "magic quotes" are active by calling the Boolean function get_magic_quotes_gpc(). If this returns true, all slashes can be removed. To make this as convenient as possible, you can put this in a universal function called stripFormSlashes(). Using array_map(), all elements of an array are unslashed.

This file can then be included into all files that are processing form data and takes care of all "magic quotes" automatically.
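The following is an added example, not the book's listing: it extends the idea above with a variant that also unescapes array keys (magic_quotes_gpc escaped those as well) and covers $_COOKIE and $_REQUEST. The function names stripFormSlashesDeep(), addFormSlashesDeep() and magicQuotesActive() and the sample submission are my own. Because get_magic_quotes_gpc() was deprecated in PHP 7.4 and removed in PHP 8 (magic quotes themselves were dropped in PHP 5.4), the check is wrapped in function_exists() so the file still loads on current PHP. The demonstration at the end uses addslashes() to reproduce what magic quotes did to incoming data: the guarded round trip restores the input exactly, whereas stripping data that was never escaped loses the backslashes in a Windows path, which is the hazard the text warns about. Unescaping only restores the original input; protecting a database query takes prepared statements or the driver's own escaping function, never magic quotes.

```php
<?php
// Added example (not the book's code): deep unescaping of the request
// arrays, including array keys, guarded so it is harmless on PHP versions
// without magic quotes.

function stripFormSlashesDeep($value) {
    if (!is_array($value)) {
        return stripslashes((string) $value);
    }
    $clean = array();
    foreach ($value as $key => $item) {
        // magic_quotes_gpc escaped string keys too, so unescape them as well
        $cleanKey = is_string($key) ? stripslashes($key) : $key;
        $clean[$cleanKey] = stripFormSlashesDeep($item);
    }
    return $clean;
}

// true only on a PHP build that still has magic quotes and has them enabled
function magicQuotesActive() {
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

if (magicQuotesActive()) {
    $_GET     = stripFormSlashesDeep($_GET);
    $_POST    = stripFormSlashesDeep($_POST);
    $_COOKIE  = stripFormSlashesDeep($_COOKIE);
    $_REQUEST = stripFormSlashesDeep($_REQUEST);
}

// --- Offline demonstration with constructed input ------------------------

// Reproduce what magic quotes did: addslashes() on every value and string key.
function addFormSlashesDeep($value) {
    if (!is_array($value)) {
        return addslashes((string) $value);
    }
    $escaped = array();
    foreach ($value as $key => $item) {
        $escaped[is_string($key) ? addslashes($key) : $key] = addFormSlashesDeep($item);
    }
    return $escaped;
}

// Constructed sample submission (what the user actually typed).
$submitted = array(
    'title' => "It's my life",
    'path'  => 'C:\\temp\\file.txt',          // backslashes entered on purpose
    'tags'  => array("rock'n'roll", 'pop'),   // nested array, as from a multiple select
    "o'key" => 'value under a quoted key',    // a key that magic quotes would escape
);

// What the script would have seen with magic quotes on.
$withMagicQuotes = addFormSlashesDeep($submitted);
echo "escaped path:  ", $withMagicQuotes['path'], "\n";

// Guarded path: unescape only escaped data, and the original comes back intact.
$restored = stripFormSlashesDeep($withMagicQuotes);
echo "round trip ok: ", ($restored === $submitted ? 'yes' : 'no'), "\n";

// Unguarded path: stripping data that was never escaped removes the
// intentional backslashes from the Windows path.
$damaged = stripFormSlashesDeep($submitted);
echo "damaged path:  ", $damaged['path'], "\n";
?>
```

Dropped into place of stripFormSlashes.inc.php, the top part of the file behaves like the book's include on old PHP and does nothing on PHP 5.4 and later; the demonstration block below the separator is only there to show the two behaviours and would not be part of a real include.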