Handling HTML Forms

Given that PHP's primary role is handling web pages, you might wonder why this section has been left so late in the chapter. It is because handling HTML forms is so central to PHP that it is essentially automatic.

Consider this form:

<form method="POST" action="thispage.php"> User ID: <input type="text" name="UserID" /><br /> Password: <input type="password" name="Password" /><br /> <input type="submit" /> </form> 

When a visitor clicks Submit, thispage.php is called again and this time PHP has the variables available to it inside the $_REQUEST array. Given that script, if the user enters 12345 and frosties as her user ID and password, PHP provides you with $_REQUEST['UserID'] set to 12345 and $_REQUEST['Password'] set to frosties. Note that it is important that you use HTTP post unless you specifically want GET. POST enables you to send a great deal more data and stops people from tampering with your URL to try to find holes in your script.

Is that it? Well, almost. That tells you how to retrieve user data, but you should be sure to sanitize it so users do not try to sneak HTML or JavaScript into your database as something you think is innocuous. PHP gives you the strip_tags() function for this purpose. It takes a string and returns the same string with all HTML tags removed.