The genius of PHP is its seamless integration of form variables into your programs. It makes web programming smooth and simple, speeding the cycle from web form to PHP code to HTML output.
With that convenience, however, comes the responsibility to make sure that the user-provided information that flows so easily into your program contains appropriate content. External input can never be trusted, so it's imperative always to validate all incoming data. Recipes 9.2 through 9.9 show how to validate common kinds of information as well as providing general guidelines on arbitrary form validation you might need to do. Recipe 9.10 discusses escaping HTML entities to allow the safe display of user-entered data. Recipe 9.14 covers how to process files uploaded by a user.
HTTP is a "stateless" protocol: it has no built-in mechanism that helps you to save information from one page so you can access it in other pages. Recipes 9.11, 9.12, and 9.13 all show ways to work around the fundamental problem of figuring out which user is making which requests to your web server.
Whenever PHP processes a page, it checks for URL and form variables, uploaded files, applicable cookies, and web server and environment variables. These are then directly accessible in the following arrays: $_GET, $_POST, $_FILES, $_COOKIE, $_SERVER, and $_ENV. They hold, respectively, all variables set in the query string, in the body of a post request, by uploaded files, by cookies, by the web server, and by the environment in which the web server is running. There's also $_REQUEST, which is one giant array that contains the values from the other six arrays.
When placing elements inside of $_REQUEST, if two arrays both have a key with the same name, PHP breaks the tie by relying on the variables_order configuration directive. By default, variables_order is EGPCS (or GPCS, if you're using the php.ini-recommended configuration file). So PHP first adds environment variables to $_REQUEST and then adds query string, post, cookie, and web server variables to the array, in this order. For instance, since C comes after P in the default order, a cookie named username overwrites a posted variable named username. Note that the GPCS value from php.ini-recommended means that the $_ENV array doesn't get populated with environment variables.
While $_REQUEST can be convenient, it's usually a better idea to look in the more detailed array directly. That way, you know exactly what you're getting and don't have to be concerned that a change in variables_order affects the behavior of your program.
All of these arrays are auto-global. That means they are global inside of a function or class; they're always in scope.
Prior to PHP 4.1, these auto-global variables didn't exist. Instead, there were regular arrays named $HTTP_COOKIE_VARS, $HTTP_ENV_VARS, $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_POST_FILES, and $HTTP_SERVER_VARS. These arrays are still available for legacy reasons, but the newer arrays are easier to work with. These older arrays are populated only if the track_vars configuration directive is on, but as of PHP 4.0.3, this feature is always enabled.
Finally, if the register_globals configuration directive is on, all these variables are also available as variables in the global namespace. So $_GET['password'] is also just $password. While convenient, this introduces major security problems because malicious users can easily set variables from the outside and overwrite trusted internal variables. Starting with PHP 4.2, register_globals defaults to off.
Example 9-1 is a basic form. The form asks the user to enter his first name. When the form is submitted, the information is sent to hello.php.
Example 9-1. Basic HTML form
The name of the text input element inside the form is first_name. Also, the method of the form is post. This means that when the form is submitted, $_POST['first_name'] will hold whatever string the user typed in. (It could also be empty, of course, if he didn't type anything.)
Example 9-2 shows the contents of hello.php, which will display information from the form.
Example 9-2. Basic PHP form processing
If you type Twinkle into the form in Example 9-1, Example 9-2 prints:
Example 9-2 is so basic that it omits two important steps that should be in all PHP form-processing applications: data validation (to make sure what's typed into the form is acceptable to your program), and output escaping (to make sure that malicious users can't use your web site to attack others). Recipes 9.2 through 9.9 discuss data validation and Recipe 9.10 discusses output escaping.
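The two missing steps, applied to the hello.php idea from Example 9-2, as an added example that is not the book's own code: it reads $_POST directly instead of $_REQUEST, validates first_name before using it, and escapes it on output. It assumes PHP 7 or later; the function names and the validation rule are this example's own choices.

```php
<?php
// Added example, not code from the book: a hardened form of the hello.php
// idea from Example 9-2. It reads $_POST directly instead of $_REQUEST,
// validates the value before using it, and escapes it on output. The
// function names and the validation rule are this example's own assumptions.
declare(strict_types=1);

// Return the cleaned first name from the posted data, or null if it is
// missing, not a plain string, or fails the (assumed) format rule.
function validate_first_name(array $post): ?string
{
    // A field named first_name[] arrives as an array, so check the type too.
    if (!isset($post['first_name']) || !is_string($post['first_name'])) {
        return null;
    }
    $name = trim($post['first_name']);
    // Assumed rule: 1 to 50 code points of letters, combining marks,
    // spaces, apostrophes or hyphens. The /u flag makes it UTF-8 aware.
    if (!preg_match('/^[\p{L}\p{M} \'\-]{1,50}$/u', $name)) {
        return null;
    }
    return $name;
}

// Escape a string for use in HTML text or a double-quoted attribute value.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Read from $_POST, not $_REQUEST: with the default variables_order a cookie
// named first_name would otherwise override what was typed into the form.
$first_name = ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST'
    ? validate_first_name($_POST)
    : null;

header('Content-Type: text/html; charset=UTF-8');

if ($first_name === null) {
    // Describe the rule rather than echoing the rejected input back.
    echo '<p>Please enter a first name: letters, spaces, apostrophes or ',
         'hyphens, at most 50 characters.</p>';
} else {
    // Validation already rejects angle brackets and quotes; escaping on
    // output is the second line of defense if the rule is loosened later.
    echo '<p>Hello, ', h($first_name), '!</p>';
}
```

Submitting the form from Example 9-1 to this script prints the greeting for an acceptable name and the rule description for anything else, without ever reflecting raw input.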