Receiving form Variables Module 2B Receiving form Variables

Register_Globals? Since PHP 4.2.1, the default PHP configuration requires a different mechanism to receive input for security reasons (than the one just shown) PHP configuration option to turn REGISTER_GLOBALS OFF (new default) or ON in the php.ini configuration file. If your site has REGISTER_GLOBALS OFF you must use a different mechanism to receive HTML Form Variables.

How can you tell if Register_Globals is OFF? Enter the following PHP script and run it. <?PHP phpinfo(); ?> Use m06/6-8checkPHPini.php Search through the output for REGISTER_GLOBALS and see if it is set to OFF or ON. If it is off you may use the following ways to receive input data.

Effects of register_globals register_globals boolean Tells whether or not to register the EGPCS (Environment, GET, POST, Cookie, Server) variables as global variables. For example; if register_globals = on, the url http://www.example.com/test.php?id=3 will produce $id. Or, $DOCUMENT_ROOT from $_SERVER['DOCUMENT_ROOT']. User data may clutter your PHP globals and even become a security risk

Why REGISTER_GLOBALS OFF? Security <?php // define $authorized = true only if user is authenticated if (authenticated_user()) { $authorized = true; } /* Because we didn't first initialize $authorized as false, this might be defined through register_globals, like from GET auth.php?authorized=1 So, anyone can be seen as authenticated! */ if ($authorized) { include "/highly/sensitive/data.php"; } ?>

How do we get user variables? As of PHP 4.2.0, this directive defaults to off It's preferred to go through PHP Predefined Variables instead, such as the superglobals: $_ENV, $_GET, $_POST, $_COOKIE, and $_SERVER. Read the security chapter on Using register_globals for related information http://us3.php.net/import_request_variables http://us3.php.net/manual/en/language.variables.external.php

Getting input data with Register_Globals OFF? Method 1 To receive data with REGISTER_GLOBALS OFF you use a special variable called $_POST $name $_POST[‘name’]; Enclose in square bracket and quotes (see next slide) Name of HTML form variable (no $) PHP SuperGlobal. Technically it is an associative array PHP variable name that you want to receive the HTML form input.

Note on quotes around name Update on 11/12/2003 You may use single or double quotes around the name of html form variable. The following are both acceptable: $name = $_POST[‘name’]; $name = $_POST[“name”];

When REGISTER_GLOBALS is OFF Suppose your HTML form uses the following: Enter email address: <input type="text" size="16" maxlength="20" name="email"> Then can receive input as follows: 1. <html> 2. <head><title> Receiving Input </title> </head> 3. <body> 4. <?php $email = $_POST[‘email’]; // Note Single Quote 5. $contact = $_POST[‘contact’]; ?> 6. <h2>Thank You: Got Your Input.</h2> 7. <?php 8. print ("<br>Your email address is $email"); 9. print ("<br> Contact preference is $contact"); 10. ?>

A Full Example ... The previous code can be executed at http://localhost/m06/6-0form_global_off.htm and http://localhost/6-0form_global_off.php

Method 2: Recommended by php to handle GET/POST/Cookie variables into the global scope Use the function bool import_request_variables ( string types [, string prefix]) types parameter specifies which request variables to import 'G', 'P' and 'C' characters respectively for GET, POST and Cookie Order matters. If types ==“gp”, POST variables overwrite GET variables

Method 2: import_request_variables bool import_request_variables ( string types [, string prefix]) prefix parameter is used as a variable name prefix, prepended before all variable's name imported into the global scope So if you have a GET value named "userid", and provide a prefix "pref_", then you'll get a global variable named $pref_userid. Reference: http://us3.php.net/import_request_variables

<html> <head><title> Receiving Input </title> </head> <body> <font size=5>Thank You: Got Your Input.</font> <?php /* The following is recommended by php to handle GET/POST/Cookie variables into the global scope. Reference: http://us3.php.net/import_request_variables */ import_request_variables("gp", "form27_"); print ("<br>Your email address is $form27_email"); print ("<br> Contact preference is $form27_contact"); ?> </body> </html>

Full Example The previous code can be executed at http://localhost/m06/6-0form_2nd_global.htm and http://localhost/m06/6-0form_2nd_global.php

Third way If html form uses post Use in form.php Example: <form method = "post" action = "form.php"> Use in form.php extract( $_POST ); Example: Fig_23_12_13 of textbook

Summary PHP supports both numeric and string variables. String variables use different methods for value manipulation (for example, concatenation) than numeric variables do

Summary Use HTML forms to pass data to PHP scripts HTML form elements include text boxes, text areas, password boxes, check boxes, radio buttons, and selection lists. PHP scripts can receive form element input values by using a PHP variable name that matches the one specified in the form element’s name argument. If RESITER_GLOBALS is off in your installation you must get input data using $_POST[“var_name”];