
Working with Forms & HTTP

⏱ 20 min read

PHP Superglobals:

PHP provides built-in arrays called superglobals that are available
everywhere.

$_GET - URL query string parameters: ?name=Alice&age=25

$_POST - Form data sent via POST method

$_REQUEST - Combined GET + POST + COOKIE

$_SERVER - Server info: REQUEST_METHOD, HTTP_HOST, REMOTE_ADDR

$_SESSION - Session data (persists across pages)

$_COOKIE - Browser cookies

$_FILES - Uploaded file info

$_ENV - Environment variables

Handling Form Data:

```php
// From URL: ?name=Alice&score=95
$name = $_GET['name'] ?? '';
$score = $_GET['score'] ?? 0;

// From POST form
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $name = $_POST['name'] ?? '';
    $email = $_POST['email'] ?? '';
}
```

NEVER trust user input! Always validate AND sanitize.

VALIDATION: Is the data in the expected format/range?

SANITIZATION: Remove or escape dangerous characters.

Use htmlspecialchars() before displaying ANY user input.

Use filter_var() for validation (email, URL, int, etc.).

Never put raw $_GET/$_POST directly in SQL queries; use prepared statements!
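
The prepared-statement rule above, as an added example that is not part of the original lesson. It assumes the pdo_sqlite extension is enabled; the in-memory `scores` table, the request values, and the helper names findUnsafe() and findSafe() are constructed for illustration.

```php
<?php
// Added example, not from the original lesson. Assumes pdo_sqlite is enabled.
// Table, rows and request values below are constructed for illustration.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE scores (name TEXT, score INTEGER)');
$pdo->exec("INSERT INTO scores VALUES ('Alice', 95), ('Bob', 70)");

// UNSAFE, shown for contrast: the input becomes part of the SQL text.
function findUnsafe(PDO $pdo, array $get): array {
    $name = $get['name'] ?? '';
    return $pdo->query("SELECT name, score FROM scores WHERE name = '$name'")
               ->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: validate first, then bind values to a fixed SQL string.
function findSafe(PDO $pdo, array $get): array {
    $name = trim($get['name'] ?? '');
    $min  = filter_var($get['min'] ?? '0', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 100]]);
    if ($name === '' || strlen($name) > 50 || $min === false) {
        return []; // reject invalid input before touching the database
    }
    $stmt = $pdo->prepare(
        'SELECT name, score FROM scores WHERE name = :name AND score >= :min'
    );
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':min', $min, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Stand-ins for $_GET: one ordinary request, one containing a quote.
$requests = [
    ['name' => 'Alice', 'min' => '50'],
    ['name' => "x' OR '1'='1", 'min' => '50'],
];
foreach ($requests as $get) {
    printf("%-16s unsafe=%d row(s), prepared=%d row(s)\n", $get['name'],
        count(findUnsafe($pdo, $get)), count(findSafe($pdo, $get)));
    foreach (findSafe($pdo, $get) as $row) {
        // Database values are still untrusted when written into HTML.
        echo '<li>' . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8')
           . ': ' . (int) $row['score'] . "</li>\n";
    }
}
```

With the second request, the concatenated query's WHERE clause is rewritten by the quote in the input and matches every row, while the prepared statement compares the whole string as a name and matches none.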

Validation & Sanitization:

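```php
// $email, $score, $name and $userInput hold raw request values

// Validate email: returns the email string, or false if invalid
$validEmail = filter_var($email, FILTER_VALIDATE_EMAIL);

// Validate integer within a range: returns the int, or false
$validScore = filter_var($score, FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 0, 'max_range' => 100],
]);

// Sanitize: HTML-encodes ' " < > & and control characters (it does not remove them)
$cleanName = filter_var($name, FILTER_SANITIZE_SPECIAL_CHARS);

// Escape for HTML output (ALWAYS do this)
echo htmlspecialchars($userInput, ENT_QUOTES, 'UTF-8');
```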

Sessions:

```php
session_start(); // must be the FIRST thing on the page, before any output is sent

$_SESSION['user'] = 'Alice'; // store
$name = $_SESSION['user']; // retrieve

session_destroy(); // logout - clears all session data
```

Code Example

```php
<?php
// A complete, safe form handler

// Start the session before any output is sent
session_start();

// Helper: safe HTML output
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

$errors = [];
$success = false;

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Get inputs and trim surrounding whitespace
    $name  = trim($_POST['name'] ?? '');
    $email = trim($_POST['email'] ?? '');
    $age   = trim($_POST['age'] ?? '');

    // Validate name (strlen() counts bytes, not characters)
    if (empty($name)) {
        $errors[] = 'Name is required.';
    } elseif (strlen($name) < 2 || strlen($name) > 50) {
        $errors[] = 'Name must be 2-50 characters.';
    }

    // Validate email
    if (empty($email)) {
        $errors[] = 'Email is required.';
    } elseif (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        $errors[] = 'Invalid email format.';
    }

    // Validate age (strict === false check, because 0 is a valid age)
    $ageInt = filter_var($age, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => 120]
    ]);
    if ($ageInt === false) {
        $errors[] = 'Age must be a number between 0 and 120.';
    }

    if (empty($errors)) {
        $success = true;
        echo "<p>Welcome, " . h($name) . "!</p>\n";
        echo "<p>Email: " . h($email) . "</p>\n";
        echo "<p>Age: $ageInt</p>\n"; // validated integer, safe to print
    }
}

// Output errors safely
if (!empty($errors)) {
    foreach ($errors as $err) {
        echo "<p style='color:red'>" . h($err) . "</p>\n";
    }
}

// Session example: read the previous visit before overwriting it
$lastVisit = $_SESSION['last_visit'] ?? 'First time';
$_SESSION['last_visit'] = date('Y-m-d H:i:s');
echo "Last visit: " . h($lastVisit) . "\n";
?>
```