PHP 5 if…else…elseif Statements

Conditional statements are used to perform different actions based on different conditions.

PHP Conditional Statements
Very often when you write code, you want to perform different actions for different conditions. You can use conditional statements in your code to do this.

In PHP we have the following conditional statements:

if statement – executes some code if one condition is true
if…else statement – executes some code if a condition is true and another code if that condition is false
if…elseif…else statement – executes different code for more than two conditions
switch statement – selects one of many blocks of code to be executed
PHP – The if Statement
The if statement executes some code if one condition is true.

Syntax
if (condition) {
    code to be executed if condition is true;
}
The example below will output “Have a good day!” if the current time (HOUR) is less than 20:

Example
<?php
$t = date("H");

if ($t < "20") {
    echo "Have a good day!";
}
?>
PHP – The if…else Statement
The if…else statement executes some code if a condition is true and another code if that condition is false.

Syntax
if (condition) {
    code to be executed if condition is true;
} else {
    code to be executed if condition is false;
}
The example below will output “Have a good day!” if the current time is less than 20, and “Have a good night!” otherwise:

Example
<?php
$t = date("H");

if ($t < "20") {
    echo "Have a good day!";
} else {
    echo "Have a good night!";
}
?>
PHP – The if…elseif….else Statement
The if…elseif…else statement executes different code for more than two conditions.

Syntax
if (condition) {
    code to be executed if this condition is true;
} elseif (condition) {
    code to be executed if this condition is true;
} else {
    code to be executed if all conditions are false;
}
The example below will output “Have a good morning!” if the current time is less than 10, and “Have a good day!” if the current time is less than 20. Otherwise it will output “Have a good night!”:

Example
<?php
$t = date("H");

if ($t < "10") {
    echo "Have a good morning!";
} elseif ($t < "20") {
    echo "Have a good day!";
} else {
    echo "Have a good night!";
}
?>
PHP – The switch Statement
The switch statement will be explained in the next chapter.

PHP 5 switch Statement

The switch statement is used to perform different actions based on different conditions.

The PHP switch Statement
Use the switch statement to select one of many blocks of code to be executed.

Syntax
switch (n) {
    case label1:
        code to be executed if n=label1;
        break;
    case label2:
        code to be executed if n=label2;
        break;
    case label3:
        code to be executed if n=label3;
        break;
    …
    default:
        code to be executed if n is different from all labels;
}
This is how it works: First we have a single expression n (most often a variable), that is evaluated once. The value of the expression is then compared with the values for each case in the structure. If there is a match, the block of code associated with that case is executed. Use break to prevent the code from running into the next case automatically. The default statement is used if no match is found.

Example
<?php
$favcolor = "red";

switch ($favcolor) {
    case "red":
        echo "Your favorite color is red!";
        break;
    case "blue":
        echo "Your favorite color is blue!";
        break;
    case "green":
        echo "Your favorite color is green!";
        break;
    default:
        echo "Your favorite color is neither red, blue, nor green!";
}
?>
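
The example above always hits a break. The following added example (not part of the original tutorial; the functions describeRole(), levelMessage() and strictColor() and their sample values are this example's own) shows what happens when break is left out, on purpose and by accident, and why switch should not be trusted to check the type of the value it compares:

```php
<?php
// Added example (not from the original tutorial): fall-through and the
// loose comparison that switch performs. All names here are constructed.

// 1. Deliberate fall-through: two case labels without a break share one block.
function describeRole($role) {
    switch ($role) {
        case "admin":
        case "editor":          // no statements, so execution continues below
            return "$role may edit content";
        case "viewer":
            return "$role may only read";
        default:
            return "unknown role '$role'";
    }
}

// 2. Accidental fall-through: a missing break after case 1 also runs case 2,
//    so level 1 gets both words. This is a common source of logic bugs.
function levelMessage($level) {
    $msg = "";
    switch ($level) {
        case 1:
            $msg .= "low ";
            // break missing here: execution falls into the next case
        case 2:
            $msg .= "medium ";
            break;
        case 3:
            $msg .= "high ";
            break;
    }
    return trim($msg);
}

// 3. switch compares with == (loose comparison). In PHP 5 and 7 the
//    comparison "red" == 0 is true, so an integer 0 would match a
//    case "red": label; PHP 8 changed that rule. When the type matters
//    (for example a value that came in from a request), compare with ===
//    in an if-chain instead of relying on switch.
function strictColor($value) {
    if ($value === "red")  return "red";
    if ($value === "blue") return "blue";
    return "unknown";
}

echo describeRole("editor") . "<br>";
echo levelMessage(1) . "<br>";
echo levelMessage(2) . "<br>";
echo strictColor(0) . "<br>";
?>
```

levelMessage(1) returns "low medium" because of the missing break, while levelMessage(2) returns only "medium"; strictColor(0) returns "unknown" because === does not convert the integer to a string.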

PHP 5 for Loops

PHP for loops execute a block of code a specified number of times.

The PHP for Loop
The for loop is used when you know in advance how many times the script should run.

Syntax
for (init counter; test counter; increment counter) {
    code to be executed;
}
Parameters:

init counter: Initialize the loop counter value
test counter: Evaluated for each loop iteration. If it evaluates to TRUE, the loop continues. If it evaluates to FALSE, the loop ends.
increment counter: Increases the loop counter value
The example below displays the numbers from 0 to 10:

Example
<?php
for ($x = 0; $x <= 10; $x++) {
    echo "The number is: $x <br>";
}
?>
The PHP foreach Loop
The foreach loop works only on arrays, and is used to loop through each key/value pair in an array.

Syntax
foreach ($array as $value) {
    code to be executed;
}
For every loop iteration, the value of the current array element is assigned to $value and the array pointer is moved by one, until it reaches the last array element.

The following example demonstrates a loop that will output the values of the given array ($colors):

Example
<?php
$colors = array("red", "green", "blue", "yellow");

foreach ($colors as $value) {
    echo "$value <br>";
}
?>
You will learn more about arrays in a later chapter.

PHP 5 while Loops

PHP while loops execute a block of code while the specified condition is true.

PHP Loops
Often when you write code, you want the same block of code to run over and over again in a row. Instead of adding several almost identical lines of code to a script, we can use loops to perform a task like this.

In PHP, we have the following looping statements:

while – loops through a block of code as long as the specified condition is true
do…while – loops through a block of code once, and then repeats the loop as long as the specified condition is true
for – loops through a block of code a specified number of times
foreach – loops through a block of code for each element in an array
The PHP while Loop
The while loop executes a block of code as long as the specified condition is true.

Syntax
while (condition is true) {
    code to be executed;
}
The example below first sets a variable $x to 1 ($x = 1). Then, the while loop will continue to run as long as $x is less than, or equal to 5 ($x <= 5). $x will increase by 1 each time the loop runs ($x++):

Example
<?php
$x = 1;

while($x <= 5) {
    echo "The number is: $x <br>";
    $x++;
}
?>
The PHP do…while Loop
The do…while loop will always execute the block of code once, it will then check the condition, and repeat the loop while the specified condition is true.

Syntax
do {
    code to be executed;
} while (condition is true);
The example below first sets a variable $x to 1 ($x = 1). Then, the do while loop will write some output, and then increment the variable $x with 1. Then the condition is checked (is $x less than, or equal to 5?), and the loop will continue to run as long as $x is less than, or equal to 5:

Example
<?php
$x = 1;

do {
    echo "The number is: $x <br>";
    $x++;
} while ($x <= 5);
?>
Notice that in a do while loop the condition is tested AFTER executing the statements within the loop. This means that the do while loop would execute its statements at least once, even if the condition is false the first time.

The example below sets the $x variable to 6, then it runs the loop, and then the condition is checked:

Example
<?php
$x = 6;

do {
    echo "The number is: $x <br>";
    $x++;
} while ($x <= 5);
?>
The for loop and the foreach loop will be explained in the next chapter.

PHP 5 Functions

The real power of PHP comes from its functions; it has more than 1000 built-in functions.

PHP User Defined Functions
Besides the built-in PHP functions, we can create our own functions.

A function is a block of statements that can be used repeatedly in a program.

A function will not execute immediately when a page loads.

A function will be executed by a call to the function.

Create a User Defined Function in PHP
A user defined function declaration starts with the word “function”:

Syntax
function functionName() {
    code to be executed;
}
Note: A function name can start with a letter or underscore (not a number).

Tip: Give the function a name that reflects what the function does!

Function names are NOT case-sensitive.

In the example below, we create a function named “writeMsg()”. The opening curly brace ( { ) indicates the beginning of the function code and the closing curly brace ( } ) indicates the end of the function. The function outputs “Hello world!”. To call the function, just write its name:

Example
<?php
function writeMsg() {
    echo "Hello world!";
}

writeMsg(); // call the function
?>
PHP Function Arguments
Information can be passed to functions through arguments. An argument is just like a variable.

Arguments are specified after the function name, inside the parentheses. You can add as many arguments as you want, just separate them with a comma.

The following example has a function with one argument ($fname). When the familyName() function is called, we also pass along a name (e.g. Jani), and the name is used inside the function, which outputs several different first names, but an equal last name:

Example
<?php
function familyName($fname) {
    echo "$fname Refsnes.<br>";
}

familyName("Jani");
familyName("Hege");
familyName("Stale");
familyName("Kai Jim");
familyName("Borge");
?>
The following example has a function with two arguments ($fname and $year):

Example
<?php
function familyName($fname, $year) {
    echo "$fname Refsnes. Born in $year <br>";
}

familyName("Hege", "1975");
familyName("Stale", "1978");
familyName("Kai Jim", "1983");
?>
PHP Default Argument Value
The following example shows how to use a default parameter. If we call the function setHeight() without arguments it takes the default value as argument:

Example
<?php
function setHeight($minheight = 50) {
    echo "The height is : $minheight <br>";
}

setHeight(350);
setHeight(); // will use the default value of 50
setHeight(135);
setHeight(80);
?>
PHP Functions – Returning values
To let a function return a value, use the return statement:

Example
<?php
function sum($x, $y) {
    $z = $x + $y;
    return $z;
}

echo "5 + 10 = " . sum(5, 10) . "<br>";
echo "7 + 13 = " . sum(7, 13) . "<br>";
echo "2 + 4 = " . sum(2, 4);
?>

PHP 5 Sorting Arrays

The elements in an array can be sorted in alphabetical or numerical order, descending or ascending.

PHP – Sort Functions For Arrays
In this chapter, we will go through the following PHP array sort functions:

sort() – sort arrays in ascending order
rsort() – sort arrays in descending order
asort() – sort associative arrays in ascending order, according to the value
ksort() – sort associative arrays in ascending order, according to the key
arsort() – sort associative arrays in descending order, according to the value
krsort() – sort associative arrays in descending order, according to the key
Sort Array in Ascending Order – sort()
The following example sorts the elements of the $cars array in ascending alphabetical order:

Example
<?php
$cars = array("Volvo", "BMW", "Toyota");
sort($cars);
?>
The following example sorts the elements of the $numbers array in ascending numerical order:

Example
<?php
$numbers = array(4, 6, 2, 22, 11);
sort($numbers);
?>
Sort Array in Descending Order – rsort()
The following example sorts the elements of the $cars array in descending alphabetical order:

Example
<?php
$cars = array("Volvo", "BMW", "Toyota");
rsort($cars);
?>
The following example sorts the elements of the $numbers array in descending numerical order:

Example
<?php
$numbers = array(4, 6, 2, 22, 11);
rsort($numbers);
?>
Sort Array (Ascending Order), According to Value – asort()
The following example sorts an associative array in ascending order, according to the value:

Example
<?php
$age = array("Peter"=>"35", "Ben"=>"37", "Joe"=>"43");
asort($age);
?>
Sort Array (Ascending Order), According to Key – ksort()
The following example sorts an associative array in ascending order, according to the key:

Example
<?php
$age = array("Peter"=>"35", "Ben"=>"37", "Joe"=>"43");
ksort($age);
?>
Sort Array (Descending Order), According to Value – arsort()
The following example sorts an associative array in descending order, according to the value:

Example
<?php
$age = array("Peter"=>"35", "Ben"=>"37", "Joe"=>"43");
arsort($age);
?>
Sort Array (Descending Order), According to Key – krsort()
The following example sorts an associative array in descending order, according to the key:

Example
<?php
$age = array("Peter"=>"35", "Ben"=>"37", "Joe"=>"43");
krsort($age);
?>
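
The examples above sort but never show the result, so one thing stays hidden: sort() and rsort() throw the keys of an associative array away, while asort() and ksort() keep them. The following added example (not from the original tutorial; $age, $codes and $results are constructed sample values) makes that visible with print_r() and also shows how the sort flag changes the order of numeric strings:

```php
<?php
// Added example (not from the original tutorial): what each sort function
// does to keys, and how the sort flag changes the order of numeric strings.
// $age and $codes are constructed sample arrays.

$age = array("Peter" => "35", "Ben" => "37", "Joe" => "43");

// sort() orders by value and then reindexes from 0: the names are gone.
// Each call works on a copy so the original array stays intact.
$valuesOnly = $age;
sort($valuesOnly);

// asort() orders by value but keeps each name attached to its age.
$byAge = $age;
asort($byAge);

// ksort() orders by the names themselves.
$byName = $age;
ksort($byName);

// Numeric strings: the default flag (SORT_REGULAR) compares them as
// numbers; SORT_STRING compares them character by character instead.
$codes = array("10", "9", "100");
$asNumbers = $codes;
sort($asNumbers);
$asText = $codes;
sort($asText, SORT_STRING);

$results = array(
    'sort()'              => $valuesOnly,
    'asort()'             => $byAge,
    'ksort()'             => $byName,
    'sort() SORT_REGULAR' => $asNumbers,
    'sort() SORT_STRING'  => $asText,
);

foreach ($results as $label => $arr) {
    echo $label . ": ";
    print_r($arr);
    echo "<br>";
}
?>
```

After sort() the array holds 35, 37, 43 under the keys 0, 1, 2; after asort() it still holds Peter, Ben and Joe as keys in that order; ksort() gives Ben, Joe, Peter. The numeric sort of $codes gives 9, 10, 100, the SORT_STRING sort gives 10, 100, 9, which matters whenever the values being sorted are identifiers that merely look like numbers.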
Complete PHP Array Reference
For a complete reference of all array functions, go to our complete PHP Array Reference.

The reference contains a brief description, and examples of use, for each function!

PHP 5 Arrays

An array stores multiple values in one single variable:

Example
<?php
$cars = array("Volvo", "BMW", "Toyota");
echo "I like " . $cars[0] . ", " . $cars[1] . " and " . $cars[2] . ".";
?>
What is an Array?
An array is a special variable, which can hold more than one value at a time.

If you have a list of items (a list of car names, for example), storing the cars in single variables could look like this:

$cars1 = "Volvo";
$cars2 = "BMW";
$cars3 = "Toyota";
However, what if you want to loop through the cars and find a specific one? And what if you had not 3 cars, but 300?

The solution is to create an array!

An array can hold many values under a single name, and you can access the values by referring to an index number.

Create an Array in PHP
In PHP, the array() function is used to create an array:

array();
In PHP, there are three types of arrays:

Indexed arrays – Arrays with a numeric index
Associative arrays – Arrays with named keys
Multidimensional arrays – Arrays containing one or more arrays
PHP Indexed Arrays
There are two ways to create indexed arrays:

The index can be assigned automatically (index always starts at 0), like this:

$cars = array("Volvo", "BMW", "Toyota");
or the index can be assigned manually:

$cars[0] = "Volvo";
$cars[1] = "BMW";
$cars[2] = "Toyota";
The following example creates an indexed array named $cars, assigns three elements to it, and then prints a text containing the array values:

Example
<?php
$cars = array("Volvo", "BMW", "Toyota");
echo "I like " . $cars[0] . ", " . $cars[1] . " and " . $cars[2] . ".";
?>
Get The Length of an Array – The count() Function
The count() function is used to return the length (the number of elements) of an array:

Example
<?php
$cars = array("Volvo", "BMW", "Toyota");
echo count($cars);
?>
Loop Through an Indexed Array
To loop through and print all the values of an indexed array, you could use a for loop, like this:

Example
<?php
$cars = array("Volvo", "BMW", "Toyota");
$arrlength = count($cars);

for($x = 0; $x < $arrlength; $x++) {
    echo $cars[$x];
    echo "<br>";
}
?>
PHP Associative Arrays
Associative arrays are arrays that use named keys that you assign to them.

There are two ways to create an associative array:

$age = array("Peter"=>"35", "Ben"=>"37", "Joe"=>"43");
or:

$age['Peter'] = "35";
$age['Ben'] = "37";
$age['Joe'] = "43";
The named keys can then be used in a script:

Example
<?php
$age = array("Peter"=>"35", "Ben"=>"37", "Joe"=>"43");
echo "Peter is " . $age['Peter'] . " years old.";
?>
Loop Through an Associative Array
To loop through and print all the values of an associative array, you could use a foreach loop, like this:

Example
<?php
$age = array("Peter"=>"35", "Ben"=>"37", "Joe"=>"43");

foreach($age as $x => $x_value) {
    echo "Key=" . $x . ", Value=" . $x_value;
    echo "<br>";
}
?>
Multidimensional Arrays
Multidimensional arrays will be explained in the PHP advanced section.

Complete PHP Array Reference
For a complete reference of all array functions, go to our complete PHP Array Reference.

The reference contains a brief description, and examples of use, for each function!

PHP 5 Global Variables – Superglobals

Superglobals were introduced in PHP 4.1.0, and are built-in variables that are always available in all scopes.

PHP Global Variables – Superglobals
Several predefined variables in PHP are “superglobals”, which means that they are always accessible, regardless of scope – and you can access them from any function, class or file without having to do anything special.

The PHP superglobal variables are:

$GLOBALS
$_SERVER
$_REQUEST
$_POST
$_GET
$_FILES
$_ENV
$_COOKIE
$_SESSION
This chapter will explain some of the superglobals, and the rest will be explained in later chapters.

PHP $GLOBALS
$GLOBALS is a PHP super global variable which is used to access global variables from anywhere in the PHP script (also from within functions or methods).

PHP stores all global variables in an array called $GLOBALS[index]. The index holds the name of the variable.

The example below shows how to use the super global variable $GLOBALS:

Example
<?php
$x = 75;
$y = 25;

function addition() {
    $GLOBALS['z'] = $GLOBALS['x'] + $GLOBALS['y'];
}

addition();
echo $z;
?>
In the example above, since z is a variable present within the $GLOBALS array, it is also accessible from outside the function!

PHP $_SERVER
$_SERVER is a PHP super global variable which holds information about headers, paths, and script locations.

The example below shows how to use some of the elements in $_SERVER:

Example
<?php
echo $_SERVER['PHP_SELF'];
echo "<br>";
echo $_SERVER['SERVER_NAME'];
echo "<br>";
echo $_SERVER['HTTP_HOST'];
echo "<br>";
echo $_SERVER['HTTP_REFERER'];
echo "<br>";
echo $_SERVER['HTTP_USER_AGENT'];
echo "<br>";
echo $_SERVER['SCRIPT_NAME'];
?>
The following table lists the most important elements that can go inside $_SERVER:

Element  Description
$_SERVER['PHP_SELF']  Returns the filename of the currently executing script
$_SERVER['GATEWAY_INTERFACE']  Returns the version of the Common Gateway Interface (CGI) the server is using
$_SERVER['SERVER_ADDR']  Returns the IP address of the host server
$_SERVER['SERVER_NAME']  Returns the name of the host server (such as www.Omega.com)
$_SERVER['SERVER_SOFTWARE']  Returns the server identification string (such as Apache/2.2.24)
$_SERVER['SERVER_PROTOCOL']  Returns the name and revision of the information protocol (such as HTTP/1.1)
$_SERVER['REQUEST_METHOD']  Returns the request method used to access the page (such as POST)
$_SERVER['REQUEST_TIME']  Returns the timestamp of the start of the request (such as 1377687496)
$_SERVER['QUERY_STRING']  Returns the query string if the page is accessed via a query string
$_SERVER['HTTP_ACCEPT']  Returns the Accept header from the current request
$_SERVER['HTTP_ACCEPT_CHARSET']  Returns the Accept-Charset header from the current request (such as utf-8,ISO-8859-1)
$_SERVER['HTTP_HOST']  Returns the Host header from the current request
$_SERVER['HTTP_REFERER']  Returns the complete URL of the current page (not reliable because not all user-agents support it)
$_SERVER['HTTPS']  Is the script queried through a secure HTTP protocol
$_SERVER['REMOTE_ADDR']  Returns the IP address from where the user is viewing the current page
$_SERVER['REMOTE_HOST']  Returns the Host name from where the user is viewing the current page
$_SERVER['REMOTE_PORT']  Returns the port being used on the user's machine to communicate with the web server
$_SERVER['SCRIPT_FILENAME']  Returns the absolute pathname of the currently executing script
$_SERVER['SERVER_ADMIN']  Returns the value given to the SERVER_ADMIN directive in the web server configuration file (if your script runs on a virtual host, it will be the value defined for that virtual host) (such as someone@Omega.com)
$_SERVER['SERVER_PORT']  Returns the port on the server machine being used by the web server for communication (such as 80)
$_SERVER['SERVER_SIGNATURE']  Returns the server version and virtual host name which are added to server-generated pages
$_SERVER['PATH_TRANSLATED']  Returns the file system based path to the current script
$_SERVER['SCRIPT_NAME']  Returns the path of the current script
$_SERVER['SCRIPT_URI']  Returns the URI of the current page
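
The table does not say where each value comes from, and that is the security-relevant part: every element whose name starts with HTTP_ is copied straight out of a request header, so the client decides its content and may leave it out altogether. The following added example (not from the original tutorial; serverReport() is this example's own helper and $sample is a constructed request, not real data) marks the origin of each element, tolerates missing headers and escapes the values before they go into a page:

```php
<?php
// Added example (not from the original tutorial): which $_SERVER elements are
// copied from the client's request and therefore need escaping before they
// are echoed into a page. serverReport() is this example's own helper and
// $sample is a constructed request, not a real one.

function serverReport(array $server) {
    $keys = array('SERVER_NAME', 'REQUEST_METHOD', 'REMOTE_ADDR',
                  'HTTP_HOST', 'HTTP_REFERER', 'HTTP_USER_AGENT');
    $lines = array();
    foreach ($keys as $key) {
        // Every HTTP_* element is a request header the client chose to send;
        // it can be absent (Referer often is) or contain arbitrary text.
        // REMOTE_ADDR comes from the TCP connection (behind a reverse proxy
        // it is the proxy's address); the rest come from the server setup.
        $origin = (strpos($key, 'HTTP_') === 0) ? 'client header' : 'server';
        $value  = isset($server[$key]) ? $server[$key] : '(not sent)';
        // Escape before the value is placed into HTML, so a header that
        // carries markup is displayed as text instead of being rendered.
        $lines[] = $key . ' [' . $origin . ']: '
                 . htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    }
    return $lines;
}

// Constructed sample request; on a live page pass $_SERVER instead.
$sample = array(
    'SERVER_NAME'     => 'www.example.com',
    'REQUEST_METHOD'  => 'GET',
    'REMOTE_ADDR'     => '203.0.113.7',
    'HTTP_HOST'       => 'www.example.com',
    'HTTP_USER_AGENT' => "Mozilla/5.0 <script>alert('hacked')</script>",
    // HTTP_REFERER deliberately omitted: many browsers do not send it
);

foreach (serverReport($sample) as $line) {
    echo $line . "<br>";
}
?>
```

The isset() check is what keeps the missing Referer from raising an "undefined index" notice, and the escaping is what keeps the User-Agent value from being executed if the report is written into an HTML page or an HTML e-mail.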
PHP $_REQUEST
PHP $_REQUEST is used to collect data after submitting an HTML form.

The example below shows a form with an input field and a submit button. When a user submits the data by clicking on “Submit”, the form data is sent to the file specified in the action attribute of the <form> tag. In this example, we point to this file itself for processing form data. If you wish to use another PHP file to process form data, replace that with the filename of your choice. Then, we can use the super global variable $_REQUEST to collect the value of the input field:

Example

<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']);?>">
  Name: <input type="text" name="fname">
  <input type="submit">
</form>

<?php
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    // collect value of input field
    $name = $_REQUEST['fname'];
    if (empty($name)) {
        echo "Name is empty";
    } else {
        // escape before echoing, so markup in the submitted value is shown as text
        echo htmlspecialchars($name);
    }
}
?>

PHP $_POST
PHP $_POST is widely used to collect form data after submitting an HTML form with method=”post”. $_POST is also widely used to pass variables.

The example below shows a form with an input field and a submit button. When a user submits the data by clicking on “Submit”, the form data is sent to the file specified in the action attribute of the <form> tag. In this example, we point to the file itself for processing form data. If you wish to use another PHP file to process form data, replace that with the filename of your choice. Then, we can use the super global variable $_POST to collect the value of the input field:

Example

<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']);?>">
  Name: <input type="text" name="fname">
  <input type="submit">
</form>

<?php
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    // collect value of input field
    $name = $_POST['fname'];
    if (empty($name)) {
        echo "Name is empty";
    } else {
        // escape before echoing, so markup in the submitted value is shown as text
        echo htmlspecialchars($name);
    }
}
?>

PHP $_GET
PHP $_GET can also be used to collect form data after submitting an HTML form with method=”get”.

$_GET can also collect data sent in the URL.

Assume we have an HTML page that contains a hyperlink with parameters:

<a href="test_get.php?subject=PHP&web=Omega.com">Test $GET</a>

When a user clicks on the link “Test $GET”, the parameters “subject” and “web” are sent to “test_get.php”, and you can then access their values in “test_get.php” with $_GET.

The example below shows the code in “test_get.php”:

Example

<?php
// the two values come from the URL, so they are escaped before being echoed
echo "Study " . htmlspecialchars($_GET['subject']) . " at " . htmlspecialchars($_GET['web']);
?>

Tip: You will learn more about $_POST and $_GET in the PHP Forms chapter.

PHP 5 Form Handling

The PHP superglobals $_GET and $_POST are used to collect form-data.

PHP – A Simple HTML Form
The example below displays a simple HTML form with two input fields and a submit button:

Example

Name:

E-mail:

When the user fills out the form above and clicks the submit button, the form data is sent for processing to a PHP file named “welcome.php”. The form data is sent with the HTTP POST method.

To display the submitted data you could simply echo all the variables. The “welcome.php” looks like this:

Welcome

Your email address is:

The output could be something like this:

Welcome John
Your email address is john.doe@example.com
The same result could also be achieved using the HTTP GET method:

Example

Name:

E-mail:

and “welcome_get.php” looks like this:

Welcome

Your email address is:

The code above is quite simple. However, the most important thing is missing. You need to validate form data to protect your script from malicious code.

Think SECURITY when processing PHP forms!

This page does not contain any form validation, it just shows how you can send and retrieve form data.

However, the next pages will show how to process PHP forms with security in mind! Proper validation of form data is important to protect your form from hackers and spammers!

GET vs. POST
Both GET and POST create an array (e.g. array( key => value, key2 => value2, key3 => value3, …)). This array holds key/value pairs, where keys are the names of the form controls and values are the input data from the user.

Both GET and POST are treated as $_GET and $_POST. These are superglobals, which means that they are always accessible, regardless of scope – and you can access them from any function, class or file without having to do anything special.

$_GET is an array of variables passed to the current script via the URL parameters.

$_POST is an array of variables passed to the current script via the HTTP POST method.

When to use GET?
Information sent from a form with the GET method is visible to everyone (all variable names and values are displayed in the URL). GET also has limits on the amount of information to send. The limitation is about 2000 characters. However, because the variables are displayed in the URL, it is possible to bookmark the page. This can be useful in some cases.

GET may be used for sending non-sensitive data.

Note: GET should NEVER be used for sending passwords or other sensitive information!

When to use POST?
Information sent from a form with the POST method is invisible to others (all names/values are embedded within the body of the HTTP request) and has no limits on the amount of information to send.

Moreover, POST supports advanced functionality such as multi-part binary input for uploading files to the server.

However, because the variables are not displayed in the URL, it is not possible to bookmark the page.

Developers prefer POST for sending form data.

Next, let's see how we can process PHP forms the secure way!
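
The “welcome.php” shown earlier in this chapter echoes the submitted values as they arrive. The following added example (not from the original tutorial) is a version of that file which only accepts a POST submission, reads fields that may be missing without raising notices, and escapes the values before printing them. The field names name and email, and the helpers collectForm() and h(), are this example's own assumptions; the form markup above does not show the field names.

```php
<?php
// Added example (not from the original tutorial): a "welcome.php" that reads
// the two fields of the form above. The field names "name" and "email" are
// assumed; the form markup above does not show them.

// Pull the wanted fields out of a superglobal. Missing fields become ""
// instead of raising an "undefined index" notice. Because $_GET and $_POST
// are both plain arrays, the same function serves welcome_get.php.
function collectForm(array $source, array $fields) {
    $out = array();
    foreach ($fields as $field) {
        $out[$field] = isset($source[$field]) ? trim($source[$field]) : "";
    }
    return $out;
}

// Escape for output inside HTML; ENT_QUOTES also covers single quotes.
function h($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Accept the data only as a POST submission (for the welcome_get.php
// variant compare against 'GET' and pass $_GET to collectForm()).
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    echo "Please submit the form first.";
    exit;
}

$form = collectForm($_POST, array('name', 'email'));

echo "Welcome " . h($form['name']) . "<br>";
echo "Your email address is: " . h($form['email']);
?>
```

Checking REQUEST_METHOD first means that someone simply opening welcome.php in the address bar gets a plain message instead of a page full of notices, and the escaping in h() is the difference between showing a submitted value and executing it.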

PHP 5 Form Validation

This and the next chapters show how to use PHP to validate form data.

PHP Form Validation
Think SECURITY when processing PHP forms!

These pages will show how to process PHP forms with security in mind. Proper validation of form data is important to protect your form from hackers and spammers!

The HTML form we will be working with in these chapters contains various input fields: required and optional text fields, radio buttons, and a submit button:

The validation rules for the form above are as follows:

Field    Validation Rules
Name     Required. Must only contain letters and whitespace
E-mail   Required. Must contain a valid email address (with @ and .)
Website  Optional. If present, it must contain a valid URL
Comment  Optional. Multi-line input field (textarea)
Gender   Required. Must select one
First we will look at the plain HTML code for the form:

Text Fields
The name, email, and website fields are text input elements, and the comment field is a textarea. The HTML code looks like this:

Name:
E-mail:
Website:
Comment:
Radio Buttons
The gender fields are radio buttons and the HTML code looks like this:

Gender:
Female
Male
The Form Element
The HTML code of the form looks like this:

<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
When the form is submitted, the form data is sent with method=”post”.

What is the $_SERVER[“PHP_SELF”] variable?

The $_SERVER[“PHP_SELF”] is a super global variable that returns the filename of the currently executing script.

So, the $_SERVER[“PHP_SELF”] sends the submitted form data to the page itself, instead of jumping to a different page. This way, the user will get error messages on the same page as the form.

What is the htmlspecialchars() function?

The htmlspecialchars() function converts special characters to HTML entities. This means that it will replace HTML characters like < and > with &lt; and &gt;. This prevents attackers from exploiting the code by injecting HTML or JavaScript code (Cross-site Scripting attacks) in forms.

Big Note on PHP Form Security
The $_SERVER[“PHP_SELF”] variable can be used by hackers!

If PHP_SELF is used in your page then a user can enter a slash (/) and then some Cross Site Scripting (XSS) commands to execute.

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users.

Assume we have the following form in a page named “test_form.php”:

<form method="post" action="<?php echo $_SERVER["PHP_SELF"];?>">
Now, if a user enters the normal URL in the address bar like “http://www.example.com/test_form.php”, the above code will be translated to:

<form method="post" action="test_form.php">
So far, so good.

However, consider that a user enters the following URL in the address bar:

http://www.example.com/test_form.php/%22%3E%3Cscript%3Ealert('hacked')%3C/script%3E
In this case, the above code will be translated to:

<form method="post" action="test_form.php/"><script>alert('hacked')</script>">
This code adds a script tag and an alert command. And when the page loads, the JavaScript code will be executed (the user will see an alert box). This is just a simple and harmless example of how the PHP_SELF variable can be exploited.

Be aware that any JavaScript code can be added inside the <script> tag! A hacker can redirect the user to a file on another server, and that file can hold malicious code that can alter the global variables or submit the form to another address to save the user data, for example.

How To Avoid $_SERVER[“PHP_SELF”] Exploits?
$_SERVER[“PHP_SELF”] exploits can be avoided by using the htmlspecialchars() function.

The form code should look like this:

<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
The htmlspecialchars() function converts special characters to HTML entities. Now if the user tries to exploit the PHP_SELF variable, it will result in the following output:

<form method="post" action="test_form.php/&quot;&gt;&lt;script&gt;alert('hacked')&lt;/script&gt;">
The exploit attempt fails, and no harm is done!

Validate Form Data With PHP
The first thing we will do is to pass all variables through PHP’s htmlspecialchars() function.

When we use the htmlspecialchars() function, then if a user tries to submit the following in a text field:

<script>location.href('http://www.hacked.com')</script>

– this would not be executed, because it would be saved as HTML escaped code, like this:

&lt;script&gt;location.href('http://www.hacked.com')&lt;/script&gt;

The code is now safe to be displayed on a page or inside an e-mail.

We will also do two more things when the user submits the form:

Strip unnecessary characters (extra space, tab, newline) from the user input data (with the PHP trim() function)
Remove backslashes (\) from the user input data (with the PHP stripslashes() function)
The next step is to create a function that will do all the checking for us (which is much more convenient than writing the same code over and over again).

We will name the function test_input().

Now, we can check each $_POST variable with the test_input() function, and the script looks like this:

Example
<?php
// define variables and set to empty values
$name = $email = $gender = $comment = $website = "";

if ($_SERVER["REQUEST_METHOD"] == "POST") {
  $name = test_input($_POST["name"]);
  $email = test_input($_POST["email"]);
  $website = test_input($_POST["website"]);
  $comment = test_input($_POST["comment"]);
  $gender = test_input($_POST["gender"]);
}

function test_input($data) {
  $data = trim($data);
  $data = stripslashes($data);
  $data = htmlspecialchars($data);
  return $data;
}
?>
Notice that at the start of the script, we check whether the form has been submitted using $_SERVER[“REQUEST_METHOD”]. If the REQUEST_METHOD is POST, then the form has been submitted – and it should be validated. If it has not been submitted, skip the validation and display a blank form.

However, in the example above, all input fields are optional. The script works fine even if the user does not enter any data.

The next step is to make input fields required and create error messages if needed.
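
Two details of test_input() deserve a closer look before the fields become required: htmlspecialchars() with its default flags does not escape single quotes (before PHP 5.4 the default is ENT_COMPAT), so a value placed inside a single-quoted attribute is not protected, and stripslashes() removes every backslash the user typed, which only makes sense when magic_quotes_gpc added them. The following added example (not from the original tutorial; test_input_v2(), post_field() and the $samples array are this example's own) puts a hardened variant next to the chapter's function and runs both over the chapter's own payloads:

```php
<?php
// Added example (not from the original tutorial): a hardened test_input()
// beside the chapter's version, run against constructed sample input.
// test_input_v2(), post_field() and $samples are this example's own names.

// The chapter's function, as given above.
function test_input($data) {
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}

// Differences from the chapter's version:
//  * ENT_QUOTES: single quotes become &#039; as well, so the value is also
//    safe inside single-quoted HTML attributes, not only between tags.
//  * an explicit charset, so the escaping matches the page encoding.
//  * stripslashes() only when magic_quotes_gpc added the backslashes;
//    otherwise a legitimate backslash in the input would be destroyed.
function test_input_v2($data) {
    $data = trim($data);
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $data = stripslashes($data);
    }
    return htmlspecialchars($data, ENT_QUOTES, 'UTF-8');
}

// Read a $_POST field that may be absent (for example when no radio button
// was selected) without triggering an "undefined index" notice.
function post_field($key) {
    return isset($_POST[$key]) ? test_input_v2($_POST[$key]) : "";
}

// Constructed samples: the chapter's script payload, a path shaped like the
// PHP_SELF attack above (it must be escaped the same way before it goes into
// action=""), and an ordinary value containing a quote and a backslash.
$samples = array(
    "<script>location.href('http://www.hacked.com')</script>",
    "test_form.php/\"><script>alert('hacked')</script>",
    "  O'Brien \\ Co  ",
);

foreach ($samples as $s) {
    echo "chapter : " . test_input($s) . "<br>";
    echo "hardened: " . test_input_v2($s) . "<br><br>";
}
?>
```

In the output, the chapter's version leaves the single quotes in the first two samples untouched and strips the backslash from the third, while the hardened version turns every quote into an entity and keeps the backslash. post_field() is the form the $_POST reads in the script above take once the gender radio buttons may be left unselected.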
