Accepting User Data (6:48) with Alena Holligan
In this video we'll cover differences between the GET and POST methods, then filter the POSTED user data to make sure it's in the expected format.
filter_input: Gets a specific external variable by name and optionally filters it.
Max URL length: Microsoft Internet Explorer has a maximum uniform resource locator (URL) length of 2,083 characters. Internet Explorer also has a maximum path length of 2,048 characters.
header() is used to send a raw HTTP header, such as a redirect. Remember that header() must be called before any actual output is sent, either by normal HTML tags, blank lines in a file, or from PHP. It is a very common error to read code with include or require functions, or another file access function, and have spaces or empty lines that are output before header() is called. The same problem exists when using a single PHP/HTML file.
We're ready to create records in our database. We'll add some new projects to the list, and to do that, we'll accept data from a form. When handling values from outside your code, it's important to filter input and escape output. We're going to use these principles in two places to make sure that we're not getting bad or harmful data. We'll filter the incoming form data to make sure that it's in the format that we expect. Then we'll use the prepared statement when interacting with the database to prevent SQL injection.

As a quick review, a SQL injection is when a query you never intended to run is inappropriately introduced into your code. If we're expecting the user to give us a project title like mynewproject but instead we receive mynewproject: DROP TABLE projects, we now have two queries: the one we want that adds a new project, and the second query that I'm sure we don't want, that drops or removes the entire projects table.

We're going to start by accepting form data and filtering those results. There are two possible methods for form submission, GET and POST. In general, GET is used when the form submission is merely retrieving or getting data. The nice thing about GET is that values become part of the web address. You can bookmark the results and share them on social media, allowing other people to follow the link and see the same results. POST is used when the form submission is changing records or taking some other action like sending email. There are three main advantages of POST. First, the name-value pairs are not displayed in the URL, making it slightly more secure for the casual observer. Second, URLs can be refreshed multiple times, causing the action to be performed multiple times. This could easily create duplicate records or delete more records than intended. And third, you can submit more data such as long descriptions. It's easier than you might think to reach the max URL length of roughly 2,000 characters.

Now that we're ready to filter our posted data, let's check our form and start collecting user input. Let's start in the browser and choose Add Project. This takes us to the project.php page where we see a simple form with two fields, a title and a category. Now let's go back to workspaces and open project.php. Let's take a look at the HTML for the form. The action is set to project.php and the method is post. Next, we see our fields named title and category.

Let's start filtering that data to use in our script. At the top of the file, before we include the header or send any output to the browser, but after our page variables, let's add some new code. We start by checking that the request method is POST: if ($_SERVER['REQUEST_METHOD'] == 'POST'). Then we create some variables for our form data and filter the input. We've done this before, but I'll add some links in the teacher's notes for more information. $title = filter_input, the type, INPUT_POST, the field, 'title', and the filter, FILTER_SANITIZE_STRING. We can duplicate this line for category. I want to remove any white spaces from the beginning and end of our fields, so let's also add the trim function. Since both of these fields are required, let's check that the variables are not empty before we do anything else: if (empty($title) || empty($category)). Then we want to send an error message: Please fill in the required fields: Title and Category. Else, let's just start by displaying these variables to the screen. Make sure that you use double quotes if you want to see the variable values.

Now we need to show that error message on our page. Directly above the form, let's open and close our PHP tags. Then we can add a conditional: if (isset($error_message)), echo p class = message, and then our error message, and close our paragraph. Let's go back to the browser and refresh the page. Now let's try to submit the empty form. Great, we see the error message telling us to fill in the required fields. Now let's fill in a title and a category. Now when we submit the form, we see the title and the category displayed on the page. Perfect. Now we're ready to start using that data to create a new record in the database.
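As an added example that is not the course's own project.php, here is the filter-input / escape-output flow from the video, together with the filter_input and header() points from the teacher's notes, written as one self-contained PHP page; it also includes the prepared-statement insert the video promises for the next step, since that is the mitigation for the injected "DROP TABLE projects" query it describes. It assumes a form posting fields named title and category to project.php, a projects table with title and category columns, and placeholder database credentials. Three things are additions or substitutions of my own, not shown in the video: a length check before the insert, a redirect after a successful POST (so a browser refresh cannot re-submit the form, which is the duplicate-record problem the video raises), and validation plus escaping on output in place of FILTER_SANITIZE_STRING, which is deprecated as of PHP 8.1. The e() helper name is likewise mine.

```php
<?php
// Added example, not the course's project.php: filter input on the way in,
// use a prepared statement for the database, escape on the way out.
// Assumed: a form posting "title" and "category" to this file, and a
// "projects" table with title and category columns.

// Page variables come first. Nothing may be echoed (not even a blank line
// outside the PHP tags) before header() is called further down.
$page_title = 'Add Project';
$error_message = null;
$title = '';
$category = '';

// Inserts one row with a prepared statement. The values are bound as data,
// so a title such as "mynewproject; DROP TABLE projects" is stored as text
// and never parsed as a second query.
function add_project(PDO $db, string $title, string $category): bool
{
    $stmt = $db->prepare('INSERT INTO projects (title, category) VALUES (:title, :category)');
    $stmt->bindValue(':title', $title, PDO::PARAM_STR);
    $stmt->bindValue(':category', $category, PDO::PARAM_STR);
    return $stmt->execute();
}

// Escape output: every request-derived value goes through this when echoed.
// (Helper name is my own, not from the course.)
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Filter input: read from the POST body only, never from $_GET or $_REQUEST.
    // filter_input() returns null when the field is absent, so cast to string
    // before trimming leading/trailing whitespace. FILTER_SANITIZE_STRING (used
    // in the video) is deprecated since PHP 8.1; FILTER_DEFAULT keeps the raw
    // value, which is then validated here and escaped on output below.
    $title    = trim((string) filter_input(INPUT_POST, 'title', FILTER_DEFAULT));
    $category = trim((string) filter_input(INPUT_POST, 'category', FILTER_DEFAULT));

    if ($title === '' || $category === '') {
        $error_message = 'Please fill in the required fields: Title and Category.';
    } elseif (mb_strlen($title) > 255 || mb_strlen($category) > 255) {
        // Assumed column size: reject oversized input rather than silently truncating it.
        $error_message = 'Title and Category must be 255 characters or fewer.';
    } else {
        // Placeholder DSN and credentials; replace with your own.
        $db = new PDO('mysql:host=localhost;dbname=projects;charset=utf8mb4', 'DB_USER', 'DB_PASSWORD', [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares, not client-side quoting
        ]);
        add_project($db, $title, $category);

        // Redirect after a successful POST so a browser refresh re-requests the
        // listing page instead of re-submitting the form (no duplicate records).
        // This works only because no output has been sent yet.
        header('Location: index.php');
        exit;
    }
}
?>
<!DOCTYPE html>
<html>
<head><title><?= e($page_title) ?></title></head>
<body>
<?php if ($error_message !== null): ?>
    <p class="message"><?= e($error_message) ?></p>
<?php endif; ?>
<form action="project.php" method="post">
    <label>Title <input type="text" name="title" value="<?= e($title) ?>"></label>
    <label>Category <input type="text" name="category" value="<?= e($category) ?>"></label>
    <button type="submit">Add Project</button>
</form>
</body>
</html>
```

Note the ordering: all PHP logic, including the header() redirect, runs before the first byte of HTML, which is the constraint the teacher's notes describe. Because the raw value is kept rather than sanitized, the same title can be re-displayed in the form on a validation error and inserted into the database unchanged; the only place it is transformed is at output, through htmlspecialchars().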