A quick and simple PHP form processing script

Tutorial files:


Sample form
Sample PHP script
The form
There are a few basic points to note in the form's HTML. First, the opening <form> tag's
method attribute should be set to "post" and the action attribute should point to the
processing script's location. In the following example, the script is in the same directory as
the page containing the form.
<form method="post" action="form.php">
The script
Looking at the PHP, you can see that the basic syntax of PHP mostly consists of commands
followed by semicolons. There are also a few curly braces and parentheses, and these will
be discussed later.
Now let's begin by looking at the following piece of PHP.
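//import form information
$name = $_POST['name'];
$email = $_POST['email'];
$message = $_POST['message'];
//types is only sent when a comment type was selected, so default to an empty list
$types = isset($_POST['types']) ? (array) $_POST['types'] : array();
$message=stripslashes($message);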
The first line, //import form information, is a comment that exists only to document the
script. It is very similar to using <!-- --> in HTML. The difference here is that // only
comments out one line of code. To comment out multiple lines of PHP, use /* and */.
Here the script is grabbing the input of the form and creating variables and populating
them with the information submitted in the form. Taking $email = $_POST['email']; as an
example, variable "$email" is created and populated with the text from the incoming form's
"email" field, which PHP places in the $_POST['email'] variable. When using $_POST
variables, make sure that the incoming form used method="post" in its opening form tag. If
your form uses method="get", then modify the script by using $_GET['email'].
You could simply access the incoming form's content by directly accessing the $_POST
variables. However, assigning the form information to standard variables, as in the example
above, allows for the use of a more simple syntax throughout the rest of the script, and it
also allows us to manipulate the contained information with greater flexibility.
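One final bit of PHP here, $message=stripslashes($message);, cleans up the message text.
Without this line, the message text could contain slashes in front of certain characters.
This happens on older PHP installations where the magic quotes setting is enabled; PHP 5.4
removed that setting.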
/*
Simple form validation
check to see if an email and message were entered
*/
//if no message entered and no email entered print an error
if (empty($message) && empty($email)){
print "No email address and no message was entered. <br>Please include an email and a message";
}
//if no message entered print an error
elseif (empty($message)){
print "No message was entered.<br>Please include a message.<br>";
}
//if no email entered print an error
elseif (empty($email)){
print "No email address was entered.<br>Please include your email. <br>";
}
//if the form has both an email and a message
else {
This section of PHP does some simple validation of form input by checking to see if
anything was put into the form's email and message fields. This section contains three
subsections to test whether or not either or both of the required form fields, email and
message, were filled out. The first section checks to see if both the message and email were
empty. If so, the script outputs an error message, informing the users that they didn't include
both of the required fields. The syntax of an if statement in PHP is fairly simple. After "if" the
condition to be tested for is enclosed in parentheses. In this first instance this condition is
empty($message) && empty($email). Using the empty function, the script first checks to see
if there was a message entered. The && characters are an "and" operator that connects the
first condition with the second, empty($email), which checks to see if an email was
entered. Translated into English, this statement essentially says that "If there is no email and
there is no message perform the following action." The action to be performed is contained
within curly braces. In this case an error message is printed.
Similarly, the following two elseif statements check to see if only the message or email
fields were left empty, printing an error message if either is the case. We don't have to worry
about duplicate error messages (in the case that both the email and message fields were
left blank, for example), since, if any of the conditions of a chain of if or elseif statements are
found to be true, the remaining statements are ignored.
Finally, if none of the tests contained within any of the preceding if or elseif statements were
found to be true, then the PHP contained within the else statement is executed. In this
sample script it is:
//Thank the user by name if they entered a name
if (!empty($name)) {
print "<b>Thank you $name.</b><br>";
}
for ($i=0;$i<count($types);$i++){
$ctypes= $ctypes . "\n$types[$i]";
$screen_ctypes= $screen_ctypes . "\n$types[$i]";
}
print "<p><b>The following message has been sent</b>:
<br>$message<br></p><p><b>Comment type(s):</b><br>$screen_ctypes</p>";
$body= $message . ' Comment type(s)' . $ctypes;
//mail the form contents
mail( "your-email@indiana.edu", "Web site comments", $body, "From: $email" );
The first line is another comment. The next few lines print out a simple "thank you" message.
The first three of these lines are fairly straightforward. The script checks to see if the $name
variable is not empty. If it isn't empty, then the script prints a line thanking the user by name.
Also, since the form could contain multiple comment types, we need to check to see if
multiple comment types were entered and print each of them. Without going into details,
this is essentially what lines 5-8 accomplish. Next, the script outputs a message to the screen
containing the text that was input.
The next line, $body= $message . ' Comment type(s)' . $ctypes;, concatenates
(pastes together) the contents of the $message variable (which is the text from the form's
textarea), the text " Comment type(s)", and the contents of the $ctypes variable (which is a
list of the comment types). The combined string of text resulting from this concatenation is
then stored in the $body variable.
The final line sends the form contents to a specified email address. The four strings
contained within the parentheses specify, in order, the recipient of the email, the subject
line of the sent email, the body of the email, and the address of the sender.
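The script above prints $name, $message and the comment types straight into the page and passes $email into the From header unchanged, so form text can end up as HTML or as extra mail headers. The following is an added example, not part of the original sample script, of the same output and From handling with escaping and sender validation; the helper names and the sample input are assumptions made for illustration.

```php
<?php
// Added example, not the tutorial's script. clean_sender(), h() and
// confirmation_html() are hypothetical helper names.

// Return an address that is safe to place in the From header, or null.
function clean_sender($raw)
{
    $raw = trim((string) $raw);
    // A CR or LF inside a header value would start a new header line.
    if (preg_match('/[\r\n]/', $raw)) {
        return null;
    }
    $email = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Escape form text before it is echoed back into the page.
function h($text)
{
    return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
}

// Build the confirmation HTML; $types may be missing or a single string.
function confirmation_html($name, $message, $types)
{
    $types = array_map('h', array_filter((array) $types, 'is_string'));
    $html = ($name !== '') ? '<b>Thank you ' . h($name) . '.</b><br>' : '';
    return $html
        . '<p><b>The following message has been sent</b>:<br>'
        . nl2br(h($message)) . '</p>'
        . '<p><b>Comment type(s):</b><br>' . implode('<br>', $types) . '</p>';
}

// Constructed sample input standing in for $_POST.
$post = array(
    'name'    => '<i>Pat</i>',
    'message' => 'Nice site & thanks',
    'types'   => array('Praise', '<b>Other</b>'),
);
foreach (array('pat@example.com', "pat@example.com\r\nX-Injected: 1") as $raw) {
    $sender = clean_sender($raw);
    if ($sender === null) {
        print "Rejected sender value.\n";
        continue;
    }
    print confirmation_html($post['name'], $post['message'], $post['types']) . "\n";
    // mail() goes here, with "From: $sender" as its fourth argument.
}
```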
You may have noticed the following bit of code near the beginning of the script:
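$page = "http://ella.slis.indiana.edu/~PATH/TO/FORM";
//ereg() was removed in PHP 7; strpos() does the same "contains" check
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
if (strpos($referer, $page) === false){
echo "Invalid referer";
die;
}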
This section provides some very basic security by ensuring that only forms from a certain
page can send mail using this script. Without these few lines, anyone who knew the URL of
your form script could use the script to send mail. To make this script work for your form,
simply set the value of the $page variable to the URL of your form (i.e. something like $page
= "http://ella.slis.indiana.edu/~arsteven/L571/form.html";).
While the PHP outlined above does provide some security, it is only of a rudimentary level:
the referer value is sent by the visitor's browser, so a client can set it to anything.
For heavily trafficked sites, it is a good idea to use one of many free form processing scripts
that provide stronger security. A couple of examples of such scripts are:


PHPFormmail
NMS FormMail
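One way to tie a submission to a form page that this server actually issued, without relying on HTTP_REFERER, is a per-session token in a hidden field. This is an added example, not code from the original tutorial or from the scripts listed above; it assumes PHP 7 or later, that the form is served by the same PHP file (named form.php here), and the function and field names are hypothetical.

```php
<?php
// Added example: a per-session form token checked in place of HTTP_REFERER.
// form_token(), token_is_valid() and the "token" field are hypothetical names.

// Used when showing the form: create the token once per session.
function form_token()
{
    if (empty($_SESSION['form_token'])) {
        $_SESSION['form_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['form_token'];
}

// Used when processing the form: accept only this session's token.
function token_is_valid($submitted)
{
    return isset($_SESSION['form_token'])
        && is_string($submitted)
        && hash_equals($_SESSION['form_token'], $submitted);
}

session_start();

$method = isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : 'GET';
if ($method === 'POST') {
    $submitted = isset($_POST['token']) ? $_POST['token'] : null;
    if (!token_is_valid($submitted)) {
        http_response_code(403);
        die('Invalid form token');
    }
    unset($_SESSION['form_token']);   // one submission per issued token
    print 'Token accepted; continue with validation and mail().';
} else {
    // The form page embeds the token as a hidden field.
    $token = htmlspecialchars(form_token(), ENT_QUOTES, 'UTF-8');
    print '<form method="post" action="form.php">'
        . '<input type="hidden" name="token" value="' . $token . '">'
        . '<textarea name="message"></textarea>'
        . '<input type="submit"></form>';
}
```

Unlike the referer value, the token is generated on the server and compared with hash_equals(), so a request that never loaded the form in that session has nothing valid to send.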