How to set up form submission method in PHP

PHP is a popular scripting language widely used in web development. When we need to collect user input information on a Web page, using a form is a good choice. When using a form to submit data in PHP, you need to make some settings to ensure that the data can be received and processed correctly.

This article will focus on how to set up form submission methods, obtain form data and prevent form attacks in PHP.

1. Set the form submission method

In HTML, there are two common ways to submit a form: get and post. The get method appends the form data to the URL, while the post method encapsulates the data and sends it in the message body of the HTTP request. In PHP, we can access form data through the $_GET and $_POST superglobal variables, so we need to make corresponding settings according to the different form submission methods.

Here is a simple form example to collect a user's username and password:

<form action="login.php" method="post">
    <label for="username">用户名：</label>
    <input type="text" id="username" name="username"><br>
    <label for="password">密码：</label>
    <input type="password" id="password" name="password"><br>
    <input type="submit" value="登录">
</form>

In this form, we use the post method to submit data to the login.php page. In login.php, the username and password entered in the form can be accessed via $_POST['username'] and $_POST['password'].

It should be noted that when submitting a form, you must pay attention to security. Using the post method can encapsulate the data in the HTTP request message body, which is more secure than the get method. Therefore, when dealing with forms containing sensitive information, you should give priority to using the post method.

2. Get form data

Getting form data in PHP is very simple, just use the corresponding super global variable. If the form submission method is get, use the $_GET super global variable. If the form submission method is post, use the $_POST super global variable.

Here is a simple example showing how to get form data in PHP:

$username = $_POST['username'];
$password = $_POST['password'];
echo "您输入的用户名是：".$username."<br>";
echo "您输入的密码是：".$password."<br>";

It should be noted that when we use $_POST or $_GET to get form data, we should always use isset() function to determine whether the variable exists to avoid undefined variable errors.

In addition, when using unsafe external data (such as obtaining data from URL parameters), security checks and filtering are required to avoid attacks such as SQL injection.

3. Prevent form attacks

Form attacks refer to the behavior of attackers using form submission to obtain or tamper with website data. Common types of form attacks include cross-site request forgery (CSRF) and SQL injection. In order to prevent form attacks, we need to take appropriate security measures.

3.1 Preventing CSRF attacks

The principle of CSRF attacks is that the attacker uses the victim's login information on other websites to forge a POST request to the target website, thereby achieving various attacks. In order to prevent CSRF attacks, we can take the following measures:

(1) Use Token verification: generate a unique Token when the form is submitted, and store the Token in the Session variable. When the form is submitted, verify that the token matches, and if not, reject the request.

(2) Verify source URL: When the form is submitted, verify whether the source URL is the same as the target site. If different, reject the request.

3.2 Preventing SQL Injection

SQL injection means that the attacker enters malicious SQL code into the form to achieve illegal access to the database. To prevent SQL injection, we should filter and escape user-entered data.

The following is a simple example showing how to use the mysqli_real_escape_string() function to escape user-entered data:

$username = mysqli_real_escape_string($conn, $_POST['username']);
$password = mysqli_real_escape_string($conn, $_POST['password']);

In this example, $conn represents the database connection object, mysqli_real_escape_string( ) function is used to escape the input string. This prevents malicious code entered by users from affecting the database.

Conclusion

Using forms to collect user input is a common method in web development, but you need to pay attention to security and protective measures. It is relatively simple to obtain form data or set the submission method in PHP, but you need to pay attention to undefined variables and security filtering. Preventing form attacks requires specific security measures, such as Token verification and SQL filtering. Only by fully considering security and actual needs can form submission be made more reliable and secure.

The above is the detailed content of How to set up form submission method in PHP. For more information, please follow other related articles on the PHP Chinese website!