Form Handling with PHP

Lesson 4 - Generic Scripts

Index   Lesson << Prev 1 2 3 4 5 6 7 Next >>

How do you create a script that will handle different forms, without knowing anything about the form? It's not as hard as you might think. You can write a small script that will send the values submitted by the user like this:

<?php
   if ($_SERVER['REQUEST_METHOD']=="POST"){
      // In testing, if you get an Bad referer error
      // comment out or remove the next three lines
      if (strpos($_SERVER['HTTP_REFERER'], $_SERVER['HTTP_HOST'])>7 ||
         !strpos($_SERVER['HTTP_REFERER'], $_SERVER['HTTP_HOST']))
         die("Bad referer");
      $msg="Values submitted by the user:\n";
      foreach($_POST as $key => $val){
         if (is_array($val)){
            $msg.="Item: $key\n";
            foreach($val as $v){
               $v = stripslashes($v);
               $msg.="   $v\n";
            }
         } else {
            $val = stripslashes($val);
            $msg.="$key: $val\n";
         }
      }
      $recipient="user@example.com";
      $subject="Form submission";
      error_reporting(0);
      if (mail($recipient, $subject, $msg)){
         echo "<h1>Thank you</h1><p>Message successfully sent:</p>\n";
         echo nl2br($input);
      } else
         echo "An error occurred and the message could not be sent.";
   } else
      echo "Bad request method";
?>

There are two significant differences from what we've done up until now. The first is that this script will be in a file by itself and not in the same file as the form. So, let's say we saved this process.php. you would then set the ACTION attribute of any forms that were to use it to point to process.php. For example:

   <form action="process.php" method="post">
	

The second difference is that, if your form pages no longer contain any other PHP code, they do not need to be named with the .php file name extension.

Alright, what does this simple little script do? Well first, other than verifying that the form was actually submitted from our own host, there is no validation. What ever the user chose is sent. In some instances, that might be alright. We begin in familiar territory checking to see if the request method was POST. After that, the next lines that follow are:

      if (strpos($_SERVER['HTTP_REFERER'], $_SERVER['HTTP_HOST'])>7 ||
         !strpos($_SERVER['HTTP_REFERER'], $_SERVER['HTTP_HOST']))
         die("Bad referer");

What this does is checks to see if the page that called this script was sent from the same host. It does this by testing for the HTTP_REFERER header to see if our host name is in the string and that it does not start more than seven characters into the referer. The seven characters allow for the prefix "http://". That prevents someone from creating a directory on their own site with the name of your domain, i.e. http://badhost.com/yourdomain.com/ and calling the script from there.

Next, we begin building the message body, using a variable called $msg to hold the values we want to send starting with the simple message "Values submitted by the user:". Then we set up a simple foreach loop that goes through each of the values submitted. It first tests to see if the value is an array, like it would be with a list box:

            if (is_array($val)){
		

If the value is an array, it begins another foreach loop to go through the array values and add them to the message body:

            $msg.="Item: $key\n";
            foreach($val as $v){
               $v = stripslashes($v);
               $msg.="   $v\n";
            }

If the value is not an array, the value is simply added to the message body:

         } else {
            $val = stripslashes($val);
            $msg.="$key: $val\n";
         }

We finish up by assigning strings to variables for the recipient e-mail address and the message subject and using our familiar mail() function to send ti:

      $recipient="user@example.com";
      $subject="Form submission";
      error_reporting(0);
      if (mail($recipient, $subject, $msg)){
         echo "<h1>Thank you</h1><p>Message successfully sent:</p>\n";
         echo nl2br($input);
      } else
         echo "An error occurred and the message could not be sent.";
   } else
      echo "Bad request method";

So there you have a generic script that will send form results without knowing the slightest thing about the form that called it except that the form originitated from the same host where the script is located.

Lesson 5