Page 287 - Beginning PHP 5.3

Chapter 9: Handling HTML Forms with PHP
                         redisplayed as blank. The script checks to see if the form is being redisplayed due to missing required
                         field values; if so, the password field labels are highlighted with the red error boxes to remind the users
                         to reenter their password:

                             <label for="password1"<?php if ( $missingFields ) echo ' class="error"' ?>>Choose a password *</label>
                             <input type="password" name="password1" id="password1" value="" />
                             <label for="password2"<?php if ( $missingFields ) echo ' class="error"' ?>>Retype password *</label>
                             <input type="password" name="password2" id="password2" value="" />

                               Finally, the script defines the displayThanks() function. This displays a simple thank-you message
                         when the form has been correctly filled out:

                             function displayThanks() {
                             ?>
                                 <h1>Thank You</h1>
                                 <p>Thank you, your application has been received.</p>
                             <?php
                             }
                             ?>

                               With this example you can see that, by embedding an HTML form within a PHP script, you can start to
                         develop quite complex interactive Web forms.



                           Storing PHP Variables in Forms

                           Earlier in the chapter you were introduced to hidden fields. A hidden field is a special type of input
                          element that can store and send a string value, just like a regular text input control. However, a hidden
                          field is not displayed on the page (although its value can be seen by viewing the page source), and
                          therefore its value cannot be changed by the users when they're filling out the form. By combining
                          hidden fields with PHP's ability to insert data dynamically into form fields, you effectively have the
                          ability to store data between one browser request and the next:

                             <input type="hidden" name="selectedWidget" value="<?php echo $selectedWidget ?>" />

                               Although users can't change a hidden field's value when using their browser under normal conditions,
                             it's fairly easy for an attacker to submit a form that does contain hidden fields with altered values.
                             Therefore, it's not a good idea to use hidden fields to transmit sensitive or critical information such as
                             user IDs or order numbers, at least not without performing additional validation in your script to
                             ensure the supplied data is correct.
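
One way to perform the additional validation mentioned above, as an added example that is not from the book: the server attaches an HMAC tag to the hidden value and rejects the submission if either has been altered. The field name selectedWidgetTag, the helpers signField() and fieldIsUntampered(), the session key formKey and the sample value are assumptions made for illustration; the code assumes PHP 7 or later for random_bytes() and hash_equals().

```php
<?php
// Added example, not from the book. Assumes PHP 7+ (random_bytes, hash_equals).
session_start();

// Per-session secret key kept on the server; it is never sent to the browser.
if ( !isset( $_SESSION['formKey'] ) ) {
  $_SESSION['formKey'] = random_bytes( 32 );
}

// Hypothetical helper: compute a tag that binds the field name to its value.
function signField( $name, $value, $key ) {
  return hash_hmac( 'sha256', $name . '=' . $value, $key );
}

// Hypothetical helper: true only if the submitted value still matches its tag.
// hash_equals() compares in constant time, so the tag cannot be guessed byte by byte.
function fieldIsUntampered( $name, $value, $tag, $key ) {
  return is_string( $value ) && is_string( $tag )
    && hash_equals( signField( $name, $value, $key ), $tag );
}

$key = $_SESSION['formKey'];

if ( $_SERVER['REQUEST_METHOD'] === 'POST' ) {
  $value = isset( $_POST['selectedWidget'] ) ? $_POST['selectedWidget'] : null;
  $tag   = isset( $_POST['selectedWidgetTag'] ) ? $_POST['selectedWidgetTag'] : null;
  if ( !fieldIsUntampered( 'selectedWidget', $value, $tag, $key ) ) {
    http_response_code( 400 );
    exit( 'Invalid form data.' );
  }
  // The value is one this server issued in this session. For user IDs or order
  // numbers, still check that the current user is allowed to act on it.
  echo 'Selected widget: ' . htmlspecialchars( $value, ENT_QUOTES, 'UTF-8' );
  exit;
}

$selectedWidget = 'SuperWidget';  // constructed sample value
?>
<form action="" method="post">
  <input type="hidden" name="selectedWidget"
         value="<?php echo htmlspecialchars( $selectedWidget, ENT_QUOTES, 'UTF-8' ) ?>" />
  <input type="hidden" name="selectedWidgetTag"
         value="<?php echo signField( 'selectedWidget', $selectedWidget, $key ) ?>" />
  <input type="submit" value="Continue" />
</form>
```

Keeping the value itself in $_SESSION and sending nothing to the browser avoids the problem entirely; the tag is useful when the value has to travel through the form.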










