Introduction
On Day 7 of your PHP Full Stack journey, we focus on handling forms and user input securely. Forms are the primary way users interact with web applications, whether it’s signing up, logging in, or submitting data. However, improper handling of user input can lead to vulnerabilities like SQL injection, XSS (Cross-Site Scripting), and CSRF (Cross-Site Request Forgery).
At CuriosityTech.in, learners are trained to not just capture user input but to validate, sanitize, and securely process data, ensuring web applications are safe and reliable.
1. Creating a Basic HTML Form
PHP works hand-in-hand with HTML forms. Here’s an example of a simple form for collecting user data:
<form method=”POST” action=”process.php”>
<label for=”name”>Full Name:</label>
<input type=”text” name=”name” id=”name” required>
<label for=”email”>Email:</label>
<input type=”email” name=”email” id=”email” required>
<label for=”message”>Message:</label>
<textarea name=”message” id=”message” required></textarea>
<button type=”submit”>Submit</button>
</form>
Key Points:
2. Capturing Form Data in PHP
Once the form is submitted, PHP captures the data using $_POST or $_GET superglobals:
<?php
$name = $_POST[‘name’];
$email = $_POST[’email’];
$message = $_POST[‘message’];
echo “Name: $name <br>”;
echo “Email: $email <br>”;
echo “Message: $message <br>”;
?>
Tip: Always use POST for sensitive data to avoid exposing it in the URL.
3. Validating User Input
Validation ensures the data meets expected formats before processing. Common validations include email format, string length, numeric values, etc.
<?php
if(isset($_POST[’email’])) {
$email = $_POST[’email’];
if(filter_var($email, FILTER_VALIDATE_EMAIL)) {
echo “Valid email address.”;
} else {
echo “Invalid email address.”;
}
}
?>
Best Practices Table:
| Validation Type | PHP Function / Technique |
| filter_var($email, FILTER_VALIDATE_EMAIL) | |
| Integer | filter_var($num, FILTER_VALIDATE_INT) |
| String Sanitization | filter_var($string, FILTER_SANITIZE_STRING) |
| Remove Whitespace | trim($input) |
4. Sanitizing User Input
Sanitization removes unwanted characters to prevent security vulnerabilities:
<?php
$name = htmlspecialchars($_POST[‘name’]); // Converts special chars to HTML entities
$message = strip_tags($_POST[‘message’]); // Removes HTML tags
?>
Security Tip: Always combine validation with sanitization for maximum protection.
5. Protecting Against Common Attacks
- SQL Injection: Use prepared statements with PDO or MySQLi:
<?php
$stmt = $conn->prepare(“INSERT INTO users (name, email) VALUES (?, ?)”);
$stmt->bind_param(“ss”, $name, $email);
$stmt->execute();
?>
- Cross-Site Scripting (XSS): Escape output using htmlspecialchars() when displaying user input.
- CSRF Protection: Generate a CSRF token and verify it on form submission:
<?php
session_start();
$token = bin2hex(random_bytes(32));
$_SESSION[‘csrf_token’] = $token;
?>
<input type=”hidden” name=”csrf_token” value=”<?php echo $token; ?>”>
6. Hierarchical Diagram: Secure Form Handling
7. CuriosityTech.in Perspective
At CuriosityTech.in, students learn to combine core PHP knowledge from Day 6 with secure form handling to create real-world applications. From login pages to feedback forms, every application is built following best practices. The platform ensures you don’t just learn code but also write secure, professional-grade PHP applications suitable for production environments.
Conclusion
Proper handling of forms and user input is a critical skill for PHP Full Stack Developers. By validating, sanitizing, and securing input, developers can prevent vulnerabilities and build robust applications. Learning this today sets a strong foundation for database integration (Day 8) and CRUD operations (Day 9).
