In PHP, accessing user input is commonly done through superglobal arrays that store data from form submissions, URL parameters, cookies, or session variables. Below is an overview of the methods to access different types of user input in PHP.
1. Accessing Form Data with $_POST
When an HTML form is submitted using the POST method, the data is stored in the $_POST superglobal array. This method is generally used for sensitive or private information, as it keeps data out of the URL. POST alone does not encrypt the data; that requires HTTPS.
Example:
<form action="submit.php" method="POST">
    <input type="text" name="username" placeholder="Enter your username">
    <input type="password" name="password" placeholder="Enter your password">
    <input type="submit" value="Submit">
</form>
In submit.php:
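if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Default to '' so a missing field does not raise a warning.
    $username = $_POST['username'] ?? '';
    $password = $_POST['password'] ?? '';
    // Escape before output so submitted markup is not rendered (XSS).
    echo 'Username: ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8') . '<br>';
    // Shown only to illustrate $_POST; real code never echoes a password.
    echo 'Password: ' . htmlspecialchars($password, ENT_QUOTES, 'UTF-8');
}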
2. Accessing URL Parameters with $_GET
If data is sent via the URL (using the GET method), it can be accessed using the $_GET superglobal array. Data sent this way is visible in the browser’s address bar, so it is commonly used for non-sensitive data.
Example URL: http://example.com/search.php?query=php&sort=asc
In search.php:
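// Default to '' so a missing parameter does not raise a warning.
$query = $_GET['query'] ?? '';
$sort = $_GET['sort'] ?? '';
// Escape before output: URL parameters are attacker-controlled.
echo 'Search Query: ' . htmlspecialchars($query, ENT_QUOTES, 'UTF-8') . '<br>';
echo 'Sort Order: ' . htmlspecialchars($sort, ENT_QUOTES, 'UTF-8');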
3. Using $_REQUEST to Access Both GET and POST Data
The $_REQUEST array can contain data from both $_GET and $_POST, as well as $_COOKIE. It’s a catch-all, but it’s generally better practice to use $_GET or $_POST directly to make the data source explicit.
$query = $_REQUEST['query']; // Works if 'query' is in either GET or POST
4. Accessing File Uploads with $_FILES
When a file is uploaded via an HTML form, PHP stores details about the file in the $_FILES array. This includes the file name, type, size, temporary location, and any upload errors.
Example:
<form action="upload.php" method="POST" enctype="multipart/form-data">
    <input type="file" name="uploaded_file">
    <input type="submit" value="Upload">
</form>
In upload.php:
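if (isset($_FILES['uploaded_file']) && $_FILES['uploaded_file']['error'] === UPLOAD_ERR_OK) {
    // basename() drops any directory part from the client-supplied name,
    // so a name like "../../index.php" cannot escape uploads/.
    $file_name = basename($_FILES['uploaded_file']['name']);
    $temp_location = $_FILES['uploaded_file']['tmp_name'];
    // The name and type are still client-controlled: restrict allowed extensions.
    // move_uploaded_file() returns false on failure, so check it.
    if (move_uploaded_file($temp_location, "uploads/$file_name")) {
        echo 'File uploaded successfully.';
    }
}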
5. Accessing Cookies with $_COOKIE
Cookies are small pieces of data stored on the client side. You can access cookie values using the $_COOKIE array once they have been set.
Setting a Cookie:
setcookie('user', 'John Doe', time() + 3600); // Sets a cookie that lasts for 1 hour
Accessing a Cookie:
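if (isset($_COOKIE['user'])) {
    // Cookies are sent by the client, so escape the value before output.
    echo 'User: ' . htmlspecialchars($_COOKIE['user'], ENT_QUOTES, 'UTF-8');
}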
6. Accessing Session Data with $_SESSION
Session data is stored on the server and can persist user information across different pages. You need to start the session at the beginning of each script that uses session data.
Starting a Session and Setting Session Variables:
session_start();
$_SESSION['username'] = 'JohnDoe';
Accessing Session Variables:
session_start();
if (isset($_SESSION['username'])) {
    echo 'Welcome, ' . htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8');
}
7. Validating and Sanitizing User Input
Always validate and sanitize user input to prevent security risks like SQL injection or XSS. Here are some common functions:
- htmlspecialchars(): Escapes HTML characters to prevent XSS attacks.
- filter_var(): Validates and sanitizes different types of data.
Example:
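// Escape when the value is written into HTML.
$username = htmlspecialchars($_POST['username'] ?? '', ENT_QUOTES, 'UTF-8');
// filter_var() returns the address, or false if it is not a valid email.
$email = filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL);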
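The following added example (not part of the original page) puts the three defenses together: allow-list validation with filter_var(), a bound-parameter query against SQL injection, and htmlspecialchars() at output time against XSS. The $samples array, the e() and validate_signup() helpers and the users table are assumptions made for illustration, and the script assumes the pdo_sqlite extension is enabled.

```php
<?php
// Constructed sample submissions standing in for $_POST (not real data).
$samples = [
    ['username' => 'obrien_1', 'email' => "o'brien@example.com"],
    ['username' => '<script>alert(1)</script>', 'email' => 'not-an-email'],
];

// Escape for an HTML context at output time, covering both quote styles.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Validate against an allow-list; return clean values plus the failing fields.
function validate_signup(array $in): array
{
    $username = filter_var($in['username'] ?? '', FILTER_VALIDATE_REGEXP,
        ['options' => ['regexp' => '/^[A-Za-z0-9_]{3,20}$/']]);
    $email = filter_var($in['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $errors = array_keys(array_filter(
        ['username' => $username === false, 'email' => $email === false]));
    return [$username, $email, $errors];
}

// In-memory SQLite keeps the example offline (assumes pdo_sqlite is enabled).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)');
$insert = $db->prepare('INSERT INTO users (username, email) VALUES (?, ?)');

foreach ($samples as $in) {
    [$username, $email, $errors] = validate_signup($in);
    if ($errors) {
        // Rejected input is still escaped before it is echoed back.
        echo 'Rejected ' . e($in['username']) . ' (bad: '
            . e(implode(', ', $errors)) . ")<br>\n";
        continue;
    }
    // The valid address contains a quote; binding keeps it data, not SQL.
    $insert->execute([$username, $email]);
    echo 'Stored ' . e($username) . ' / ' . e($email) . "<br>\n";
}
```

The first sample passes validation even though its email contains a single quote, which is why the query uses bound parameters instead of string concatenation.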
Summary
PHP provides multiple superglobal arrays to access different types of user input:
- $_POST for form data sent via POST.
- $_GET for data sent via the URL.
- $_REQUEST for a combination of GET, POST, and COOKIE data.
- $_FILES for file uploads.
- $_COOKIE for accessing cookies.
- $_SESSION for accessing session variables.
Using these arrays properly, along with validation and sanitization, ensures safe handling of user input in PHP.