PHP $_POST Predefined Variable

The $_POST predefined variable contains an associative array of variables passed to the current page via the HTTP POST method. When using the $_POST superglobal variable, the HTML <form> tag must have the attribute method="post".

Syntax

$variable = $_POST['request html control by name'];

Create a new HTML page and name it form.html, and then copy this:

<form method="post" action="post.php">

Name: <input type="text" name="firstname" />
Age: <input type="number" min="13" name="age"/>
<input type="submit"/>

</form>

Now create a PHP page named post.php. Make sure you save it in the same directory as the form.html page. Copy this:

<?php

// Read the two fields by the name attribute each input carries in form.html.
$firstname = $_POST['firstname'];
$age = $_POST['age'];

// Echo the values straight back; the "Safety First!" section below explains
// why this unencoded output is a problem and how to fix it.
echo "Welcome $firstname you are $age years old!";

?>

Now go back to the HTML page, enter your name and age and click submit; the browser posts the form to post.php and you should see the welcome message it echoes.

Code Explained

  • First we built the HTML form, which posts its fields to post.php
  • Then, in the PHP page, we declared the variable $firstname
  • Each variable reads one form field from $_POST; the array key is the value of that input's name attribute
  • In the last line we echo out the values

Safety First!

Nothing is ever safe, especially when it comes to computers. You can easily be hacked if you do or type the wrong thing. The issue with the above code is that users can enter whatever they want and it is echoed back unchanged, meaning you are vulnerable to XSS attacks (Cross-Site Scripting). XSS is dangerous, but luckily PHP provides two built-in functions that help avoid these attacks. You can try an XSS attack at http://testasp.vulnweb.com/search.asp by simply typing this into the search box:

<form method="post">

Name: <input name="firstname" type="text" /><br />
Age: <input min="13" name="age" type="number" />

<input class="tryit" type="submit" />

</form>

When you submit this, a form will render on the page just like the one above. This is dangerous, as attackers can dress such an injected form up as a login box and send whatever users type into it somewhere else. The two built-in functions PHP provides are strip_tags, which removes tags from the submitted value, and htmlentities, which converts the characters that make up tags into their HTML entities (for example, < becomes &lt;), so the browser displays them as text instead of interpreting them.

Example

<?php

$firstname = $_POST['firstname'];
$surname = $_POST['surname'];

// Remove every tag except <b>; note that attributes on an allowed tag are
// left in place, so an allowlist is no substitute for encoding on output.
$firstname = strip_tags($firstname, '<b>');
// Encode the characters that form tags so the browser shows them literally.
$surname = htmlentities($surname);

?>

Here, the $firstname variable is first set to the submitted form data, and then at the bottom we strip the tags from it. The strip_tags function accepts two arguments: the first is the string to strip and the second is the list of tags that are allowed (in this case, bold tags). You do not need to include the closing tag in that list. You can see that the surname variable is passed through htmlentities instead, which does not remove the tags but converts them to entities. One of the two steps is required, because echoing submitted data without validating or encoding it is a security issue.

To see the difference, submit a first name containing HTML tags and notice that they are stripped out; then submit a surname containing the same tags and notice that they are not stripped but displayed as literal text. Finally, put the <b> tag around your first name and see that this one tag is allowed through and renders as bold.
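The following is an added example, not code from the original tutorial: a version of post.php for the form.html fields above that validates the age and encodes the name on output, so the injected form from this section is displayed as text rather than rendered. The function names are my own, and a constructed sample array stands in for $_POST so the script can be run from the command line.

```php
<?php
// Added example: a safer post.php for form.html. Helper names are my own
// choice; $sample is a constructed submission that replaces $_POST so the
// script runs offline with: php post_safe.php
declare(strict_types=1);

// Validate the age instead of echoing it: it must be an integer from 13 to 120,
// matching the min="13" on the form but enforced on the server side.
function validateAge(string $raw): ?int
{
    $age = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 13, 'max_range' => 120],
    ]);
    return $age === false ? null : $age;
}

// Encode a free-text value for output inside HTML. ENT_QUOTES also encodes
// single quotes, which matters when the value is placed inside an attribute.
function encodeForHtml(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build the greeting. Missing keys fall back to '' instead of raising a
// notice, and both fields are checked before anything is output.
function render(array $post): string
{
    $firstname = trim($post['firstname'] ?? '');
    $age = validateAge($post['age'] ?? '');
    if ($firstname === '' || $age === null) {
        return '<p>Please enter a name and an age between 13 and 120.</p>';
    }
    return '<p>Welcome ' . encodeForHtml($firstname)
         . ', you are ' . $age . ' years old!</p>';
}

// Constructed sample submission containing the injected form from the
// section above; the encoded output shows its tags as plain text.
$sample = [
    'firstname' => '<form method="post">Name: <input name="firstname" /></form>Alice',
    'age'       => '25',
];
echo render($sample), PHP_EOL;

// A second constructed submission with a non-numeric age is rejected.
echo render(['firstname' => 'Bob', 'age' => 'twenty']), PHP_EOL;
```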

Value Attribute

Some form elements such as the radio button and checkbox need the value attribute specified. Create a new PHP page and name it checkboxes; instead of creating two pages this time we are going to do it on one page. Copy the PHP code below:

<?php

// The submit button is named "submit", so this key exists only after the
// form has been posted.
if (isset($_POST['submit'])) {

    // All radio buttons share the name "colours", so only one key is read;
    // fall back to '' if no button was selected, to avoid an undefined-index notice.
    $colours = $_POST['colours'] ?? '';
    // Encode on output, as shown in the "Safety First!" section.
    echo "Your favourite colour is " . htmlspecialchars($colours);
}

?>

Code Explained

  • As before, we read the HTML controls from $_POST; since the radio buttons share the group name 'colours', we only need to read that one key
  • Then we echo out the result
  • The if (isset(...)) check tells us whether the form has been submitted or not: the submit button's name only appears in $_POST after a submission

Now the HTML code:

<form method="post">

    <p>Choose a favourite colour.</p>

    Blue:     <input type="radio" name="colours" value="blue"/>
    <br/>
    Black:    <input type="radio" name="colours" value="black"/>
    <br/>
    Pink:     <input type="radio" name="colours" value="pink"/>
    <br/>
    No Value: <input type="radio" name="colours"/>
    <br/>

    <input type="submit" name="submit"/>

</form>

As before we have method="post", and the rest is just HTML. A radio button with no value attribute is included so you can see how it will show no result if that one is selected. The submit button needs a name, because the if (isset(...)) check refers to it to find out whether the form has been submitted or not. You can try this out at PHP - Radio Button Example.

Summary

  • Syntax is $variable = $_POST['HTML element name'];
  • Checkboxes and radio buttons need to have a value attribute
  • With method="post" the data is not shown in the URL, so it stays out of the address bar, bookmarks and browser history; it still travels in the request body and needs HTTPS to be protected in transit