Passing Data From Forms To PHP

Websites must interact with users to ensure that it has the attention of the user. The interaction could be any level from requesting for a user id and password to personal finance management. In any case, it is then important that the data keyed in by the user is transmitted to the PHP application so that it can be further processed. In this tutorial, we look at how data can be passed from a form to the PHP application.

There are two ways data can be passed from the HTML form - using GET or POST. Using GET method is insecure since the data will be visible in the url itself.
POST is more secure and is used wherever there is confidential data. We will take an example and look at how GET works and then we will move on to POST.
Note that the results in both cases would be the same.

In the example, we will ask the user to type in a user id and password and we will validate the same against the user id and password combination of admin/password. If it matches, we will display 'Successful Login'; otherwise we will display 'User Id/Password Incorrect'.

Save the following as a HTML file:

<html>
   <head>
   <title>Using GET to pass data</title>
   </head>
   <body>
   <form name="loginForm" action = "checkLogin.php" method="GET">
   User ID: <input type="text" name="userId" size="20"> <br />
   Password: <input type="password" name="password" size="20"> <br />
   <input type="submit" name="submit">
   </form>
   </body>
   </html>

Access the html page and you should see two fields to key in user id and password.

Now we need to access this data to verify if the user id and password are correct. We will do that using the following PHP code. Note that this file should be checkLogin.php since that is the name specified in the action property of the form.

<?php
 $userId = $_GET['userId'];
   $password = $_GET['password'];
if ($userId == "admin" && $password == "password"){
 echo ("Successful Login");
     
   } else {
 echo ("User Id/Password Incorrect");
 }
?>

When you key in the user id and password and click on the submit button, the checkLogin.php page will be accessed. If you check the url now, it will be of the form:

checkLogin.php?userId=admin&password=password&submit=Submit+Query

As you can observe, all the values the user keyed in are visible in the url itself. This is why we said that using GET will not guarantee data security.

Try out various combinations of user id and passwords.

Now we will explore the POST option. Both the files are similar except that the form method should be specified as POST. So the HTML will look like the below:

<html>
   <head>
   <title>Using POST to pass data</title>
   </head>
   <body>
   <form name="loginForm" action = "checkLogin.php" method="POST">
   User ID: <input type="text" name="userId" size="20"> <br />
   Password: <input type="password" name="password" size="20"> <br />
   <input type="submit" name="submit">
   </form>
   </body>
   </html>
 

The PHP program also needs to be modified so that it can read the POST data. The new file will be like this:

<?php
$userId = $_POST['userId'];
   $password = $_POST['password'];
if ($userId == "admin" && $password == "password"){
echo ("Successful Login");
     
   } else {
echo ("User Id/Password Incorrect");
}
?>

If you notice in this example, the data keyed in by user will not be visible in the url. That is why most forms use POST as a means to transfer data from the client PC to the server for processing.