12/22/99 "Using Forms With PHP"
Miscellaneous TDavid Ramblings
example #8 (if you came here from the php_scripts page, that is -- otherwise keep reading)
tutorial
This is cool, found this from the inventor of PHP:
http://www.webtechniques.com/archives/1998/02/lerdorf/
Do Search Engines Spider .php3 pages?
I was talking to a friend about PHP this morning and he was wondering whether search engine spiders find .php3 pages. He raised a great point, because if you were going to make a PHP powered site (which this one will be someday) you wouldn't want to miss out on that great search engine traffic. So I fired up the browser and checked Excite using the keyword php, and voila! About the third page of results in, I saw a php3 page indexed.
Forms: Introduction - Getting Surfer Input
Ok, it is time to get some surfer input and start doing some really killer things with PHP. I'd like to find out what you think of each of my diary pages, and without having you email and tell me there is really no way for me to measure how useful these diary entries are for you. Therefore I am going to set up a fairly simple grading system with the following criteria:
5 - Excellent, Extremely Useful
4 - Very good, Useful
3 - Good, I learned something new
2 - Ok, but not really that useful
1 - Not useful at all, sorry
First I'll set up a form with a dropdown box and a submit button which simply emails me the rating number. This doesn't use PHP; it just shows you the syntax for making a simple email form. Here is the HTML code to do this:
<form method="POST" ENCTYPE="text/plain" action="mailto:youremail@yourdomain.com">
<p><select name="rating" size="1">
<option value="5">5 - Excellent, Extremely Useful</option>
<option value="4">4 - Very good, Useful</option>
<option value="3">3 - Good, I learned something new</option>
<option value="2">2 - Ok, but not really that useful</option>
<option value="1">1 - Not useful at all, sorry</option>
</select>
<input type="submit" value="Rate this page">
</p>
</form>
Here is what the code looks like on a webpage (the live demo form appeared here on the original page):
The demo above doesn't actually send email to me since the action="mailto:" does not point to my valid email address (sorry, I didn't really want to get a bunch of emails with numbers in them, lol). Now let's modify the code above and send the information to PHP instead. The only thing we need to change above is the first line of HTML, so that it points to the php3 script:
<form method="POST" action="example8.php3">
We could send the script one additional piece of information indicating which page the rating came from using the input hidden tag, but since that would mean adding a hidden tag to every page, there is a better way: the HTTP_REFERER environment variable. Don't know what a hidden tag is? Don't worry, we'll get into that later when we need to use one, but for now let's concentrate on what the example8.php3 code will look like:
<?
print("Thanks for rating my page: $HTTP_REFERER with a rating of: $rating");
?>
Environment variables contain useful (well, in some cases) information about the surfer that can be used in scripts. I will explain any new environment variable as I use it in PHP, but the one we're using above, HTTP_REFERER, tells us what page a surfer came from. Why it's important to know this will become very apparent to you shortly. Keep in mind that spelling does matter in variable names (thus REFERRER is not the same as REFERER), and yes, I have made this mistake in Perl many many many times.
Now while example #8 is cool for demonstrating how PHP passes information from a form (that's right, Perl people, no form parsing subroutine is necessary! yay!!), I still need to figure out how to use the information the surfer took the time to submit.
Files - the choices ... flatfiles, mySQL ...
PHP has a lot of data file choices. If you are going to be recording a limited amount of information a flat file system will probably be more useful than using a mySQL database. We will get into mySQL databases later, since I will want and need to do more sophisticated database work, but for this project we are going to use a flat file system for logging the rating information for each diary page since I am only going to have 1 field: rating. The total number of votes will be determined by the size of the file with each line inside the file being 1 vote. The following could be an example of what the file might look like:
2
4
5
1
3
In the case above there would be 5 votes and a total rating score of 15. I don't even need a calculator to do the division here. The average rating would be 3 (15 divided by 5 equals 3). Organizing how you are going to structure your data into files is a very important step before sitting down to write the actual code in any programming language.
Filenames and Security
You will want to be cautious about allowing surfers to choose filenames. I am going to get around this potential security hole by using the HTTP_REFERER to determine the right file to add the rating to. Let's say I have 100 different diary entries; then I will have 100 different diary files to add ratings to. Yes, I could have passed a hidden tag with the filename, but that would have opened a security hole because anybody could make a form and submit to my script with a hidden tag and write to files on my server (unless I did some type of checking to block script calls from outside my domain). At any rate, not a good idea. By using the HTTP_REFERER and a little bit of security checking I can ensure that only the files I want are created and written to. As a programmer you always have to assume that your scripts might be used maliciously to hack the server. Closing security holes during file operations is a big one. Books have been written on this topic alone, so I won't spend any more time on it right now; just remember that, in the interest of security, you should generally find some other way to choose filenames besides asking the person submitting the form to pick them. Ok, I'll step down from the podium and move on to the preliminary code for the rate.php3 script. First we need to figure out the filename and make sure the script is being called from the www.php-scripts.com domain:
<?
// Only accept votes when the referring page is on this domain.
$security_domain = "www.php-scripts.com";
// Split the referring URL on "/": piece 0 is "http:", piece 1 is the empty
// string between the two slashes, piece 2 is the host name, and the last
// piece is the page filename.
$url = explode("/", $HTTP_REFERER);
// Anchored with ^ and $ and with the dots escaped, so the host must match
// exactly rather than merely contain the domain somewhere in the string.
if(ereg("^" . quotemeta($security_domain) . "$", $url[2]))
{
    print("<br>Came from domain: $security_domain");
    // Separate the extension (.php3) from the page name.
    $filesplit = explode(".", $url[4]);
    $filename = $filesplit[0];
    // Diary pages are named with a six-digit date and nothing else.
    if(ereg("^[0-9]{6}$", $filename))
    {
        $filename .= ".dat";
        print("<p>Filename chosen for diary page is $filename");
        print("<p>Thanks for rating my page: $HTTP_REFERER with a rating of: $rating");
    }
    else
    {
        print("<p><strong>Sorry this is not a valid diary page</strong>");
    }
}
else
{
    print("<p><strong>Sorry, you cannot run this script from this location</strong>");
}
?>
The code above introduces two new functions, explode and ereg. I'll explain it in logical order so you can follow what is happening.
First we set a variable, $security_domain, to determine which domain is allowed to run the script. We then use the explode function to split the HTTP_REFERER into an array on the forward slash /. This creates 5 different pieces of the URL the surfer is coming from. From those pieces we are interested in the third piece (remember that arrays start numbering at zero). Thus http: is piece #0, the empty string between the two forward slashes is piece #1, and www.php-scripts.com is piece #2 (the third piece). Using the ereg function coupled with an if statement, the script call must be from exactly www.php-scripts.com or else the "Sorry, you cannot run this script from this location" message will be displayed. This presents an interesting situation, because if someone entered the site as php-scripts.com without the www they would be able to surf the site fine, but be blocked by the rate.php3 script when they tried to vote. We can set a second $security_domain2 without the "www." and match either one using the logical OR; I will add that into the next round of code. That way the rating will be allowed either with the www or without.
Next we need to analyze the fifth piece, which is the actual PHP or HTML page the surfer is coming from. We use the explode function again to separate the extension (.php3) from the date/filename, presumably. But we can never presume anything, so let's make sure the filename is exactly 6 digits from 0-9, which is what every diary entry filename I create will consist of. We do this with the ereg function and another if statement. If it isn't exactly 6 digits then the message "Sorry this is not a valid diary page" will be displayed. Now the only thing I have to remember to do is name all my diary pages as 6 digit dates and the script will accept my input.
The next (and last) bit of the preliminary code prepares the filename by appending the extension .dat onto it. In the next round of code I can use this "safe" filename for creating, reading or appending the correct flat file that corresponds to the diary page.
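The two pieces the diary describes, the flat file with one vote per line and the filename derived from the HTTP_REFERER, put together in a current PHP as an added example; this is not the diary's own rate.php3. The function names, the ratings directory and the YYMMDD.php3 page naming are assumptions, and because the Referer header is sent by the browser and may be missing or forged, the anchored pattern, not the Referer, is what keeps the script from touching any file it shouldn't.

```php
<?php
// Added example, not code from the original entry: the vote handling the
// entry sketches (file picked from the Referer, one vote per line) with the
// checks anchored. Assumed: diary pages are named YYMMDD.php3 and vote files
// sit in a directory the web server does not serve. The Referer is browser-
// supplied and may be absent or forged, so it only picks the file; the strict
// pattern is what stops the script touching anything but a six-digit .dat.

// Vote file name derived from the Referer, or null if anything is off.
function vote_file_from_referer(?string $referer, string $domain): ?string {
    $p = $referer === null ? false : parse_url($referer);
    if ($p === false || !isset($p['host'], $p['path'])) return null;
    // Exact host comparison (with or without "www."), not a substring match.
    $host = strtolower($p['host']);
    if ($host !== $domain && $host !== "www." . $domain) return null;
    // Page name: exactly six digits plus .php3; ^ and $ keep "x123456y" out.
    if (!preg_match('~^([0-9]{6})\.php3$~', basename($p['path']), $m)) return null;
    return $m[1] . ".dat";
}

// The submitted rating must be an integer from 1 to 5, nothing else.
function valid_rating($raw): ?int {
    $v = filter_var($raw, FILTER_VALIDATE_INT,
                    ['options' => ['min_range' => 1, 'max_range' => 5]]);
    return $v === false ? null : $v;
}

// Append one vote as one line, under a lock so parallel votes cannot interleave.
function record_vote(string $path, int $rating): void {
    file_put_contents($path, $rating . "\n", FILE_APPEND | LOCK_EX);
}

// Vote count and average from the flat file, as the entry describes.
function rating_summary(string $path): array {
    $lines = is_file($path) ? file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) : [];
    $votes = count($lines);
    $avg = $votes ? array_sum(array_map('intval', $lines)) / $votes : 0.0;
    return ['votes' => $votes, 'average' => $avg];
}

$dataDir = __DIR__ . '/ratings';   // assumption: writable, outside the web root
$file = vote_file_from_referer($_SERVER['HTTP_REFERER'] ?? null, 'php-scripts.com');
$rating = valid_rating($_POST['rating'] ?? null);
if ($file === null || $rating === null) {
    http_response_code(400);
    exit("Sorry, this is not a valid diary page or rating.");
}
record_vote("$dataDir/$file", $rating);
$s = rating_summary("$dataDir/$file");
printf("Thanks for rating this page: %d votes so far, average %.2f", $s['votes'], $s['average']);
```

With the five sample votes from the flat file shown earlier (2, 4, 5, 1, 3) rating_summary returns 5 votes and an average of 3.00, matching the arithmetic in the text.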
Copyright 2000 php-scripts.com Last Modified 01/6/00 05:43