These pages will show how to process PHP forms with security in mind.
Proper validation of form data is important to protect your form from hackers and spammers! And when the page loads, the Java Script code will be executed (the user will see an alert box).
If the REQUEST_METHOD is POST, then the form has been submitted - and it should be validated.
If it has not been submitted, skip the validation and display a blank form.
This article covers how to validate form data within your form's Web content.
A hacker can redirect the user to a file on another server, and that file can hold malicious code that can alter the global variables or submit the form to another address to save the user data, for example.
The first thing we will do is to pass all variables through PHP's htmlspecialchars() function.
This is just a simple and harmless example how the PHP_SELF variable can be exploited.
When we use the htmlspecialchars() function; then if a user tries to submit the following in a text field: - this would not be executed, because it would be saved as HTML escaped code, like this: <script>location.href(' The code is now safe to be displayed on a page or inside an e-mail.
We will also do two more things when the user submits the form: The next step is to create a function that will do all the checking for us (which is much more convenient than writing the same code over and over again). Now, we can check each $_POST variable with the test_input() function, and the script looks like this: Notice that at the start of the script, we check whether the form has been submitted using $_SERVER["REQUEST_METHOD"].