PHP Form Handling

Form handling is a crucial part of any web application. It allows users to input and submit data to the server, which can then be processed and used to perform various tasks. PHP is a popular server-side programming language that is well-suited for form handling.

We will look at how to handle forms in PHP and some of the best practices to keep in mind.

Creating a Form

The first step in form handling is creating the form itself. A basic HTML form is made up of several elements, including a form tag, input elements, and a submit button.

Here is an example of a simple form that includes a text input field and a submit button:

<form action="submit.php" method="post">
  <label for="name">Name:</label>
  <input type="text" id="name" name="name" required>
  <input type="submit" value="Submit">

In this example, the form’s action attribute is set to submit.php, which tells the browser to submit the form data to the specified file.

The method attribute is set to POST, which tells the browser to send the form data using the HTTP POST method.

The input element has a type attribute set to text, which tells the browser to create a text input field.

The id and name attributes are used to give the input field a unique identifier, which can be used to reference the field in PHP.

The required attribute is added to make sure the input field is filled before submitting the form.

Handling Form Data

Once the form is submitted, the data is sent to the server and can be accessed in the specified file using the $_POST or $_GET superglobal variables.

Here is an example of how to access the data from the previous example in PHP:

  if (isset($_POST['name'])) {
    $name = $_POST['name'];
    echo "Hello, " . $name;

In this example, we first check if the name field is set in the $_POST array. If it is, we store its value in a variable and then use the echo function to output a greeting to the user.

Sanitizing and Validating Form Data

It is essential to sanitize and validate form data before using it to prevent security vulnerabilities such as SQL injection and cross-site scripting (XSS).

Sanitizing data involves removing any unwanted characters or formatting, while validation involves checking if the data meets certain criteria.

Here is an example of how to sanitize and validate a text input field in PHP:

  if (isset($_POST['name'])) {
    $name = trim(strip_tags($_POST['name']));
    if (strlen($name) > 2 && strlen($name) < 50) {
      echo "Hello, " . $name;
    } else {
      echo "Please enter a valid name.";

In this example, we first use the trim function to remove any whitespace from the beginning and end of the input field. We then use the strip_tags function to remove any HTML or PHP tags from the input field.

Next, we use the strlen function to check if the input field is between 2 and 50 characters in length. If it is, we output a greeting to the user. If not, we output an error message asking the user to enter a valid name.

Another useful validation function in PHP is filter_var() which can be used to check if a variable has a specific type or format, such as an email address or URL.

Here’s an example of how to use filter_var() to validate an email address:

  if (isset($_POST['email'])) {
    $email = trim($_POST['email']);
    if (filter_var($email, FILTER_VALIDATE_EMAIL)) {
      echo "Thank you for providing a valid email address: " . $email;
    } else {
      echo "Please enter a valid email address.";

In this example, we use the FILTER_VALIDATE_EMAIL filter to check if the email address is valid.

If it is, we thank the user for providing a valid email address. If not, we ask the user to enter a valid email address.

Form handling in PHP is a crucial aspect of web development and it is essential to understand the basics of how it works.

By following the best practices discussed in this article, you can ensure that your forms are secure and efficient.

GET vs. POST and When to Use Them

GET and POST are two commonly used HTTP methods for sending data to the server in a web application. The main difference between the two is how they handle data and the size of data they can transmit.


  • GET requests are used to retrieve data from the server.
  • The data is sent as part of the URL, in the form of query parameters.
  • GET requests are generally considered to be safe, as they do not modify data on the server.
  • GET requests are cached by the browser, which can improve the performance of the application.
  • Due to the data being sent in the URL, GET requests have a length limitation, typically around 2000 characters.


  • POST requests are used to submit data to the server, typically to create or update a resource.
  • The data is sent in the body of the request, separate from the URL.
  • POST requests are not cached by the browser and are not idempotent, meaning that multiple identical requests can have different effects.
  • POST requests can transmit large amounts of data, and there is typically no limit on the size of data that can be sent.

When to use GET:

  • When you want to retrieve data from the server without modifying it.
  • When the data being sent is small and simple, such as a search query.
  • When you want to allow the user to bookmark the page or share the URL.

When to use POST:

  • When you want to submit data to the server to create or update a resource.
  • When the data being sent is large or complex, such as a file upload.
  • When you want to keep the data private and not allow the user to see it in the URL.

It is important to note that GET requests should never be used for sensitive information, as the data is visible in the URL and can be easily intercepted. Also, GET requests should not be used to make changes to the server.

Related Posts: