The PHP superglobals $_GET and $_POST are used to collect form data submitted by the user. Several predefined variables in PHP are called superglobals. You can access them from any function, class or file without having to do anything special.
The example below displays a simple HTML form with two input fields (name and email) and a submit button.
<form action="welcome.php" method="post">
Name: <input type="text" name="name"><br>
E-mail: <input type="text" name="email"><br>
When the user fills out the form and clicks the submit button, the form data is sent for processing to a PHP file - welcome.php. The form data is sent with the HTTP POST method.
If the form is sent using the POST method , the data is available through the $_POST array. The names of the properties are the keys in that associative array. Data sent with the POST method is not visible on the URL of the page.
Display Form Data
To display the submitted data you can simply echo all the variables. The "welcome.php" file is:
Welcome <?php echo $_POST["name"]; ?><br />
Your email address: <?php echo $_POST["email"]; ?>
You can also store the form data in variables for further processing.
The alternative to POST is to send the form data with the GET method and to retrieve it using the $_GET array. The variables are then displayed in the address bar.
Because the data is contained in the address bar, variables cannot only be passed through HTML forms but also through HTML links. The $_GET array can then be used to change the state of the page accordingly. This provides one way of passing variables from one page to another.
If it does not matter whether the POST or GET method was used to send the data, the $_REQUEST array can be used. This array typically contains the $_GET and $_POST arrays, but may also contain the $_COOKIE array.
echo $_REQUEST['myString']; // "Foo Bar"
Any user-provided data can be manipulated; therefore, it should be validated and sanitized before being used. Validation means that you make sure that the data is in the form you expect, in terms of data type, range, and content. For example, the following code validates an email address.
echo "Invalid email address";
Sanitizing is when you disable potentially malicious code in the user input. This is done by escaping the code according to the rules of the language where the input is to be used. For example, if the data is sent to a database, it needs to be sanitized with the mysql_real_escape_string function to disable any embedded SQL code.
// Sanitize for database use
$name = mysql_real_escape_string($_POST['name']);
When user-supplied data is output to the web page as text, the htmlspecialchars function should be used. It disables any HTML markup, so that the user input is displayed but not interpreted.
// Sanitize for web page use
Form data can be grouped into arrays by including array square brackets after the variable names in the form. This works for all form input elements, including <input>, <select>, and <textarea>.
<input type="text" name="myArr">
<input type="text" name="myArr">
The elements may also be assigned their own array keys.
<input type="text" name="myArr[name]">
Once submitted, the array is available for use in the script.
$val1 = $_POST['myArr'];
$val2 = $_POST['myArr'];
$name = $_POST['myArr']['name'];
The form <select> element has an attribute for allowing multiple items to be selected from the list.
<select name="myArr" size="3" multiple="true">
When this multi-select element is included in a form, the array brackets become necessary for retrieving the selected values in the script.
foreach ($_POST['myArr'] as $item)
echo $item . ' '; // ex "apple orange pear"