For many applications of PHP, the ability to interact with users who view the Web page is essential. Veterans of JavaScript tend to think in terms of event handlers, which let you react directly to the actions of the user — for example, the movement of the mouse over a link on the page. Server-side scripting languages such as PHP have a more limited scope when it comes to user interaction. As PHP code is activated when a page is requested from the server, user interaction can occur only in a back-and-forth fashion: the user sends requests to the server, and the server replies with dynamically generated pages.
The key to creating interactivity with PHP is to understand the techniques we can use to send information about a user's interaction along with his or her request for a new Web page. PHP makes this fairly easy, as we'll now see.
The simplest method we can use to send information along with a page request uses the URL query string. If you've ever seen a URL with a question mark following the file name, you've witnessed this technique in use. Let's look at an easy example. Create a regular HTML file called welcome1l (no .php file extension is required, since there will be no PHP code in this file) and insert this link:
<a href=">Hi, I'm Kevin!</a>
This is a link to a file called welcome1.php, but as well as linking to the file, we're also passing a variable along with the page request. The variable is passed as part of the query string, which is the portion of the URL that follows the question mark. The variable is called name and its value is Kevin. To restate, we have created a link that loads welcome1.php, and informs the PHP code contained in the file that name equals Kevin.
To really understand the results of this process, we need to look at welcome1.php. Create it as a new HTML file, but this time note the .php extension — this tells the Web server that it can expect to interpret some PHP code in the file. In the body of this new file, type:
<?php $name = $_GET['name']; echo( "Welcome to our Website, $name!" ); ?>
Now, if you use the link in the first file to load this second file, you'll see that the page says "Welcome to our Website, Kevin!"
PHP automatically creates an array variable called $_GET[1] that contains any values passed in the query string. $_GET is an associative array, so the value of the name variable passed in the query string can be accessed as $_GET['name']. Our script assigns this value to an ordinary PHP variable ($name) and then displays it as part of a text string using the echo function.
In versions of PHP prior to 4.2, the register_globals setting in php.ini was set to On by default. This setting tells PHP to create automatically ordinary variables for all the values supplied in the request. In the previous example, the $name = $_GET['name']; line is completely unnecessary if the register_globals setting were set to On, since PHP would do it automatically. Although the convenience of this feature was one aspect of PHP that helped to make it such a popular language in the first place, novice developers could easily leave security holes in sensitive scripts with it enabled.
For a full discussion of the issues surrounding register_globals, see my article Write Secure Scripts with PHP 4.2! at sitepoint.com.
You can pass more than one value in the query string. Let's look at a slightly more complex version of the same example. Change the link in the HTML file to read as follows (this is welcome2l in the code archive):
<a href="> Hi, I'm Kevin Yank! </a>
This time, we'll pass two variables: firstname and lastname. The variables are separated in the query string by an ampersand (&). You can pass even more variables by separating each name=value pair from the next with an ampersand.
As before, we can use the two variable values in our welcome.php file (this is welcome2.php in the code archive):
<?php $firstname = $_GET['firstname']; $lastname = $_GET['lastname']; echo( "Welcome to my Website, $firstname $lastname!" ); ?>
This is all well and good, but we still have yet to achieve our goal of true user interaction, where the user can actually enter arbitrary information and have it processed by PHP. To continue with our example of a personalized welcome message, we'd like to allow the user to actually type his or her name and have it appear in the message. To allow the user to type in a value, we'll need to use an HTML form.
Here's the code (welcome3l):
<form action="welcome3.php" method="get"> First Name: <input type="text" name="firstname" /><br /> Last Name: <input type="text" name="lastname" /><br /> <input type="submit" value="GO" /> </form>
This form has the exact same effect as the second link we looked at (with firstname=Kevin&lastname=Yank in the query string), except that you can enter whatever names you like. When you click the submit button (which has a label of "GO"), the browser will load welcome3.php and automatically add the variables and their values to the query string for you. It retrieves the names of the variables from the name attributes of the input type="text" tags, and it obtains the values from the information the user typed into the text fields.
The method attribute of the form tag is used to tell the browser how to send the variables and their values along with the request. A value of get (as used above) causes them to be passed in the query string (and appear in PHP's $_GET array), but there is an alternative. It's not always desirable—or even technically feasible—to have the values appear in the query string. What if we included a <textarea> tag in the form, to let the user enter a large amount of text? A URL that contained several paragraphs of text in the query string would be ridiculously long, and would exceed by far the maximum length of the URL in today's browsers. The alternative is for the browser to pass the information invisibly, behind the scenes. The code for this looks exactly the same, but where we set the form method to get in the last example, here we set it to post (welcome4l):
<form action="welcome4.php" method="post"> First Name: <input type="text" name="firstname" /><br /> Last Name: <input type="text" name="lastname" /><br /> <input type="submit" value="GO" /> </form>
As we're no longer sending the variables as part of the query string, they no longer appear in PHP's $_GET array. Instead, they are placed in another array reserved especially for 'posted' form variables: $_POST[2]. We must therefore modify welcome3.php to retrieve the values from this new array (welcome4.php):
<?php $firstname = $_POST['firstname']; $lastname = $_POST['lastname']; echo( "Welcome to my Website, $firstname $lastname!" ); ?>
This form is functionally identical to the previous one. The only difference is that the URL of the page that's loaded when the user clicks the "GO" button will not have a query string. On the one hand, this lets you include large values, or sensitive values (like passwords) in the data that's submitted by the form, without their appearing in the query string. On the other hand, if the user bookmarks the page that results from the form's submission, that bookmark will be useless, as it doesn't contain the submitted values. This, incidentally, is the main reason that search engines like Google use the query string to submit search terms. If you bookmark a search results page on AltaVista, you can use that bookmark to perform the same search again later, because the search terms are contained in the URL.
Sometimes, you want access to a variable without having to worry about whether it was sent as part of the query string or a form post. In cases like these, the special $_REQUEST[3] array comes in handy. It contains all the variables that appear in both $_GET and $_POST. With this variable, we can modify welcome4.php one more time so that it can receive the first and last names of the user from either source (welcome5.php):
<?php $firstname = $_REQUEST['firstname']; $lastname = $_REQUEST['lastname']; echo( "Welcome to my Website, $firstname $lastname!" ); ?>
That covers the basics of using forms to produce rudimentary user interaction with PHP. I'll cover more advanced issues and techniques in later examples.
[1]Prior to PHP 4.1, this variable was called $HTTP_GET_VARS. This variable name remains in current PHP versions for backwards compatibility. If your server has an older version of PHP installed, or if you're writing a script that must be compatible with older versions, you should use $HTTP_GET_VARS instead of $_GET.
[2]Prior to PHP 4.1, 'posted' form variables were available in the $HTTP_POST_VARS array. This array remains available in current versions of PHP for backwards compatibility.
[3]$_REQUEST is not available in versions of PHP prior to PHP 4.1.