Processing http requests php. Processing requests using PHP. Defining HTTP request parameters via HTML form
Browser clients can send information to the web server.
Before the browser sends information, it encodes it using a scheme called URL encoding. In this scheme, name/value pairs are concatenated with equal signs, and different pairs are separated by an ampersand.
Name1=value1&name2=value2&name3=value3
Spaces are removed and replaced with a + character, and any other non-alphanumeric characters are replaced with hexadecimal values. Once the information is encoded, it is sent to the server.
GET method
The GET method sends encoded user information appended to the page request. Are the pages and encoded information separated from each other? question mark.
http://www.test.com/index.htm?name1=value1&name2=value2
- The GET method produces a long string that appears in your server logs in the browser's "Location" field.
- The GET method is limited to sending up to 1024 characters only.
- Never use the GET method if you have a password or other sensitive information to send to the server.
- GET cannot be used to transfer binary data, such as images or text documents, to the server.
- Data sent by the GET method can be accessed using the QUERY_STRING environment variable.
- PHP provides the $_GET associative array to access all sent information using the GET method.
if($_GET["name"] || $_GET["age"]) ( echo "Welcome ". $_GET["name"]; echo "You are ". $_GET["age"]. " years old "; exit(); )
POST method
Method POST transmits information via HTTP headers. The information is encoded as described in the case of the method GET, and is placed in the header QUERY_STRING.
- The POST method has no limit on the size of the data that needs to be sent.
- The POST method can be used to send ASCII as well as binary data.
- Data sent using the POST method passes through an HTTP header, so security depends on the HTTP protocol. By using Secure HTTP, you can ensure that your information is protected.
- PHP provides an associative array $_POST to access all information sent using the POST method.
Try the following example by placing the source code in the test.php script.
if($_POST["name"] || $_POST["age"]) ( if (preg_match("[^A-Za-z"-]",$_POST["name"])) ( die (" invalid name and name should be alpha"); ) echo "Welcome ". $_POST["name"]; echo "You are ". $_POST["age"]. " years old."; exit(); )
$_REQUEST variable
PHP variable $_REQUEST contains contents like $_GET, $_POST, so $_COOKIE. We will discuss the variable $_COOKIE when we talk about cookies.
The PHP $_REQUEST variable can be used to retrieve the result from form data submitted using the GET and POST methods.
For POST method
The form content is encoded in exactly the same way as for the GET method (see above), but instead of adding a string to the URL, the request content is sent as a data block as part of the POST operation. If the ACTION attribute is present, then the URL value found there determines where to send this block of data. This method, as already noted, is recommended for transferring large data blocks.
Information entered by the user and sent to the server using the POST method is served on standard input to the program specified by the action attribute, or to the current script if this attribute is omitted. The length of the sent file is passed in the environment variable CONTENT_LENGTH, and the data type is passed in the CONTENT_TYPE variable.
You can only send data using the POST method using an HTML form, since the data is sent in the body of the request, and not in the header, as in GET. Accordingly, you can change the value of the parameters only by changing the value entered in the form. When using POST, the user does not see the data sent to the server.
The main advantage of POST requests is their greater security and functionality compared to GET requests. Therefore, the POST method is more often used to transmit important information, as well as large-scale information. However, you should not rely entirely on the security of this mechanism, since the POST request data can also be faked, for example, by creating an HTML file on your machine and filling it with the necessary data. Additionally, not all clients can use the POST method, which limits its use cases.
When sending data to the server by any method, not only the data entered by the user is transmitted, but also a number of variables, called environment variables, characterizing the client, its operation history, file paths, etc. Here are some of the environment variables:
- REMOTE_ADDR – IP address of the host (computer) sending the request;
- REMOTE_HOST – host name from which the request was sent;
- HTTP_REFERER – address of the page linking to the current script;
- REQUEST_METHOD – the method that was used when sending the request;
- QUERY_STRING – information located in the URL after the question mark;
- SCRIPT_NAME – virtual path to the program that should be executed;
- HTTP_USER_AGENT – information about the browser that the client uses
So far, we have only mentioned that client requests are processed on the server using a special program. In fact, we can write this program ourselves, including in PHP, and it will do whatever we want with the received data. In order to write this program, you need to become familiar with some of the rules and tools that PHP offers for this purpose.
Within a PHP script, there are several ways to access data sent by a client via HTTP. Before PHP 4.1.0, access to such data was carried out by the names of the transferred variables (remember that data is transferred in the form of pairs “variable name, “=” symbol, variable value”). Thus, if, for example, first_name=Nina was passed, then the $first_name variable with the value Nina appeared inside the script. If it was necessary to distinguish by what method the data was transferred, then the associative arrays $HTTP_POST_VARS and $HTTP_GET_VARS were used, the keys of which were the names of the transferred variables, and the values were, respectively, the values of these variables. Thus, if the pair first_name=Nina is passed by the GET method, then $HTTP_GET_VARS["first_name"]="Nina".
It is not safe to use the names of passed variables directly in a program. Therefore, it was decided, starting with PHP 4.1.0, to use a special array – $_REQUEST – to access variables transmitted via HTTP requests. This array contains data transferred using the POST and GET methods, as well as using HTTP cookies. This is a superglobal associative array, i.e. its values can be obtained anywhere in the program using the name of the corresponding variable (form element) as a key.
Example 4.2. Let's say we created a form to register participants for a programming correspondence school, as in the example above. Then in the 1.php file that processes this form, you can write the following:
";$str .="You have chosen to study a course on ".$_REQUEST["kurs"];echo $str;?>
Then, if we entered the name “Vasya”, the surname “Petrov” into the form and selected the PHP course among all courses, we will receive the following message on the browser screen:
After the introduction of the $_REQUEST array, the $HTTP_POST_VARS and $HTTP_GET_VARS arrays were renamed $_POST and $_GET, respectively, for consistency, but they themselves did not disappear from use for reasons of compatibility with previous versions of PHP. Unlike their predecessors, the $_POST and $_GET arrays have become super-global, i.e. accessible directly and inside functions and methods.
Let's give an example of using these arrays. Let's say we need to process a form containing input elements named first_name, last_name, kurs (for example, the form.html above). The data was transferred using the POST method, and we do not want to process data transferred by other methods. This can be done as follows:
";$str .= "You have chosen to study a course on ". $_POST["kurs"];echo $str;?>
Then on the browser screen, if we entered the name “Vasya”, the last name “Petrov” and selected the PHP course among all courses, we will see a message, as in the previous example:
Hello, Vasya Petrov! You have chosen to study a PHP course
In order to maintain the ability to process scripts earlier than PHP 4.1.0, the register_globals directive was introduced, allowing or denying access to variables directly by their names. If the register_globals=On parameter is in the PHP settings file, then variables passed to the server using the GET and POST methods can be accessed simply by their names (i.e. you can write $first_name). If register_globals=Off, then you need to write $_REQUEST["first_name"] or $_POST["first_name"], $_GET["first_name"], $HTTP_POST_VARS["first_name"], $HTTP_GET_VARS["first_name"]. From a security point of view, it is better to disable this directive (i.e. register_globals=Off). With the register_globals directive enabled, the arrays listed above will also contain the data passed by the client.
Sometimes you need to know the value of an environment variable, such as the method used to send the request or the IP address of the computer that sent the request. You can get this information using the getenv() function. It returns the value of the environment variable whose name is passed to it as a parameter.
As we have already said, if the GET method is used, then the data is transferred by adding a query string in the form of variable_name=value pairs to the resource URL. Anything after the question mark in the URL can be retrieved using the command
Getenv("QUERY_STRING");
Thanks to this, it is possible to transfer data in some other form using the GET method. For example, you can specify only the values of several parameters using a plus sign, and in the script you can parse the query string into parts, or you can pass the value of just one parameter. In this case, an empty element with a key equal to this value (the entire query string) will appear in the $_GET array, and the “+” character encountered in the query string will be replaced with an underscore “_”.
With the POST method, data is transmitted only using forms, and the user (client) does not see what data is sent to the server. To see them, the hacker must replace our form with his own. Then the server will send the results of processing the incorrect form to the wrong place. To avoid this, you can check the address of the page from which the data was sent. This can be done again using the getenv() function:
Getenv("HTTP_REFERER");
Now is the time to solve the problem formulated at the beginning of the lecture.
(Denver distribution) and you have learned how to write simple programs in PHP, then it’s time to learn how the browser (client) can make requests to the server and receive appropriate responses. Using the example of creating a simple HTML form, we will study the basic principles of such interaction.
If you are already well versed in the Denver directories, you can create any PHP file in a directory convenient for you and start writing code. For those who are not yet confident in their abilities, I advise you to do the following: on the virtual disk with Denver (usually Z) in the home folder, create a lessons folder. Next, in this folder, create another folder - www. This is your working project folder, which will be accessible from your browser's address bar. Reboot Denver so that the created host is registered in the system. Finally, in the www folder, create an index.php file. This will be the main file with your code.
As you can see, this is regular HTML markup, but we named the file index.php, which means that now we can insert any instructions in PHP into the document.
If you now go to http://lessons/ in your browser, you will see the following result:
Fill in the fields (for example: name – Vasya, year of birth – 1990) and click on the “send” button. What do you see? Nothing! Again the same form, only empty. However, do not rush to get upset - take a look at the address bar of your browser. It has changed and now looks something like this:
Http://lessons/index.php?user_name=Vasya&user_year=1990&submit_form=send
This means that the server finally received your data!
Let's figure it out now.
GET method
Firstly, what is an HTML form anyway? This is an interface that allows you to send any data from the client browser to the server. Take a look at your form's attributes: