The term $_POST is quite familiar territory when one works with forms in PHP. This tutorial talks about what $_POST does, how to use it, and all other things one should know to make the most out of this superglobal in PHP.
In the end, one will go forth with confidence while handling form data with $_POST in applications.
Definition of $_POST in PHP
In PHP, the superglobal variable $_POST collects data sent to the server via the HTTP POST method. In other words, it means that when a user submits a form through your website, the data that the user enters into that form gets captured after submission.
You can then go on to access this data and manipulate it to achieve many ends, such as saving user information into a database or even processing payments. $_POST is particularly useful because it can support a high volume of data, whereas the $_GET method has size limitations.
In the following section, you will learn how you can create an HTML form to make use of the $_POST superglobal, and how PHP deals with that information once it’s submitted.
Setting Up an HTML Form to Use with $_POST
In order to implement the use of $_POST, the first thing you need to do is have an HTML form for which the method attribute is set to POST.
Here is an example:
<form action="process_form.php" method="POST">
<label for="name">Name:</label>
<input id="name" name="name" type="text" />
<label for="email">Email:</label>
<input type="email" id="email" name="email">
<input type="submit" value="Submit">
</form>Here, the form method is POST, meaning whatever the user enters in this form will be securely forwarded to the server when they click “Submit.” Now let’s see how PHP fetches this data and its handling.
Accessing Form Data with PHP $_POST
So in the next step, PHP processes the submitted data via the superglobal $_POST after form submission.
This superglobal works as an associative array where the name attribute of each input field will serve as a key. For example, you can get the user name and email that a user enters through the form above by the following PHP code:
if ($_SERVER["REQUEST_METHOD"] == "POST") {
$name = $_POST['name'];
$email = $_POST['email'];
echo "Name: " . htmlspecialchars($name) . "<br>";
echo "Email: " . htmlspecialchars($email);
}Here we use htmlspecialchars(), which helps in sanitizing the data to avoid XSS attacks. You will see about securing the $_POST data as we move further, but here you can see how easily you pull data directly out of the submission.
Below, we will discuss how to secure the data from $_POST.
The Security of $_POST Data
While the superglobal variable $_POST indeed makes it easy to handle forms, one must ensure that the data is secure, as malicious attacks can be carried out using this variable.
Since $_POST data is directly obtained from the user, it may contain anything—including harmful scripts. Here are some tips to keep your data safe:
- Sanitize Inputs: The
htmlspecialchars()orfilter_var()functions are available to sanitize inputs. - Data Validation: Verify information to ensure that it is as expected before the use of that information. Example: one may want to verify an email address is valid.
- Database Usage with Prepared Statements: Use prepared statements if you are going to store data from
$_POSTin a database; this will prevent any SQL injection attacks.
For example, here’s how you might validate an email address submitted via $_POST:
if ($_SERVER["REQUEST_METHOD"] == "POST") {
$email = filter_var($_POST['email'], FILTER_VALIDATE_EMAIL);
if ($email === false) {
echo "Invalid email format.";
} else {
echo "Email is valid.";
}
}You cleaned and validated your data, so the data fetched through $_POST will be safe for further processing.
In the following paragraphs, we’ll explore some common uses of $_POST and discuss why it’s a reliable option for handling sensitive data.
Why Use PHP $_POST?
Because the data sent by $_POST is not visible in the URL, it is preferable for handling personal or sensitive information. If you have to process information like user passwords, payment information, or any other private data, it is usually better to use either POST or other methods than GET because $_POST is just safer than $_GET.
$_POST is also better in terms of handling big data. $_GET is limited — it has a restriction on the amount of data you can send, so $_POST ensures that even if you’re sending large payloads, it provides a reliable way to send it, especially when dealing with forms with many form fields or when the user is uploading files.
So, we will now look at a few examples of how to use $_POST.
Example of Using PHP $_POST
Following are a few examples that show the use of $_POST in PHP. To solidify your understanding, here are some examples demonstrating how to use $_POST in PHP.
Suppose you are creating a contact form in which users enter their name, email, and message. With the help of $_POST, you can access the submitted data and show it easily:
if ($_SERVER["REQUEST_METHOD"] == "POST") {
$name = htmlspecialchars($_POST['name']);
$email = htmlspecialchars($_POST['email']);
$message = htmlspecialchars($_POST['message']);
echo "Thank you, $name. We've received your message: $message";
}This example shows how you can request, and even thank them for, user input within a very short period of time. Just remember to always clean data with htmlspecialchars() to avoid any potential problems.
Finally, we summarize with some best practices in using the superglobal $_POST.
Wrapping Up
If you want to process data from forms in PHP, you should use $_POST because it can transmit larger and much more sensitive information.
$_POST data is not visible in the URL like $_GET, therefore, using $_POST is better for handling passwords, payments, sensitive information, etc.
You now have a good understanding of PHP $_POST. You are ready to use it to safely manage user input in your PHP applications. You can always practice on real-world projects to familiarize yourself with a concept, and before long, you will be ruling over how to handle form data!