$_POST


The term $_POST is quite familiar territory when one works with forms in PHP. This tutorial talks about what $_POST does, how to use it, and all other things one should know to make the most out of this superglobal in PHP.

In the end, one will go forth with confidence while handling form data with $_POST in applications.

Definition of $_POST in PHP

In PHP, the superglobal variable $_POST collects data sent to the server via the HTTP POST method. In other words, it means that when a user submits a form through your website, the data that the user enters into that form gets captured after submission.

You can then go on to access this data and manipulate it to achieve many ends, such as saving user information into a database or even processing payments. $_POST is particularly useful because it can support a high volume of data, whereas the $_GET method has size limitations.

In the following section, you will learn how you can create an HTML form to make use of the $_POST superglobal, and how PHP deals with that information once it's submitted.

Setting Up an HTML Form to Use with $_POST

In order to implement the use of $_POST, the first thing you need to do is have an HTML form for which the method attribute is set to POST.

Here is an example:  

<form action="process_form.php" method="POST">
    <label for="name">Name:</label>
    <input id="name" name="name" type="text" />
    <label for="email">Email:</label>
    <input type="email" id="email" name="email">
    <input type="submit" value="Submit">
</form>

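Here, the form method is POST, meaning whatever the user enters in this form is sent to the server in the body of the HTTP request, not in the URL, when they click "Submit." POST by itself does not encrypt anything; the data is protected in transit only when the page is served over HTTPS. Now let's see how PHP fetches and handles this data.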

Accessing Form Data with PHP $_POST

After the form is submitted, PHP makes the submitted data available through the superglobal $_POST.

This superglobal works as an associative array where the name attribute of each input field will serve as a key. For example, you can get the user name and email that a user enters through the form above by the following PHP code:  

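if ($_SERVER["REQUEST_METHOD"] == "POST") {
    // Fall back to an empty string when a field is missing from the request
    $name = $_POST['name'] ?? '';
    $email = $_POST['email'] ?? '';

    // Escape the values before printing them into the HTML page
    echo "Name: " . htmlspecialchars($name) . "<br>";
    echo "Email: " . htmlspecialchars($email);
}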

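Here we use htmlspecialchars(), which converts characters such as < and > into HTML entities so that submitted text is displayed as text instead of being interpreted as markup; this helps avoid XSS attacks. You will see more about securing $_POST data as we move further, but here you can see how easily you can pull data directly out of the submission.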

Below, we will discuss how to secure the data from $_POST.

The Security of $_POST Data

While the superglobal variable $_POST indeed makes it easy to handle forms, one must ensure that the data is secure, as malicious attacks can be carried out using this variable.

Since $_POST data is directly obtained from the user, it may contain anything—including harmful scripts. Here are some tips to keep your data safe:  

  • Sanitize Inputs: The htmlspecialchars() or filter_var() functions are available to sanitize inputs. Apply htmlspecialchars() at the point where a value is printed into HTML.
  • Data Validation: Verify information to ensure that it is as expected before the use of that information. Example: one may want to verify an email address is valid.
  • Database Usage with Prepared Statements: Use prepared statements if you are going to store data from $_POST in a database; this will prevent any SQL injection attacks.

For example, here's how you might validate an email address submitted via $_POST:

if ($_SERVER["REQUEST_METHOD"] == "POST") {
    // A missing field becomes an empty string, which fails validation
    $email = filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        echo "Invalid email format.";
    } else {
        echo "Email is valid.";
    }
}

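Once the data has been cleaned and validated, it is much safer to process further. Validation does not replace the other two tips: still escape values when you print them and use prepared statements when you store them.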
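
The three tips above combined into one handler, as an added example that is not part of the original tutorial: it validates the fields, stores them through a PDO prepared statement, and escapes on output. The handle_contact() function, the contacts table and the sample submissions are assumptions made for illustration.

```php
<?php
// Added example, not from the original tutorial. Function and table names are
// hypothetical; needs the pdo_sqlite extension (in-memory DB, runs from the CLI).

function handle_contact(array $post, PDO $db): string
{
    // A field can be missing, or an array if sent as name[]=..., so accept strings only.
    $name  = is_string($post['name'] ?? null)  ? trim($post['name'])  : '';
    $email = is_string($post['email'] ?? null) ? trim($post['email']) : '';

    // 1. Validate: check each value is in the expected shape before using it.
    if ($name === '' || strlen($name) > 100) {
        return 'Name is required (max 100 bytes).';
    }
    $email = filter_var($email, FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return 'Invalid email format.';
    }

    // 2. Store: bound parameters are sent as data and never become part of the SQL text.
    $stmt = $db->prepare('INSERT INTO contacts (name, email) VALUES (:name, :email)');
    $stmt->execute([':name' => $name, ':email' => $email]);

    // 3. Display: escape at output time for the HTML context.
    return 'Thank you, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '.';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE contacts (name TEXT, email TEXT)');

// Constructed submissions standing in for $_POST.
$samples = [
    ['name' => "O'Brien <b>Pat</b>", 'email' => 'pat@example.com'], // quote and markup
    ['name' => ['nested'], 'email' => 'x@example.com'],             // array instead of string
    ['name' => 'Alice', 'email' => 'not-an-email'],                 // fails validation
];
foreach ($samples as $post) {
    echo handle_contact($post, $db), PHP_EOL;
}
echo 'Rows stored: ', $db->query('SELECT COUNT(*) FROM contacts')->fetchColumn(), PHP_EOL;
```

In a real page the handler would be called with $_POST and an existing database connection; the name is stored exactly as typed and only escaped when it is printed.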

In the following paragraphs, we’ll explore some common uses of $_POST and discuss why it’s a reliable option for handling sensitive data.  

Why Use PHP $_POST?

Because the data sent by $_POST is not visible in the URL, it is preferable for handling personal or sensitive information. If you have to process information like user passwords, payment information, or any other private data, use POST rather than GET: URLs end up in browser history, bookmarks, and server logs, while the POST body does not. Keep in mind that POST data is still readable on the network unless the site uses HTTPS.

$_POST is also better at handling large amounts of data. $_GET is limited by how long a URL can be, which restricts the amount of data you can send, so $_POST is the reliable way to send large payloads, especially for forms with many fields or when the user is uploading files.

So, we will now look at a few examples of how to use $_POST.

Example of Using PHP $_POST

To solidify your understanding, here are some examples demonstrating how to use $_POST in PHP.

Suppose you are creating a contact form in which users enter their name, email, and message. With the help of $_POST, you can access the submitted data and show it easily:  

if ($_SERVER["REQUEST_METHOD"] == "POST") {
    // Escape each field for HTML output; missing fields become empty strings
    $name = htmlspecialchars($_POST['name'] ?? '');
    $email = htmlspecialchars($_POST['email'] ?? '');
    $message = htmlspecialchars($_POST['message'] ?? '');
    echo "Thank you, $name. We've received your message: $message";
}

This example shows how you can accept user input and thank the user for it in just a few lines. Just remember to always escape data with htmlspecialchars() before displaying it to avoid any potential problems.

Finally, we summarize with some best practices in using the superglobal $_POST.  

Wrapping Up

If you want to process data from forms in PHP, you should use $_POST because it can transmit larger and much more sensitive information.

$_POST data is not visible in the URL like $_GET, therefore, using $_POST is better for handling passwords, payments, sensitive information, etc.

You now have a good understanding of PHP $_POST. You are ready to use it to safely manage user input in your PHP applications. You can always practice on real-world projects to familiarize yourself with a concept, and before long, you will be ruling over how to handle form data!

Frequently Asked Questions (FAQs)

  • What is PHP $_POST and how does it work?

    PHP $_POST is a superglobal array that collects data sent via the HTTP POST method. When a user submits a form with the method="POST", the data is stored in $_POST and can be accessed as an associative array, where the name attribute of each form field becomes a key. This method is ideal for securely handling larger data volumes without exposing data in the URL.
  • How do I retrieve data from $_POST in PHP?

    To retrieve data from $_POST, access it like an associative array. Here’s a quick example:
    if ($_SERVER["REQUEST_METHOD"] == "POST") {
        // Fall back to an empty string when a field is missing
        $name = $_POST['name'] ?? '';
        $email = $_POST['email'] ?? '';
        echo "Name: " . htmlspecialchars($name);
        echo "Email: " . htmlspecialchars($email);
    }
    
  • Why should I use $_POST instead of $_GET?

    Use $_POST when handling sensitive data like passwords, payment details, or large data inputs. Unlike $_GET, $_POST data doesn’t appear in the URL, so it stays out of browser history and server logs, and it supports larger data volumes.
  • How can I validate $_POST data in PHP?

    To validate $_POST data, use PHP functions like filter_var() to ensure data is safe and in the correct format. Here’s an example to validate an email:
    if ($_SERVER["REQUEST_METHOD"] == "POST") {
        // A missing field becomes an empty string, which fails validation
        $email = filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL);
        if ($email === false) {
            echo "Invalid email format.";
        } else {
            echo "Email is valid.";
        }
    }
    
  • How do I sanitize $_POST data to prevent security issues?

    Use htmlspecialchars() to escape HTML characters, preventing XSS attacks. Here’s a quick example:
    if ($_SERVER["REQUEST_METHOD"] == "POST") {
        // Escape for HTML output; missing fields become empty strings
        $name = htmlspecialchars($_POST['name'] ?? '');
        $email = htmlspecialchars($_POST['email'] ?? '');
        echo "Safe Name: " . $name;
        echo "Safe Email: " . $email;
    }
    
  • Can I use $_POST for file uploads in PHP?

    $_POST itself doesn’t handle file uploads. For file uploads, use the $_FILES superglobal along with $_POST for handling any additional form data. Here’s how you can manage file uploads:
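    if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_FILES['fileToUpload'])) {
        $file = $_FILES['fileToUpload'];
        $uploadDir = "uploads/";
        // basename() strips any directory components from the client-supplied name
        $target = $uploadDir . basename($file['name']);
        // Report success only if PHP accepted the upload and the move succeeded
        if ($file['error'] === UPLOAD_ERR_OK && move_uploaded_file($file['tmp_name'], $target)) {
            echo "File uploaded successfully.";
        } else {
            echo "File upload failed.";
        }
    }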
    
  • Is $_POST data automatically secured?

    No, $_POST data is not automatically secured. You need to sanitize and validate $_POST inputs to prevent security issues like SQL injection and XSS attacks. Always use methods like htmlspecialchars() and prepared statements when handling $_POST data.
  • How do I handle empty fields in a $_POST request?

    Use PHP’s empty() or isset() functions to check if a field has been filled.
    Here’s an example:
    if ($_SERVER["REQUEST_METHOD"] == "POST") {
        if (!empty($_POST['name'])) {
            $name = $_POST['name'];
            echo "Name: " . htmlspecialchars($name);
        } else {
            echo "Name field is required.";
        }
    }
    