CSE 190M Web Programming

Lecture 9: More Forms; POST

Reading: 6.3 - 6.5

Except where otherwise noted, the contents of this document are Copyright 2012 Marty Stepp, Jessica Miller, Victoria Kirst and Roy McElmurry IV. All rights reserved. Any redistribution, reproduction, transmission, or storage of part or all of the contents in any form is prohibited without the author's expressed written permission.

Problems with submitting data

<label>Name: <input type="text" /></label>
<label><input type="radio" name="cc" /> Visa</label>
<label><input type="radio" name="cc" /> MasterCard</label> <br />
Favorite Star Trek captain:
<select name="startrek">
	<option>James T. Kirk</option>
	<option>Jean-Luc Picard</option>
</select> <br />

• this form submits to our handy params.php tester page
• the form may look correct, but when you submit it...
• [cc] => on, [startrek] => Jean-Luc Picard

The value attribute

<label>Name: <input type="text" name="personname" /></label>
<label><input type="radio" name="cc" value="visa" /> Visa</label>
<label><input type="radio" name="cc" value="mastercard" /> MasterCard</label> <br />
Favorite Star Trek captain:
<select name="startrek">
	<option value="kirk">James T. Kirk</option>
	<option value="picard">Jean-Luc Picard</option>
</select> <br />

• name attribute sets what the name of the data will be when submitted
• value attribute sets what will be submitted if a control is selected
• [personname] => "", [cc] => visa, [startrek] => picard

URL-encoding

• certain characters are not allowed in URL query parameters:
  • examples: " ", "/", "=", "&"
• when passing a parameter, it is URL-encoded (reference table)
  • "Webdev's cool!?" → "Webdev%27s+cool%3F%21"
• you don't usually need to worry about this:
  • the browser automatically encodes parameters before sending them
  • the PHP $_GET and $_POST arrays automatically decode them
  • ... but occasionally the encoded version does pop up (e.g. in Chrome Dev Tools)

Submitting data to a web server

• though browsers mostly retrieve data, sometimes you want to submit data to a server
  • Hotmail: Send a message
  • Flickr: Upload a photo
  • Google Calendar: Create an appointment
• the data is sent in HTTP requests to the server
  • with HTML forms
  • with Ajax (seen later)
• the data is placed into the request as parameters

HTTP GET vs. POST requests

• GET : asks a server for a page or data
  • if the request has parameters, they are sent in the URL as a query string
• POST : submits data to a web server and retrieves the server's response
  • if the request has parameters, they are embedded in the request's HTTP packet, not the URL
• For submitting data to be saved, POST is more appropriate than GET
  • GET requests embed their parameters in their URLs
  • URLs are limited in length (~ 1024 characters)
  • URLs cannot contain special characters without encoding
  • private data in a URL can be seen or modified by users

Form POST example

<form action="http://foo.com/app.php" method="post">
	<div>
		Name: <input type="text" name="name" /> <br />
		Food: <input type="text" name="meal" /> <br />
		<label>Meat? <input type="checkbox" name="meat" /></label> <br />
		<input type="submit" />
	<div>
</form>

GET or POST?

if ($_SERVER["REQUEST_METHOD"] == "GET") {
	# process a GET request
	...
} elseif ($_SERVER["REQUEST_METHOD"] == "POST") {
	# process a POST request
	...
}

• some PHP pages process both GET and POST requests
• to find out which kind of request we are currently processing,
  look at the global $_SERVER array's "REQUEST_METHOD" element

"Superglobal" arrays

• PHP superglobal arrays contain information about the current request, server, etc.:
• These are special kinds of arrays called associative arrays.

Associative arrays

$blackbook = array();
$blackbook["marty"] = "206-685-2181";
$blackbook["stuart"] = "206-685-9138";
...
print "Marty's number is " . $blackbook["marty"] . ".\n";

• associative array (a.k.a. map, dictionary, hash table) : uses non-integer indexes
• associates a particular index "key" with a value
  • key "marty" maps to value "206-685-2181"
• syntax for embedding an associative array element in interpreted string:

  print "Marty's number is {$blackbook['marty']}.\n";

Uploading files

<form action="http://webster.cs.washington.edu/params.php"
      method="post" enctype="multipart/form-data">
	Upload an image as your avatar:
	<input type="file" name="avatar" />
	<input type="submit" />
</form>

• add a file upload to your form as an input tag with type of file
• must also set the enctype attribute of the form

Processing an uploaded file in PHP

• uploaded files are placed into global array $_FILES, not $_POST
• each element of $_FILES is itself an associative array, containing:
  • name      : the local filename that the user uploaded
  • type      : the MIME type of data that was uploaded, such as image/jpeg
  • size      : file's size in bytes
  • tmp_name  : a filename where PHP has temporarily saved the uploaded file
    • to permanently store the file, move it from this location into some other file

Uploading details

<input type="file" name="avatar" />

• example: if you upload borat.jpg as a parameter named avatar,
  • $_FILES["avatar"]["name"] will be "borat.jpg"
  • $_FILES["avatar"]["type"] will be "image/jpeg"
  • $_FILES["avatar"]["tmp_name"] will be something like "/var/tmp/phpZtR4TI"

Processing uploaded file, example

$username = $_POST["username"];
if (is_uploaded_file($_FILES["avatar"]["tmp_name"])) {
	move_uploaded_file($_FILES["avatar"]["tmp_name"], "$username/avatar.jpg");
	print "Saved uploaded file as $username/avatar.jpg\n";
} else {
	print "Error: required file not uploaded";
}

• functions for dealing with uploaded files:
  • is_uploaded_file(filename)
    returns TRUE if the given filename was uploaded by the user
  • move_uploaded_file(from, to)
    moves from a temporary file location to a more permanent file
• proper idiom: check is_uploaded_file, then do move_uploaded_file

Including files: include

include("filename");

include("header.html");
include("shared-code.php");

• inserts the entire contents of the given file into the PHP script's output page
• encourages modularity
• useful for defining reused functions needed by multiple pages

What is form validation?

• validation: ensuring that form's values are correct
• some types of validation:
  • preventing blank values (email address)
  • ensuring the type of values
    • integer, real number, currency, phone number, Social Security number, postal address, email address, date, credit card number, ...
  • ensuring the format and range of values (ZIP code must be a 5-digit integer)
  • ensuring that values fit together (user types email twice, and the two must match)

A real form that uses validation

Client vs. server-side validation

Validation can be performed:

• client-side (before the form is submitted)
  • can lead to a better user experience, but not secure (why not?)
• server-side (in PHP code, after the form is submitted)
  • needed for truly secure validation, but slower
• both
  • best mix of convenience and security, but requires most effort to program

An example form to be validated

<form action="http://foo.com/foo.php" method="get">
	<div>
		City:  <input name="city" /> <br />
		State: <input name="state" size="2" maxlength="2" /> <br />
		ZIP:   <input name="zip" size="5" maxlength="5" /> <br />
		<input type="submit" />
	</div>
</form>

• Let's validate this form's data on the server...

One problem: Users submitting HTML content

• A user might submit information to a form that contains HTML syntax
• If we're not careful, this HTML will be inserted into our pages (why is this bad?)

The htmlspecialchars function

• text from files / user input / query params might contain <, >, &, etc.
• we could manually write code to strip out these characters
• better idea: allow them, but escape them

$text = "<p>hi 2 u & me</p>";
$text = htmlspecialchars($text);   # "&lt;p&gt;hi 2 u &amp; me&lt;/p&gt;"

Why use classes and objects?

• PHP is a primarily procedural language
• small programs are easily written without adding any classes or objects
• larger programs, however, become cluttered with so many disorganized functions
• grouping related data and behavior into objects helps manage size and complexity

Constructing and using objects

# construct an object
$name = new ClassName(parameters);

# access an object's field (if the field is public)
$name->fieldName

# call an object's method
$name->methodName(parameters);

$zip = new ZipArchive();
$zip->open("moviefiles.zip");
$zip->extractTo("images/");
$zip->close();

• the above code unzips a file
• test whether a class is installed with class_exists

Object example: Fetch file from web

# create an HTTP request to fetch student.php
$req = new HttpRequest("student.php", HttpRequest::METH_GET);
$params = array("first_name" => $fname, "last_name" => $lname);
$req->addPostFields($params);

# send request and examine result
$req->send();
$http_result_code = $req->getResponseCode();   # 200 means OK
print "$http_result_code\n";
print $req->getResponseBody();

• PHP's HttpRequest object can fetch a document from the web

Class declaration syntax

class ClassName {
	# fields - data inside each object
	public $name;    # public field
	private $name;   # private field

	# constructor - initializes each object's state
	public function __construct(parameters) {
		statement(s);
	}

	# method - behavior of each object
	public function name(parameters) {
		statements;
	}
}

• inside a constructor or method, refer to the current object as $this

Class example

<?php
class Point {
	public $x;
	public $y;

	# equivalent of a Java constructor
	public function __construct($x, $y) {
		$this->x = $x;
		$this->y = $y;
	}

	public function distance($p) {
		$dx = $this->x - $p->x;
		$dy = $this->y - $p->y;
		return sqrt($dx * $dx + $dy * $dy);
	}

	# equivalent of Java's toString method
	public function __toString() {
		return "(" . $this->x . ", " . $this->y . ")";
	}
}
?>

Class usage example

<?php
# this code could go into a file named use_point.php
include("Point.php");

$p1 = new Point(0, 0);
$p2 = new Point(4, 3);
print "Distance between $p1 and $p2 is " . $p1->distance($p2) . "\n\n";

var_dump($p2);   # var_dump prints detailed state of an object
?>

Distance between (0, 0) and (4, 3) is 5

object(Point)[2]
  public 'x' => int 4
  public 'y' => int 3

• $p1 and $p2 are references to Point objects

Basic inheritance

class ClassName extends ClassName {
	...
}

class Point3D extends Point {
	public $z;

	public function __construct($x, $y, $z) {
		parent::__construct($x, $y);
		$this->z = $z;
	}

	...
}

• the given class will inherit all data and behavior from ClassName

Static methods, fields, and constants

static $name = value;    # declaring a static field
const $name = value;     # declaring a static constant

# declaring a static method
public static function name(parameters) {
	statements;
}

ClassName::methodName(parameters);  # calling a static method (outside class)
self::methodName(parameters);       # calling a static method (within class)

• static fields/methods are shared throughout a class rather than replicated in every object

Abstract classes and interfaces

interface InterfaceName {
	public function name(parameters);
	public function name(parameters);
	...
}

class ClassName implements InterfaceName { ...

abstract class ClassName {
	abstract public function name(parameters);
	...
}

• interfaces are supertypes that specify method headers without implementations
  • cannot be instantiated; cannot contain function bodies or fields
  • enables polymorphism between subtypes without sharing implementation code
• abstract classes are like interfaces, but you can specify fields, constructors, methods
  • also cannot be instantiated; enables polymorphism with sharing of implementation code