Designing & Creating a Poll Script
by TDavid, Script School

The third lesson is going to discuss dealing with user input and detecting where it is coming from -- whether COOKIE, GET, or POST -- and then we'll discuss the outline of a basic poll script. In our 4th lesson we'll actually review the poll system code and create a basic, working poll script.
When getting input from users on the web you really only have these 4 choices:
1. Session variables
2. GET (this is usually through a query string in a link)
3. POST (the standard method for forms)
4. COOKIE
Registered globals turned off - detecting where input is coming from
In week/lesson #2, we accepted user input without verifying where it was actually coming from. In a real world PHP script, we can take one additional security step. When the PHP setting register_globals is turned off -- see http://www.php.net/manual/en/security.registerglobals.php -- you will need to validate the source of the user input. The options are: COOKIE, GET, POST. The code below illustrates checking user input from a cookie and is taken from this page:
<?php
// Accept pollanswer only from the cookie: reject the request if the same
// name also arrives by POST or GET. empty() avoids "undefined index" notices
// when a source did not supply the value.
if (!empty($_COOKIE['pollanswer']) &&
    empty($_POST['pollanswer']) &&
    empty($_GET['pollanswer'])) {
    // Perform other checks to validate the poll answer by the user
    $poll_answer = strip_tags($_COOKIE['pollanswer']);
    print("The value of pollanswer is: <b>$poll_answer</b>");
} else {
    print("Security violation, admin has been alerted.");
    exit;
}
?>
In the above example we are ensuring that the variable pollanswer is coming from a user's cookie and not from POST or GET to a form on a webpage. How can we make sure our script is working? It's really pretty easy: create a link to the script above (name it poll_test.php) like this:
http://www.yourdomain.com/poll_test.php?pollanswer=test
Working example:
http://www.scriptschool.com/class/106/poll_test.php?pollanswer=test&ra=2
Replace "your domain/path" with the place you uploaded the script above on your server. You should get the "Security violation ..." notice every time you click this link. Why is this happening? Because when you click through a query string (the stuff after ? in a link) the browser uses the GET method. So to avoid the error message we'd need to modify the code like this:
<?php
// Same check, but now the value is expected to arrive by GET (a link with a
// query string), so POST and COOKIE must both be empty.
if (!empty($_GET['pollanswer']) &&
    empty($_POST['pollanswer']) &&
    empty($_COOKIE['pollanswer'])) {
    // Perform other checks to validate the poll answer by the user
    $poll_answer = strip_tags($_GET['pollanswer']);
    print("The value of pollanswer is: <b>$poll_answer</b>");
} else {
    print("Security violation, admin has been alerted.");
    exit;
}
?>
Working example:
http://www.scriptschool.com/class/106/poll_test.php?pollanswer=test&ra=1
The script above will now show us the value of pollanswer without presenting a security violation. Now let's create a simple form to submit to the same script for our 3rd example illustrating the use of the POST method:
Working POST example:
HTML Code:
<form method="POST" action="http://www.scriptschool.com/class/106/poll_test.php">
<input type="text" name="pollanswer" size="20">
<input type="submit" value="Submit">
</form>
PHP Code:
<?php
// Here the value must come from the form (POST); GET and COOKIE must be empty.
if (!empty($_POST['pollanswer']) &&
    empty($_GET['pollanswer']) &&
    empty($_COOKIE['pollanswer'])) {
    // Perform other checks to validate the poll answer by the user
    $poll_answer = strip_tags($_POST['pollanswer']);
    print("The value of pollanswer is: <b>$poll_answer</b>");
} else {
    print("Security violation, admin has been alerted.");
    exit;
}
?>
Now if you try to submit to the POST code above by using the following link you'll get the security violation:
http://www.scriptschool.com/class/106/poll_test.php?pollanswer=test&ra=3
Why? Because when you click on the link you are using the GET method, while when you submit through the form above you are using the POST method, and the code is looking for the POST method variable. Now that you understand how user input can be checked, let's go to work on our poll form.
Designing a basic poll form
A poll form is really a basic form with a couple of radio buttons to choose an option. Once the user chooses an option the program must update a file that stores the poll results and then mark that the user has voted, so that when the page refreshes the user is shown the results instead of an offer to vote on something he has already voted on. Let's say we are doing a simple yes/no answer poll:
Do you find this Script School course #6 text useful?
HTML Code:
<form method="POST" action="/path/to/mypoll.php">
<input type="radio" value="yes" checked name="pollanswer">Yes <br>
<input type="radio" value="no" name="pollanswer">No
<input type="submit" value="Vote">
</form>
As you can see, the form input pollanswer is being used with the POST method. The action in the form will send the results of the form to /path/to/mypoll.php, which is either the relative or full path on your domain to the mypoll.php script.
Ok, we are ready for to-do assignment #3, which will be building the basic poll form and then submitting to a script we will call mypoll.php that will receive the form information only. In next week's lesson we'll deal with writing the poll results to a file, marking the vote for the user, and then displaying the poll results.
TO-DO Assignment #3: Create your basic poll form and a PHP script named mypoll.php that will check that the input for the poll comes via the POST method. Decide upon a poll question and at least 3 different poll options.
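A fuller version of the mypoll.php script that assignment #3 asks for, as an added example that is not the course's own code: it applies the same source check as the three poll_test.php snippets above (pollanswer must arrive by POST and must not also appear in GET or COOKIE) and then compares the answer against an allowlist of poll options before printing it. The options 'yes', 'no' and 'undecided' and the helper names input_from() and accepted_answer() are assumptions for this example.

```php
<?php
// mypoll.php (added example): accept the poll answer only when it arrives by
// POST, reject it if the same name also shows up in GET or COOKIE, and only
// accept answers from a fixed list of options.

// Hypothetical poll options; the course leaves the question up to you.
$POLL_OPTIONS = array('yes', 'no', 'undecided');

// Return the value of $name from the superglobal for $expected ('POST',
// 'GET' or 'COOKIE'), or null when it is missing, empty, or also present
// in one of the other two sources. isset() is used instead of a bare
// $_POST[$name] so PHP does not emit notices for undefined indexes.
function input_from($name, $expected)
{
    $sources = array('POST' => $_POST, 'GET' => $_GET, 'COOKIE' => $_COOKIE);
    foreach ($sources as $method => $data) {
        $present = isset($data[$name]) && $data[$name] !== '';
        if ($method === $expected && !$present) {
            return null;             // expected source did not supply it
        }
        if ($method !== $expected && $present) {
            return null;             // also sent through another method
        }
    }
    return $sources[$expected][$name];
}

// Return the accepted poll option, or null if the submission is invalid.
function accepted_answer($raw, array $options)
{
    if ($raw === null || !is_string($raw)) {
        return null;                 // missing, or an array (pollanswer[]=)
    }
    // strip_tags() alone is not enough: compare the cleaned value against
    // the allowlist so only real options ever reach the results file.
    $clean = strip_tags($raw);
    return in_array($clean, $options, true) ? $clean : null;
}

$answer = accepted_answer(input_from('pollanswer', 'POST'), $POLL_OPTIONS);
if ($answer === null) {
    print("Security violation, admin has been alerted.");
    exit;
}
// htmlspecialchars() keeps the page safe even if the allowlist changes later.
print("You voted: <b>" . htmlspecialchars($answer, ENT_QUOTES, 'UTF-8') . "</b>");
?>
```

Because the check relies on reading $_POST, $_GET and $_COOKIE separately, do not read $_REQUEST in a script like this: it merges the three and hides where the value came from.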
WEEK 3 discussion and questions - this is where you ask questions about this course material and post your weekly "to-do" assignment.
WEEK 3 Workshop Review Tuesday July 30, 2002 5:00 PM Eastern / 2pm Pacific - we will review this course material in a LIVE IRC workshop. You can get there by using the JAVA link above or by using your favorite IRC client and pointing to: irc.webmasterlive.com #netsurprise
Script School Live WEEK 3 Audio Review Friday Aug 2, 2002 5:00 PM Eastern / 2:00PM Pacific - This is the audio recap for the course material where you can call in and ask Q & A LIVE on the radio
Script School Live CHAT (Java) irc.webmasterlive.com #scriptschool (IRC)
TDavid is co-owner, programmer and webmaster for several sites devoted to programming including his own http://www.tdscripts.com/ He has done custom programming in various programming languages for companies all over the world. Every Friday at 2pm PST you can catch his weekly radio show dedicated to the technical side of webmastering and programming at http://www.scriptschool.com/radio