
Hi

What is the best way to handle forms, taking into consideration security and efficiency? For example, is it better to have the HTML form on one page and then do the PHP processing on another?

Or is it better to write a function for the HTML form and a function for the processing and call them into one page?

For example

<?php
// Processing: validate and handle the submitted data
function edit_form_pro() {
    // PHP PROCESSING FUNCTIONS HERE
}

// Display: output the form markup
function edit_form() { ?>
<!-- html goes here -->
<?php } ?>

Many thanks.

https://forums.phpfreaks.com/topic/148621-best-way-to-handle-forms/

Security terms - doesn't make a difference where the validation takes place.

It all depends on the structure of your code. You may have objects taking care of validation. The validation code may be in an included file used on various pages.

If it's a simple form, I would place the validation code right at the top of the page. This makes it easier to display the errors on the same page and also redirect the user after the form has been submitted if required.

Usability-wise, I reckon having the form process on the one page is best as you can't output what they entered if an error exists or not, thereby not forcing them to re-type everything in again.

Example:

if(sizeof($errors) > 0){
//echo out POST values into textfield etc - while remembering to clean them 
}

Thanks very much.

Is writing the form HTML as a function and the PHP process of the form as a function in separate files, and including them in one page, a suitable way to handle forms, or is that completely over-engineering it?

Should the form_process() and the form_html() functions be included in the same file such as form.inc.php and then each part of the function included in a separate file such as form.php?

....like the following scripts below...or is the following way far too bloated?

form.inc.php

<?php
// Outputs the form markup; the action URL is escaped before being echoed
function form_html() { ?>
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES); ?>" method="post">
  <label>
  Name
  <input name="name" type="text" id="name" />
  </label>
  <br />
City: 
<label>
<input name="city" type="text" id="city" />
</label>
<p>
  <label>
  <input type="submit" name="Submit" value="Submit" />
  </label>
</p>
</form>
<?php }

// Reads the submitted values
function form_process() {
    $name = $_POST['name'];
    $city = $_POST['city'];
    ////INSERT INTO DATABASE HERE
}
?>

form.php

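<?php require("form.inc.php");
// The submit button is named "Submit" and $_POST keys are case-sensitive
if (isset($_POST['Submit'])) {
    form_process();
    header("Location: index.php");
    exit; // stop here so the form is not output after the redirect header
}
?>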
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title>
</head>
<body>
<?php form_html(); ?>
</body>
</html>

Hi

Personally I would put the form and the code to process it in one place. Any errors probably mean resending the form to be corrected, and possibly any validation might require the same basic data as was required for generating the form (i.e., an array of place names used to populate a drop-down list, but also used to validate that the returned selection was one on the original list).

There are exceptions. Code that is used in multiple forms would be best in an include. And if you want to validate the form on the fly with Ajax as well as when returned, then it would make sense to have a shared validation include used in both the main form script and the Ajax validation script.

All the best

Keith
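
The single-page approach discussed in this thread (validation at the top of the page, re-displaying cleaned POST values on error, and validating a drop-down against the same array that builds it), as an added example that is not part of the original posts. The `$cities` list, the `e()` helper, the 100-character limit and the `index.php` redirect target are assumptions.

```php
<?php
// Added example: single-page form handler. $cities and the field names are assumed.
$cities = ['London', 'Leeds', 'York'];   // one list builds the <select> and validates it
$errors = [];
$name = '';
$city = '';

// Escape any value before it is written back into HTML.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Treat non-string input (e.g. name[]=x) as empty rather than trusting its type.
    $name = is_string($_POST['name'] ?? null) ? trim($_POST['name']) : '';
    $city = is_string($_POST['city'] ?? null) ? $_POST['city'] : '';

    if ($name === '' || strlen($name) > 100) {
        $errors[] = 'Name is required (100 characters maximum).';
    }
    // The returned selection must be one of the options that was offered.
    if (!in_array($city, $cities, true)) {
        $errors[] = 'Please choose a city from the list.';
    }

    if (count($errors) === 0) {
        // Insert $name and $city here using a prepared statement.
        header('Location: index.php');   // assumed landing page
        exit;                            // stop so the form is not rendered after redirect
    }
}
?>
<?php foreach ($errors as $error): ?>
  <p class="error"><?= e($error) ?></p>
<?php endforeach; ?>
<form method="post">
  <label>Name <input name="name" type="text" value="<?= e($name) ?>" /></label>
  <label>City
    <select name="city">
      <?php foreach ($cities as $option): ?>
        <option value="<?= e($option) ?>"<?= $option === $city ? ' selected' : '' ?>><?= e($option) ?></option>
      <?php endforeach; ?>
    </select>
  </label>
  <input type="submit" name="Submit" value="Submit" />
</form>
```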
