Handling Forms in PHP (GET & POST)
Handling Forms in PHP
Forms are how users send data to your server, such as a login, a contact message, or a search. PHP receives that data through superglobal arrays ($_GET, $_POST, and $_REQUEST), and your job is to read it, validate it, and use it safely. This lesson shows the safe, modern way to do that.
GET vs POST
HTML forms send data using one of two methods:
- GET appends data to the URL (
page.php?name=Riya). Good for searches and bookmarkable pages; visible and limited in size. - POST sends data in the request body, hidden from the URL. Use it for logins, registrations, and anything that changes data.
<!-- A form that submits with POST -->
<form action="process.php" method="post">
<input type="text" name="username">
<input type="password" name="password">
<button type="submit">Login</button>
</form>
Reading form data
PHP places submitted values in $_GET or $_POST, keyed by the input's name attribute.
<?php
// process.php - handle a POST submission.
// Only act when the form was actually submitted via POST.
if ($_SERVER["REQUEST_METHOD"] === "POST") {
// Read input; provide a default if the field is missing.
$username = $_POST["username"] ?? "";
$password = $_POST["password"] ?? "";
echo "You entered: " . htmlspecialchars($username);
}
?>
The ?? operator gives a safe default if the field was not sent, avoiding undefined-index warnings.
Validating input
Never trust data from a form. Always check it before using it.
<?php
$email = $_POST["email"] ?? "";
// trim removes stray spaces; empty checks for missing values.
$email = trim($email);
if ($email === "") {
echo "Email is required.";
} elseif (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
echo "Please enter a valid email address.";
} else {
echo "Email looks good.";
}
?>
filter_var() with FILTER_VALIDATE_EMAIL is the standard, reliable way to check an email format.
Want to learn this properly?
Join the waitlist for our courses — beginner-friendly, project-first classes in Jalgaon.
Browse coursesEscaping output to prevent XSS
If you echo user input back into a page without escaping it, an attacker could inject script. Always pass user data through htmlspecialchars() before displaying it.
<?php
$comment = $_POST["comment"] ?? "";
// Convert special characters so they display as text, not HTML.
echo "<p>" . htmlspecialchars($comment, ENT_QUOTES, "UTF-8") . "</p>";
?>
This turns <script> into harmless text and is a key habit for safe PHP.
A complete example
<?php
$message = "";
if ($_SERVER["REQUEST_METHOD"] === "POST") {
$name = trim($_POST["name"] ?? "");
if ($name === "") {
$message = "Please enter your name.";
} else {
// Safe to display because we escape it.
$message = "Hello, " . htmlspecialchars($name) . "!";
}
}
?>
<!DOCTYPE html>
<html>
<body>
<form method="post">
<input type="text" name="name">
<button type="submit">Submit</button>
</form>
<p><?php echo $message; ?></p>
</body>
</html>
A note on security
Beyond validation and escaping, real forms should also use a CSRF token to confirm the request came from your own page, and any data going into a database must use prepared statements (covered in the PHP + MySQL CRUD lesson). Treat all form input as untrusted by default.
Common mistakes
- Trusting form data without validation. Always check and clean input on the server.
- Echoing input without
htmlspecialchars(), opening the door to XSS attacks. - Reading
$_POST["field"]without checking it exists, causing undefined-index warnings. Use?? "". - Using GET for sensitive data like passwords, which then appear in the URL and logs.
FAQ
Should I use GET or POST? Use POST for anything that changes data or is sensitive (logins, registrations). Use GET for searches and shareable, bookmarkable pages.
What does htmlspecialchars do?
It converts characters like <, >, and " into safe HTML entities so user input is displayed as text rather than executed as markup.
Why validate on the server when I have JavaScript checks? Browser checks improve user experience but can be bypassed. Server-side validation is the real safeguard.
Keep learning
Back to the PHP & MySQL hub, revisit Object-Oriented Programming in PHP, or continue to Sessions & Cookies in PHP.
Build secure forms with mentor guidance. Join the waitlist for the PHP course at Infoplanet in Jalgaon.
Want to learn this properly?
Join the waitlist for our courses — beginner-friendly, project-first classes in Jalgaon.
Browse coursesFounder, Infoplanet
Atul Kabra founded Infoplanet in 2001 and has spent over two decades teaching programming — C, C++, Java, databases and more — to students across Maharashtra.
Related guides
Arrays in PHP: Indexed, Associative & Multidimensional
Understand PHP arrays - indexed, associative, and multidimensional - and the most useful array functions, with examples for adding, reading, and looping over data.
Control Flow in PHP: if, switch & Loops
Make PHP code decide and repeat with control flow: if/else, switch, the match expression, and the for, while, and foreach loops, with clear examples.
Functions in PHP: Define, Call & Return
Understand PHP functions: defining and calling them, parameters with defaults, named arguments, return values, type hints, and variable scope, with examples.
