If the REQUEST_METHOD is POST, then the form has been submitted - and it should be validated.If it has not been submitted, skip the validation and display a blank form.However, in the example above, all input fields are optional.

validating with login server-43validating with login server-15

A hacker can redirect the user to a file on another server, and that file can hold malicious code that can alter the global variables or submit the form to another address to save the user data, for example.

The first thing we will do is to pass all variables through PHP's htmlspecialchars() function.

When we use the htmlspecialchars() function; then if a user tries to submit the following in a text field: - this would not be executed, because it would be saved as HTML escaped code, like this: <script>location.href(' The code is now safe to be displayed on a page or inside an e-mail.

We will also do two more things when the user submits the form: The next step is to create a function that will do all the checking for us (which is much more convenient than writing the same code over and over again). Now, we can check each $_POST variable with the test_input() function, and the script looks like this: Notice that at the start of the script, we check whether the form has been submitted using $_SERVER["REQUEST_METHOD"].

The next step is to make input fields required and create error messages if needed.

Forms are the traditional way for most web applications to gather significant information from the user.Whether it's a search form, a login screen or a multi-page registration wizard, Tapestry uses standard HTML forms, with HTTP POST actions by default. These pages will show how to process PHP forms with security in mind.Proper validation of form data is important to protect your form from hackers and spammers! And when the page loads, the Java Script code will be executed (the user will see an alert box).This is just a simple and harmless example how the PHP_SELF variable can be exploited.Be aware of that any Java Script code can be added inside the tag!