Parameter Passing

Static web pages are a rarity nowadays. Practically any more or less big web site asks for some data from the users. The data supplied by the users are passed as parameters to the specified script using HTML forms. The following example shows how to create a form for entering a user name:

The <form> tag takes the following two parameters:

• Action — Specifies the name or the complete URL to the script file to which the form parameters are to be passed.
• Method — The method used to pass the parameters. There are two methods for doing this: get and post. We will consider in detail both of these methods, as you should have clear understanding of how they work.

Controls whose values are to be passed to the script are created between the <form> and </form> tags. In this example we created only one input field: the <input> tag. Its name was set to UserName.

Now we have to somehow display the user name entered into the form. The simplest way to do this is to use a $UserName variable in the param.php file. Although we did not create this variable, it is created by the interpreter before the script is launched.

To see how the corresponding parameter is created, we will write a param.php file containing the form and the processing code. Thus, the parameters will be passed to the same script used to enter the data. An example of such script is shown in the next code

<HTML>
<HEAD> </HEAD>
<BODY>

<form action="param.php" method="get">
 User Name: <input name="UserName">
</form>

<?php
 if ($_GET[UserName] != "")
  {
   print("<P>Your user name is: ");
   print($_GET[UserName]);
  } 
?>
</BODY>
<HTML>

When this form is loaded into a browser, the $UserName variable will be empty, because no parameters have been passed and the interpreter has not created anything. Entering a user name into the field and pressing the <Enter> key will reload the form's contents, but not the $UserName variable will contain the name entered by the user. Based on these two facts, we can perform the following check: if the variable is not empty, the form has received the parameter, which can be processed. In our example, we simply display the name entered.

Forms can also be used to pass hidden parameters. Suppose that in addition to the user name, you want to pass some other value that should not show on the form. You create a hidden input field. For example, the following code creates a form with two input fields: UserName and Password. We, however, will hide the Password field, by setting its type parameter to hidden.

<form action="param.php" method="get">
User Name: 
 <input name="UserName">
 <input type="hidden" name="Password" value="qwerty">
</form>

Although the Password field is hidden, it does hold a value.In this way we can exchange data between scripts. Now, when the parameters are passed, the param.php script will have two variables – $UserName and $Password – holding values.

But here is the fly in the ointment: Never send any important data in this way. Although the password field does not show on the form, the HTML source code of the form can be viewed in any browser. For example, in Internet Explorer you can do this by executing the View/Source menu sequence. Thus, anyone entertaining nefarious intention can see this parameter in the source and change if at wish. This can be done by saving the script's source code on the local hard drive, modifying the necessary parameters (in this case, changing the Password parameter to the value desired and changing the action field of the form to the complete URL) and then running the form. If you don't know which data are important, do not use this parameter passing method at all.

The way parameters operate can be modified using the register_globals directive in the php.ini configuration file. If this directive is set to , parameters will be passed using global variables; otherwise user data will have to be read through specialized global arrays. But global variables are easier and more convenient to work with, so I see no reason disabling them.

Now we will discuss the parameter passing methods in more detail. As was already mentioned, there are two such methods: GET and POST. In either case the interpreter creates variable with the same names, but the methods do differ.