A quick and simple PHP form processing script

Tutorial files:

The form

There are a few basic points to note in the form's HTML. First, the opening <form> tag's method attribute should be set to "post" and the action attribute should point to the processing script's location. In the following example, the script is in the same directory as the page containing the form.

<form method="post" action="form.php">

The script

Looking at the PHP, you can see that the basic syntax of PHP mostly consists of commands followed by semicolons. There are also a few curly braces and parentheses, and these will be discussed later.

Now let's begin by looking at the following piece of PHP.

//import form information
$name = $_POST['name'];
$email = $_POST['email'];
$message = $_POST['message'];


The first line, //import form information, is a comment that exists only to document the script. It is very similar to using <!-- --> in HTML. The difference here is that // only comments out one line of code. To comment out multiple lines of PHP, use /* and */.

Here the script is grabbing the input of the form and creating variables and populating them with the information submitted in the form. Taking $email = $_POST['email']; as an example, variable "$email" is created and populated with the text from the incoming form's "email" field, which PHP places in the $_POST['email'] variable. When using $_POST variables, make sure that the incoming form used method="post" in its opening form tag. If your form uses method="get", then modify the script by using $_GET['email'].

You could simply access the incoming form's content by directly accessing the $_POST variables. However, assigning the form information to standard variables, as in the example above, allows for the use of a more simple syntax throughout the rest of the script, and it also allows us to manipulate the contained information with greater flexibility.

One final bit of PHP here,$message=stripslashes($message);, cleans up the message text. Without this line, the message text could contain slashes in front of certain characters.

Simple form validation
check to see if an email and message were entered
//if no message entered and no email entered print an error
if (empty($message) && empty($email)){
print "No email address and no message was entered. <br>Please include an email and a message";
//if no message entered send print an error
elseif (empty($message)){
print "No message was entered.<br>Please include a message.<br>";
//if no email entered send print an error
elseif (empty($email)){
print "No email address was entered.<br>Please include your email. <br>";
//if the form has both an email and a message
else {

This section of PHP does some simple validation of form input by checking to see if there was anything was put into the form's email and message fields. This section contains three subsections to test whether or not either or both of the required form fields, email and message, were filled out. The first section checks to see if both the message and email were empty. If so, the script outputs an error message, informing the users that they didn't include both of the required fields. The syntax of an if statement in PHP is fairly simple. After "if" the condition to be tested for is enclosed in parentheses. In this first instance this condition is empty($message) && empty($email). Using the empty function, the script first checks to see if there was a message entered. The && characters is an "and" operator that connects the first condition with the second, empty($email), which checks to see if an email was entered. Translated into English, this statement essential says that "If there is no email and there is no message perform the following action." The action to be performed is contained within curly braces. In this case an error message is printed.

Similarly, the following two elseif statements check to see if only the message or email fields were left empty, printing an error message if either is the case. We don't have to worry about duplicate error messages (in the case that both the email and message fields were left blank, for example), since, if any of the conditions of a chain of if or elseif statements are found to be true, the remaining statements are ignored.

Finally, if none of the tests contained within any of the preceding if or elseif statements were found to be true, then the PHP contained within the else statement is executed. In this sample script it is:

//Thank the user by name if they entered a name
if (!empty($name)) {
print "<b>Thank you $name.</b><br>";
for ($i=0;$i<count($types);$i++){
$ctypes= $ctypes . "\n$types[$i]";
$screen_ctypes= $screen_ctypes . "\n$types[$i]";
print "<p><b>The following message has been sent</b>: <br>$message<br></p><p><b>Comment type(s):</b><br>$screen_ctypes</p>";
$body= $message . ' Comment type(s)' . $ctypes;

//mail the form contents
mail( "your-email@indiana.edu", "Web site comments", $body, "From: $email" );

The first line is another comment. The next few lines print out a simple "thank you" message. The first three of these lines are fairly straightforward. The script checks to see if the $name variable is not empty. If it isn't empty, then the script prints a line thanking the user by name.

Also, since the form could contain multiple comment types, we need to check to see if multiple comment types were entered and print each of them. Without going into details, this is essentially what lines 5-8 accomplish. Next, the script outputs a message to the screen containing the text that was input.

The next line, $body= $message . ' Comment type(s)' . $ctypes;, concatenates (pastes together) the contents of the $message variable (which is the text from the form's textarea), the text " Comment type(s)", and the contents of the $ctypes variable (which is a list of the comment types). The combined string of text resulting from this concatenation is then stored in the $body variable.

The final line sends the form contents to a specified email address. The four strings contained within the parentheses specify, in order, the recipient of the email, the subject line of the sent email, the body of the email, and the address of the sender.

You may have noticed the following bit of code near the beginning of the script:

$page = "http://ella.slis.indiana.edu/~PATH/TO/FORM";
if (!ereg($page, $_SERVER['HTTP_REFERER'])){
echo "Invalid referer";

This section provides some very basic security by ensuring that only forms from a certain page can send mail using this script. Without these few lines, anyone who knew the URL of your form script could use the script to send mail. To make this script work for your form, simply set the value of the $page variable to the URL of your form (i.e. something like $page = "http://ella.slis.indiana.edu/~arsteven/L571/form.html";.

While the PHP outlined above does provide some security, it is only of a rudimentary level. For heavily trafficked sites, it is a good idea to use one of many free form processing scripts that provide stronger security. A couple examples of such scripts are: