Getting Input in PHP Scripts
Security Note: Do not trust user input!
Or in the words of ERT Mentor rdivilbiss, "all input is evil."
In the examples below, you will see statements like
echo $_GET['MyVariableName'];
which are for the sake of example only. While it is fine to use statements like this for quick testing purposes, you should never directly echo or otherwise process user input in a production environment without first verifying that it contains the type of information you expect. Failure to validate/filter user input can open your site up to serious security vulnerabilities, including (but not limited to!) code injection and cross-site scripting (XSS).
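One way to apply the note above (check the input against what you expect, then escape it when you output it), as an added example that is not part of the original page. The helper names input_int(), input_match() and html(), the age field and the sample arrays are constructed for illustration.

```php
<?php
// Added example; helper names, the 'age' field and the samples are constructed.

// Integer in [$min, $max] from $src[$key], or null if missing or invalid.
function input_int(array $src, string $key, int $min, int $max): ?int
{
    if (!isset($src[$key]) || !is_string($src[$key])) {
        return null; // absent, or an array such as ?age[]=1
    }
    $v = filter_var($src[$key], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $v === false ? null : $v;
}

// String that matches an allow-list pattern, or null.
function input_match(array $src, string $key, string $pattern): ?string
{
    if (!isset($src[$key]) || !is_string($src[$key])) {
        return null;
    }
    return preg_match($pattern, $src[$key]) === 1 ? $src[$key] : null;
}

// Escape for an HTML text or quoted-attribute context, at output time.
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample requests standing in for $_GET.
$samples = [
    ['MyVariableName' => 'foobar',        'age' => '42'],
    ['MyVariableName' => "O'Brien",       'age' => '42'],    // valid, still needs escaping
    ['MyVariableName' => '<b>foobar</b>', 'age' => '42'],    // fails the allow-list
    ['MyVariableName' => ['foobar'],      'age' => '42abc'], // wrong types
];

foreach ($samples as $get) {
    $name = input_match($get, 'MyVariableName', '/\A[\p{L}\' -]{1,40}\z/u');
    $age  = input_int($get, 'age', 0, 150);
    if ($name === null || $age === null) {
        echo "rejected\n"; // in a web script: respond with an error and stop
        continue;
    }
    echo 'Hello ' . html($name) . ', age ' . $age . "\n";
}
```

The second sample passes validation but contains an apostrophe, which is why escaping at output is still needed after the input has been checked.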
There are several ways that a PHP script may receive data from the outside world. By far the most common way is
through data passed by web forms using either the GET or POST methods (the GET
method can also be used by simply adding a query string onto the end of the script's URL). But there are other ways
too, including retrieving session and cookie data, and reading input from command line parameters and standard input streams.
You can see just about every way to retrieve input in a PHP script from the examples below. Hopefully by looking at them
you will think of some new ways to use PHP that you might not have considered before. I frequently use these examples to
refresh my memory when I need to use one of the less common input methods.
POST
// POST data (e.g. from a form)
// <input type="text" name="MyVariableName" value="foobar">
echo $_POST['MyVariableName'];
GET
// GET data (e.g. from a form or directly entered in a URL);
// http://www.mysite.com/myscript.php?MyVariableName=foobar
echo $_GET['MyVariableName'];
Cookies
// Cookie data (e.g. set with setcookie('MyVariableName', 'foobar'); )
echo $_COOKIE['MyVariableName'];
Request Headers: POST, GET, & Cookies
// POST, GET, or cookie data
echo $_REQUEST['MyVariableName'];
// NOTE: To determine how the page was called look in $_SERVER['REQUEST_METHOD']
// If it is important where the variable came from, individually check
// $_POST, $_GET, and $_COOKIE
Session
//session data, possibly passed from variables set in another referring script
session_start();
echo $_SESSION['MyVariableName'];
Command Line Arguments
// Command line parameters, e.g. at an SSH prompt
// %prompt> php myscript.php InputParam1 InputParam2 InputParam3
// or from a script: exec('php myscript.php InputParam1 InputParam2 InputParam3');
$num_args = $_SERVER['argc']; // in this case, equal to 4: argv[0] is the script name
for ($kk = 0; $kk < $num_args; $kk++) {
    echo $_SERVER['argv'][$kk];
}
// or with a foreach()
foreach ($_SERVER['argv'] as $var) {
    echo $var;
}
You may also be interested in using PEAR's Console_Getopt package.
Standard Input
// Standard input, e.g. pipes at the command line
// %prompt> echo "foobar" | php myscript.php
// or called from another application like procmail
$stdin = fopen('php://stdin', 'r');
$input = '';
while (false !== ($line = fgets($stdin))){
$input .= $line;
}
echo $input;
* You can also use the standard input to read from the keyboard if you've written a shell program in PHP that requires input from the user during program execution.
fopen(), file(), file_get_contents()
Provided allow_url_fopen is set to "1" in your php.ini, you can use file-reading commands to get "input" from remote files (and you can always use them to get input from local ones). You can think of this as a possible alternative or supplement to using client-side AJAX. Content fetched this way is outside input like any other, so validate it before use just as you would form data.
$input = file_get_contents('http://www.somesite.com/dynamic_content.txt');
echo $input;
See Chapter 39 of the PHP Manual for more details.
Sockets, and beyond
Using PHP's socket functions, you can also gather input from outside sources, using any number of protocols (you could even write your own server/client protocol). You might also be interested in using SOAP to gather dynamic content for your scripts. PHP 5 has a built-in extension (you can find a good tutorial on Zend), and NuSOAP or the PEAR SOAP package also work nicely.
