PHP Form Handling
PHP is well suited to handling HTML forms: the data a user submits arrives in the `$_GET` and `$_POST` superglobals. Everything in them is controlled by the client, so it has to be validated before it is used and escaped before it is echoed back into a page.
Basic form
```html
<!-- form.html -->
<form action="process.php" method="POST">
<input type="text" name="username" placeholder="Username">
<input type="password" name="password" placeholder="Password">
<input type="email" name="email" placeholder="Email">
<button type="submit">Submit</button>
</form>
```
```php
<?php
// process.php
// The null-coalescing operator supplies a default when a field is absent,
// so a request that omits a field does not trigger an "undefined index" warning.
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';
$email    = $_POST['email'] ?? '';
// Escape before echoing: $username is user-controlled and would otherwise be
// interpreted as HTML by the browser (see the XSS section below).
echo "Username: " . htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
?>
```
GET vs POST
| Property | GET | POST |
|---|---|---|
| Data location | URL query string | Request body |
| Data size | Limited by URL length | Limited by server settings (`post_max_size`, `upload_max_filesize`), not by the protocol |
| Exposure | High: visible in the address bar, browser history, bookmarks, server and proxy logs | Lower: kept out of the URL and most logs, but still readable on the wire without TLS |
| Typical use | Search, filtering | Login, submitting or changing data |
| Bookmarkable | Yes | No |
Data validation and filtering
Never trust user input: validate and filter it on the server. Client-side attributes such as `required` or `type="email"` are only a convenience and can be bypassed by anyone crafting the request by hand.
```php
<?php
// Filter the input
$username = trim($_POST['username'] ?? '');
$age      = (int)($_POST['age'] ?? 0);
// filter_input() returns null when the field is missing and false when it
// is present but not a valid address
$email    = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
$errors   = [];
// Validate
if ($username === '') {            // empty() would also reject the username "0"
    $errors[] = "Username must not be empty";
} elseif (mb_strlen($username) < 3 || mb_strlen($username) > 20) {
    // mb_strlen() counts characters; strlen() counts bytes and would
    // reject a 7-character username written in a multibyte script
    $errors[] = "Username must be between 3 and 20 characters";
}
if ($age < 1 || $age > 120) {
    $errors[] = "Invalid age";
}
if (!$email) {
    $errors[] = "Invalid email address";
}
if (empty($errors)) {
    echo "Validation passed!";
} else {
    foreach ($errors as $err) {
        echo "<p style='color:red'>" . htmlspecialchars($err, ENT_QUOTES, 'UTF-8') . "</p>";
    }
}
?>
```
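The same checks can be written declaratively with `filter_var_array()`, which applies one filter definition to every field at once and distinguishes a field that is missing from one that failed its filter. The block below is an added example, not code from the original page; the field names, the regular-expression whitelist for the username and the `validate_registration()` helper are assumptions made for the illustration.

```php
<?php
// Added example (not from the original page): declarative form validation
// with filter_var_array(). The definition array and field names are assumed.
declare(strict_types=1);

/**
 * Validate a registration form. Returns a list of error messages; an empty
 * list means every field passed.
 */
function validate_registration(array $post): array
{
    $definition = [
        'username' => [
            'filter'  => FILTER_VALIDATE_REGEXP,
            // Whitelist: 3-20 characters, letters, digits and underscore only
            'options' => ['regexp' => '/^[A-Za-z0-9_]{3,20}$/'],
        ],
        'age' => [
            'filter'  => FILTER_VALIDATE_INT,
            'options' => ['min_range' => 1, 'max_range' => 120],
        ],
        'email' => FILTER_VALIDATE_EMAIL,
    ];

    // With the default add_empty = true, every key of $definition is present
    // in the result: null when the field was absent, false when it failed.
    $result = filter_var_array($post, $definition);

    $errors = [];
    foreach (array_keys($definition) as $field) {
        if ($result[$field] === null) {
            $errors[] = "$field is required";
        } elseif ($result[$field] === false) {
            $errors[] = "$field is invalid";
        }
    }
    return $errors;
}

// Constructed sample submissions standing in for $_POST
$good = ['username' => 'alice_01', 'age' => '34', 'email' => 'alice@example.com'];
$bad  = ['username' => '<script>', 'age' => '200'];   // email field missing entirely

var_dump(validate_registration($good));
var_dump(validate_registration($bad));
```

`filter_var_array()` returns `null` for a key absent from the input and `false` for one that failed its filter, which is why the two cases get different messages. In a request handler `$_POST` is passed in directly in place of the constructed arrays.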
Preventing XSS attacks
Any data written into the page must be escaped for the context it lands in:
```php
<?php
// Dangerous: echoing user input verbatim
echo $_POST['comment']; // may contain <script> or other injected markup
// Safe for HTML body text and quoted attribute values: escape the HTML
// special characters. ENT_QUOTES also converts single quotes, so a value
// inside a single-quoted attribute cannot break out of it.
echo htmlspecialchars($_POST['comment'] ?? '', ENT_QUOTES, 'UTF-8');
?>
```
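`htmlspecialchars()` is the right tool for HTML body text and quoted attribute values, but user data ends up in other contexts too. The block below, an added example rather than code from the original page, shows escaping for three of them (body text, an attribute value, and a value inside an inline script) and why the `ENT_QUOTES` flag matters. The `e()`, `attr()` and `js_value()` helper names are chosen here and are not PHP built-ins.

```php
<?php
// Added example (not from the original page): output encoding per context.
// e(), attr() and js_value() are helper names chosen here, not PHP built-ins.
declare(strict_types=1);

// HTML body text and quoted attribute values
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Attribute value: same escaping, plus the surrounding quotes. Without the
// quotes a space in the value would start a new attribute.
function attr(string $s): string
{
    return '"' . e($s) . '"';
}

// Value embedded in an inline <script>: JSON-encode with the HEX flags so
// that "<", ">", "&" and both quote characters become \u escapes and the
// value can neither terminate the script block nor break out of a string.
function js_value(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed attacker-style inputs
$comment = '<img src=x onerror=alert(1)>';
$title   = "x' onmouseover='alert(1)";
$name    = '</script><script>alert(1)</script>';

echo '<p>' . e($comment) . "</p>\n";
echo '<input value=' . attr($title) . ">\n";
echo '<script>var name = ' . js_value($name) . ";</script>\n";

// Why ENT_QUOTES matters: before PHP 8.1 the default flag was ENT_COMPAT,
// which leaves the single quote untouched, so $title would close a
// single-quoted attribute and inject an onmouseover handler.
echo htmlspecialchars($title, ENT_COMPAT, 'UTF-8'), "\n";
```

Each helper is tied to the one context it is safe for; a value placed in a URL, a CSS rule or an unquoted attribute needs a different encoding again, and emitting the surrounding quotes is part of the contract for `attr()`.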
File upload
```html
<form action="upload.php" method="POST" enctype="multipart/form-data">
<input type="file" name="avatar" accept="image/*">
<button type="submit">Upload</button>
</form>
```
The `accept` attribute only filters the browser's file picker; the server has to check the file itself. The client-supplied MIME type in `$_FILES['avatar']['type']` and the original file name are both attacker-controlled, so the handler below detects the type from the file contents and builds the stored name from a whitelist.
```php
<?php
// upload.php
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['avatar'])) {
    $file    = $_FILES['avatar'];
    $maxSize = 2 * 1024 * 1024; // 2MB
    // Accepted MIME types mapped to the extension the stored file will get.
    // Both the type and the extension come from this whitelist, never from
    // the request.
    $allowed = [
        'image/jpeg' => 'jpg',
        'image/png'  => 'png',
        'image/gif'  => 'gif',
    ];
    if ($file['error'] !== UPLOAD_ERR_OK) {
        die("Upload failed");
    }
    if ($file['size'] > $maxSize) {
        die("File too large, maximum 2MB");
    }
    // $file['type'] is whatever the client sent, so detect the type from the
    // file contents instead
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        die("Only JPG/PNG/GIF files are allowed");
    }
    // Generate a safe file name: random, with the extension taken from the
    // whitelist rather than from the user-supplied $file['name'], which could
    // otherwise be "shell.php" or contain ".." path segments
    $filename = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    // Keep the uploads directory non-executable (or outside the web root)
    // so a stored file can never be run as a script
    $dest = __DIR__ . '/uploads/' . $filename;
    // move_uploaded_file() only moves files uploaded in the current request,
    // so it cannot be pointed at arbitrary paths on the server
    if (move_uploaded_file($file['tmp_name'], $dest)) {
        echo "Upload succeeded: $filename";
    }
}
?>
```
Complete login form example
```php
<?php
// Start the session before any output, otherwise the session cookie header
// can no longer be sent
session_start();
$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = trim($_POST['username'] ?? '');
    $password = $_POST['password'] ?? '';
    // Simulated check (real code looks the user up in the database and
    // checks the password with password_verify() against a stored
    // password_hash() value, never against a plaintext password)
    if ($username === 'admin' && $password === '123456') {
        // Issue a new session ID after login so a session ID fixed before
        // authentication cannot be reused
        session_regenerate_id(true);
        $_SESSION['user'] = $username;
        header('Location: dashboard.php');
        exit;
    } else {
        $error = "Incorrect username or password";
    }
}
?>
<!DOCTYPE html>
<html lang="en">
<body>
<?php if ($error): ?>
<p style="color:red"><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></p>
<?php endif; ?>
<form method="POST">
<input type="text" name="username" required>
<input type="password" name="password" required>
<button type="submit">Login</button>
</form>
</body>
</html>
```
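The check above compares against a hard-coded plaintext password and accepts any POST that reaches it, which is fine for a demo but not for a real login. The block below is an added example, not part of the original page: it verifies a `password_hash()` value with `password_verify()`, ties the form to the session with an anti-CSRF token compared in constant time, and gives the same answer in the same time for an unknown user and a wrong password. The in-memory `$users` array, the `csrf_token()`, `csrf_check()` and `attempt_login()` helpers, and the plain arrays standing in for `$_SESSION` and `$_POST` are assumptions so that the script runs offline.

```php
<?php
// Added example (not from the original page). The $users array, the helper
// names and the arrays standing in for $_SESSION and $_POST are assumptions.
declare(strict_types=1);

// Constructed user store: in practice a database row. Only the hash produced
// by password_hash() is stored; a plaintext password is never compared.
$users = [
    'admin' => ['hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)],
];

// Issue a per-session anti-CSRF token. The login form embeds it in a hidden
// field named "csrf" (escaped with htmlspecialchars like any other output).
function csrf_token(array &$session): string
{
    if (!isset($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

// Compare the submitted token with hash_equals() so the comparison itself
// does not leak the token byte by byte through timing.
function csrf_check(array $session, $submitted): bool
{
    return isset($session['csrf']) && is_string($submitted)
        && hash_equals($session['csrf'], $submitted);
}

/**
 * Authenticate one form submission. Returns the username on success and
 * null otherwise. Unknown user and wrong password produce the same result
 * and take the same time, so the form does not reveal which usernames exist.
 */
function attempt_login(array $users, array $post, array &$session): ?string
{
    if (!csrf_check($session, $post['csrf'] ?? null)) {
        return null;
    }
    $username = trim((string)($post['username'] ?? ''));
    $password = (string)($post['password'] ?? '');

    // Always run password_verify(), against a dummy hash when the user does
    // not exist, so the response time is the same in both cases.
    static $dummyHash = null;
    $dummyHash ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);
    $known = isset($users[$username]);
    $hash  = $known ? $users[$username]['hash'] : $dummyHash;
    $ok    = password_verify($password, $hash);
    if (!$known || !$ok) {
        return null;
    }

    // Real code calls session_regenerate_id(true) here before storing the
    // user, so a session ID fixed before login is not carried over.
    $session['user'] = $username;
    return $username;
}

// Constructed requests standing in for $_SESSION and $_POST
$session = [];
$token   = csrf_token($session);
$secret  = 'correct horse battery staple';

// 1) Cross-site forgery: correct password, but no token from our own form
var_dump(attempt_login($users, ['username' => 'admin', 'password' => $secret], $session));
// 2) Valid token, wrong password
var_dump(attempt_login($users, ['csrf' => $token, 'username' => 'admin', 'password' => '123456'], $session));
// 3) Valid token, unknown user
var_dump(attempt_login($users, ['csrf' => $token, 'username' => 'root', 'password' => $secret], $session));
// 4) Genuine submission from our form
var_dump(attempt_login($users, ['csrf' => $token, 'username' => 'admin', 'password' => $secret], $session));
```

In a request handler, `$_SESSION` and `$_POST` replace the constructed arrays, the token is rendered into the form with `csrf_token($_SESSION)`, and `session_regenerate_id(true)` is called at the point marked in `attempt_login()`.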