Web Programming Step by Step, 2nd Edition

Lecture 9: Uploading Data

Reading: 6.3.3–6.5; 15.3, 15.3.2

Except where otherwise noted, the contents of this document are Copyright 2012 Marty Stepp, Jessica Miller, and Victoria Kirst. All rights reserved. Any redistribution, reproduction, transmission, or storage of part or all of the contents in any form is prohibited without the author's expressed written permission.

Submitting data to a web server

• though browsers mostly retrieve data, sometimes you want to submit data to a server
  • Hotmail: Send a message
  • Flickr: Upload a photo
  • Google Calendar: Create an appointment
• the data is sent in HTTP requests to the server
  • with HTML forms
  • with Ajax (seen later)
• the data is placed into the request as parameters

Hypertext Transport Protocol (HTTP)

• the set of commands understood by a web server and sent from a browser
• some HTTP commands (your browser sends these internally):
  • GET    filename : retrieve a file or a program’s output
    • any parameters are sent in the URL as a query string
    • focused on receiving rather than submitting (although it may still supply data)
  • POST   filename : send form data to a program
    • any parameters are embedded in the HTTP request, not the URL
    • focused on submitting rather than receiving (although it will still receive a response)
  • PUT    filename : create or overwrite a file
  • DELETE filename : delete a file

Simulating GET and POST requests

• simulated GET request using the terminal:

  $ telnet www.google.com 80
  Trying 128.208.3.88...
  Connected to 128.208.3.88 (128.208.3.88).
  Escape character is '^]'.
  GET /search?q=Black+Raven
  
  <!DOCTYPE html>   # (the server's response comes after two carriage returns)
  <html>
  ...
  

• simulated POST request:

  $ telnet www.gmail.com 80
  Trying 128.208.3.88...
  Connected to 128.208.3.88 (128.208.3.88).
  Escape character is '^]'.
  POST /login.php
  Content-type: application/x-www-form-urlencoded
  Content-length: 33
  
  username=jessica&password=guinness
  
  <!DOCTYPE html>   # (the server's response comes after two carriage returns)
  <html>
  ...
  

When do I use POST vs. GET?

• GET requests embed parameters in their URLs
  • amount of data limited by browser’s maximum URL size (~ 1024 characters)
  • parameters are visible in address bar
  • private data in a URL can be seen or modified by users
• POST requests embed parameters in the HTTP request body
  • submitted data NOT limited in size
  • parameters DO NOT show up in address bar (although tools like Firebug can still be used to view them)
• general guidelines:
  • use POST for private data or very large data
  • otherwise, decide whether the focus is on submitting or receiving data

Form POST example

<form action="http://foo.com/app.php" method="post">
	<div>
		Name: <input type="text" name="name" /> <br />
		Food: <input type="text" name="meal" /> <br />
		<label>Meat? <input type="checkbox" name="meat" /></label> <br />
		<input type="submit" />
	<div>
</form>

GET or POST?

if ($_SERVER["REQUEST_METHOD"] == "GET") {
	// process a GET request (parameters are in $_GET)
	...
} elseif ($_SERVER["REQUEST_METHOD"] == "POST") {
	// process a POST request (parameters are in $_POST)
	...
}

• some PHP pages can process either a GET or a POST request
• to find out which kind of request we are currently processing,
  look at the global $_SERVER array's "REQUEST_METHOD" element

A form that submits to itself

<form action="" method="post">
	...
</form>

• a form can submit its data back to itself by setting the action to be blank (or to the page's own URL)
• benefits
  • fewer pages/files (don't need a separate file for the code to process the form data)
  • can more easily re-display the form if there are any errors

Processing a self-submitted form

if ($_SERVER["REQUEST_METHOD"] == "GET") {
	// normal GET request; display self-submitting form
	?>
	<form action="" method="post">...</form>
	<?php
} elseif ($_SERVER["REQUEST_METHOD"] == "POST") {
	// POST request; user is submitting form back to here; process it
	$var1 = $_POST["param1"];
	...
}

• a page with a self-submitting form can process both GET and POST requests
• look at the global $_SERVER array to see which request you're handling
• handle a GET by showing the form; handle a POST by processing the submitted form data

Uploading files

<form action="http://webster.cs.washington.edu/params.php"
      method="post" enctype="multipart/form-data">
	Upload an image as your avatar:
	<input type="file" name="avatar" />
	<input type="submit" />
</form>

• add a file upload to your form as an input tag with type of file
• must also set the enctype attribute of the form

Processing an uploaded file in PHP

• uploaded files are placed into global array $_FILES, not $_POST
• each element of $_FILES is itself an associative array, containing:
  • name      : the local filename that the user uploaded
  • type      : the MIME type of data that was uploaded, such as image/jpeg
  • size      : file's size in bytes
  • tmp_name  : a filename where PHP has temporarily saved the uploaded file
    • to permanently store the file, move it from this location into some other file

Uploading details

<input type="file" name="avatar" />

• example: if you upload borat.jpg as a parameter named avatar,
  • $_FILES["avatar"]["name"] will be "borat.jpg"
  • $_FILES["avatar"]["type"] will be "image/jpeg"
  • $_FILES["avatar"]["tmp_name"] will be something like "/var/tmp/phpZtR4TI"

Processing uploaded file, example

$username = $_POST["username"];
if (is_uploaded_file($_FILES["avatar"]["tmp_name"])) {
	move_uploaded_file($_FILES["avatar"]["tmp_name"], "$username/avatar.jpg");
	print "Saved uploaded file as $username/avatar.jpg\n";
} else {
	print "Error: required file not uploaded";
}

• functions for dealing with uploaded files:
  • is_uploaded_file(filename)
    returns true if the given filename was uploaded by the user
  • move_uploaded_file(from, to)
    moves from a temporary file location to a more permanent file
• proper idiom: check is_uploaded_file, then do move_uploaded_file

Creating an associative array

$name = array();
$name["key"] = value;
...
$name["key"] = value;

$name = array(key => value, ..., key => value);

$blackbook = array("marty"  => "206-685-2181",
                   "stuart" => "206-685-9138",
                   "jenny"  => "206-867-5309");

• can be declared either initially empty, or with a set of predeclared key/value pairs

Printing an associative array

print_r($blackbook);

Array
(
    [jenny] => 206-867-5309
    [stuart] => 206-685-9138
    [marty] => 206-685-2181
)

• print_r function displays all keys/values in the array
• var_dump function is much like print_r but prints more info
• unlike print, these functions require parentheses

Associative array functions

if (isset($blackbook["marty"])) {
	print "Marty's phone number is {$blackbook['marty']}\n";
} else {
	print "No phone number found for Marty Stepp.\n";
}

foreach loop and associative arrays

foreach ($blackbook as $key => $value) {
	print "$key's phone number is $value\n";
}

jenny's phone number is 206-867-5309
stuart's phone number is 206-685-9138
marty's phone number is 206-685-2181

• both the key and the value are given a variable name
• the elements will be processed in the order they were added to the array

What is form validation?

• validation: ensuring that form's values are correct
• some types of validation:
  • preventing blank values (email address)
  • ensuring the type of values
    • integer, real number, currency, phone number, Social Security number, postal address, email address, date, credit card number, ...
  • ensuring the format and range of values (ZIP code must be a 5-digit integer)
  • ensuring that values fit together (user types email twice, and the two must match)

A real form that uses validation

Client vs. server-side validation

Validation can be performed:

• client-side (before the form is submitted)
  • can lead to a better user experience, but not secure (why not?)
• server-side (in PHP code, after the form is submitted)
  • needed for truly secure validation, but slower
• both
  • best mix of convenience and security, but requires most effort to program

An example form to be validated

<form action="http://foo.com/foo.php" method="get">
	<div>
		City:  <input name="city" /> <br />
		State: <input name="state" size="2" maxlength="2" /> <br />
		ZIP:   <input name="zip" size="5" maxlength="5" /> <br />
		<input type="submit" />
	</div>
</form>

• Let's validate this form's data on the server...

Basic server-side validation code

$city  = $_POST["city"];
$state = $_POST["state"];
$zip   = $_POST["zip"];
if (!$city || strlen($state) != 2 || strlen($zip) != 5) {
	print "Error, invalid city/state/zip submitted.";
}

• basic idea: Examine parameter values, and if they are bad, show an error message and abort.
• What should we do if the data submitted is missing or invalid?
  • simply printing an error message is not a very graceful result

The die function

die("error message text");

• PHP's die function prints a message and then completely stops code execution
• it is sometimes useful to have your page "die" on invalid input
• problem: poor user experience (a partial, invalid page is sent back)

The header function

header("HTTP header text");   // in general
header("Location: url");      // for browser redirection

• PHP's header function can be used for several common HTTP messages
  • sending back HTTP error codes (404 not found, 403 forbidden, etc.)
  • redirecting from one page to another
  • indicating content types, languages, caching policies, server info, ...
• you can use a Location header to tell the browser to redirect itself to another page
  • useful to redirect if the user makes a validation error
  • must appear before any other HTML output generated by the script

Using header to redirect between pages

header("Location: url");

$city  = $_POST["city"];
$state = $_POST["state"];
$zip   = $_POST["zip"];
if (!$city || strlen($state) != 2 || strlen($zip) != 5) {
	header("Location: start-page.php");   // invalid input; redirect
}

• one problem: User is redirected back to original form without any clear error message or understanding of why the redirect occurred. (We can improve this later.)

Another problem: Users submitting HTML content

• A user might submit information to a form that contains HTML syntax
• If we're not careful, this HTML will be inserted into our pages (why is this bad?)

The htmlspecialchars function

• text from files / user input / query params might contain <, >, &, etc.
• we could manually write code to strip out these characters
• better idea: allow them, but escape them

$text = "<p>hi 2 u & me</p>";
$text = htmlspecialchars($text);   // "&lt;p&gt;hi 2 u &amp; me&lt;/p&gt;"