Hidden fields
Introduction
Don't want untidy URLs on your forms? Read on...
When processing web forms using PHP (or any other server-side script) you can send the data back to the server using either a 'GET' or a 'POST' method. With the GET method, all the variables are displayed on the end of the URL that the form posts to, where they are visible in the user's web browser. You'll get something like...
www.yourdomain.com/feedback.php?name=johnsmith
This is great if you want to let your users bookmark a product, person or a page on your site, but if that's not going to happen it can just look untidy.
The 'POST' method sends the information as a block of data, separate from the URL and so it doesn't appear on the end of it.
Problems with POST
There can be problems with using POST though. Firstly, you can't bookmark with it. All the URLs to your script will look the same.
Secondly, what if you want a single form to process the feedback on your site? That's to say, a single PHP file gathers the data and then posts to itself to validate the information & send it on (perhaps via email). It gets difficult to know which 'state' the page is in.
This happens because, unlike the 'GET' method, we can't simply add a variable to the end of the URL, i.e. '?name=johnsmith' or '?feedback=true'. With 'POST' the data is in a data block and not on the URL.
We are left with the issue, when the script gets called, of knowing whether we are opening the page to enter data or to validate it. Both URLs are the same with 'POST'.
You could check the variables you are posting back, say the email address and person's name. Check to see if any are empty. If so, you are in the 'data entry' mode, right?
Well, this isn't a great way to do it. How do you know they didn't just leave that field empty? If they had, wouldn't you want to display a message asking them to enter their name?
You could check all the fields, but it's long winded and prone to maintenance issues - what happens if you add a new field and forget to add the check?
We could just give up and combine POST and GET, adding a variable to the URL when we post it back. Have a URL with something like...
www.yourdomain.com/feedback.php?postback=true
It's certainly easy, we just change the URL we post-back to so it's got '?postback=true' on the end. Job done.
The thing is, this looks a mess again. Surely there is some way to set 'postback' to 'true' in the POST data and keep a clean URL.
Yep, there is - you use a hidden field.
Hidden fields
The value of the hidden field will be added to the POST data when you submit the page. If you set it to a non-blank value you can test this field to see if the form is being posted back or not.
This works because when the page is first visited (without POST data from a post-back) the value of your hidden field (and all other fields) will be empty. When the post-back occurs, it will be set to your test value.
Unlike the data entry fields, such as 'name', it can't be blank just because the user forgot to fill it in. Why? Because it's filled automatically by the form system and not by the user.
Why a hidden field and not just any other field? Well, you don't really want a field on the form saying 'postback' - it would look ugly and we're trying to make everything look tidy. Also, the user might decide to clear the field for us.
Code
So, example code showing this technique is as follows...
<form id="feedback_form" action="feedback.php" method="post" name="feedback_form">
<!-- add hidden field to cause validation when form is sent -->
<input type="hidden" name="postback" value="true">
<!-- text showing field's label on the web-page -->
<p>Enter your name...</p>
<!-- the form field for the name -->
<input type="text" name="name" value=""
size="40" maxlength="200" tabindex="1">
</form>
This produces a form that looks something like this...

You can now check to see if you are in post-back and, say, only display messages such as "you forgot to leave your name" if you are. Nobody will want to see that message on their first visit to the page before they've had a chance to enter their name.
The code to check the value is a simple piece of PHP...
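<?php
// Get the form variables. On the first visit there is no POST data,
// so fall back to empty strings instead of reading missing keys.
$name = $_POST['name'] ?? '';
$postback = $_POST['postback'] ?? '';
// Test if this is a postback or not. The hidden field arrives as the
// string 'true', so compare against that string exactly.
if ($postback === 'true')
{
    // Put your validation code here.
}
?>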
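A fuller version of the same check, as an added example rather than code from the original page: a single feedback.php that shows the form, detects the post-back through the hidden field, validates the name on the server and escapes it before echoing it back. The helper names `process_feedback` and `h`, the messages and the submit button are assumptions; the hidden field is sent by the browser like every other field, so it is used only as a state flag.

```php
<?php
// Added example: feedback.php as one self-posting script.
// The field names 'postback' and 'name' come from the form above; the helper
// names and the messages are assumptions made for this example.

// Decide the page state and validate. Everything in $post is sent by the
// browser, hidden field included, so all of it is treated as untrusted input.
function process_feedback(array $post): array
{
    $postback = isset($post['postback']) && $post['postback'] === 'true';
    $name = isset($post['name']) && is_string($post['name']) ? trim($post['name']) : '';
    $errors = [];

    if ($postback) {
        if ($name === '') {
            $errors[] = 'You forgot to leave your name.';
        } elseif (strlen($name) > 200) {
            // maxlength="200" is only enforced by the browser, so the limit is
            // repeated here. strlen() counts bytes.
            $errors[] = 'That name is too long.';
        }
    }
    return ['postback' => $postback, 'name' => $name, 'errors' => $errors];
}

// Escape a value before writing it into the HTML page.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

$result = process_feedback($_POST);

if ($result['postback'] && !$result['errors']) {
    echo '<p>Thanks, ' . h($result['name']) . '.</p>';
} else {
    foreach ($result['errors'] as $error) {
        echo '<p>' . h($error) . '</p>';
    }
    // First visit, or a post-back that failed validation: show the form again.
    echo '<form action="feedback.php" method="post">'
       . '<input type="hidden" name="postback" value="true">'
       . '<p>Enter your name...</p>'
       . '<input type="text" name="name" value="' . h($result['name']) . '" size="40" maxlength="200">'
       . '<input type="submit" value="Send">'
       . '</form>';
}
```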
Security
Just because you send using POST and the values are not visible on the URL does not mean the information is secure. There are ways of seeing what's sent to a URL with POST, and that data is in plain text; it's not encrypted.
So using POST is not a way to provide secure access to areas of your site that you want to protect.