Forms, Sessions, and Cookies
The web is a stateless medium, yet modern applications require interactive, personalized experiences. PHP provides mechanisms to receive user input via forms, track users across requests with sessions, and remember preferences through cookies.
HTML Forms
A form submits data to a URL using the HTTP GET or POST method. GET places the data in the URL query string; POST places it in the request body. GET is safe and idempotent, so it is bookmarkable and cacheable, but URLs are limited in length and end up in browser history, Referer headers and server and proxy logs, so credentials and tokens must never travel in them. POST handles large submissions and sensitive data without exposing it in the URL, though the body is only protected in transit when the connection uses TLS. Each input's name attribute becomes the key under which PHP exposes the value.
Receiving Form Data
PHP exposes submitted data in the superglobals $_GET, $_POST, and $_REQUEST. $_FILES holds uploaded files, and $_SERVER exposes headers and request metadata. $_REQUEST merges GET, POST and cookie data in the order set by request_order, so read the specific superglobal instead; otherwise a cookie can silently override a form field. Always treat incoming data as untrusted, including headers such as Host and User-Agent in $_SERVER, which the client also controls.
Validation and Sanitization
Validation checks that data satisfies business rules (required, numeric, in range, one of an allowed set) and rejects whatever does not. Sanitization alters input by removing or encoding characters; it is the weaker control because it has to guess what is dangerous. Use filter_var with FILTER_VALIDATE_EMAIL, FILTER_VALIDATE_INT and similar filters to validate, and explicit allow-lists for enumerated fields. Validation does not by itself prevent XSS: a syntactically valid value can still carry markup, so escape at output time with htmlspecialchars($s, ENT_QUOTES, 'UTF-8') in HTML contexts. FILTER_SANITIZE_STRING strips tags rather than encoding them, is not an XSS defence, and is deprecated as of PHP 8.1. Never rely on client-side validation alone; always validate server-side.
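The handler below is an added example written for this page rather than code from the original; it validates a constructed registration submission with filter_var and allow-lists, then escapes everything it echoes back. The field names (name, email, age, plan) and the plan values are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not taken from the page: a registration handler that validates
// $_POST on the server and escapes everything it echoes back. The field names
// and the allowed plan values are assumptions.

/** Fetch a scalar field; a `name[]` array submitted by a tampered form becomes ''. */
function field(array $input, string $key): string
{
    $v = $input[$key] ?? '';
    return is_string($v) ? $v : '';
}

/** Validate a submission. Returns [errors keyed by field, clean values keyed by field]. */
function validateRegistration(array $input): array
{
    $errors = [];
    $clean  = [];

    // Required, bounded length, no control characters (they break headers and logs).
    $name = trim(field($input, 'name'));
    if ($name === '' || mb_strlen($name) > 50 || preg_match('/[\x00-\x1F\x7F]/', $name)) {
        $errors['name'] = 'Name is required (max 50 characters).';
    } else {
        $clean['name'] = $name;
    }

    // FILTER_VALIDATE_EMAIL checks syntax only; a valid address is still unsafe to echo raw.
    $email = filter_var(field($input, 'email'), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors['email'] = 'A valid e-mail address is required.';
    } else {
        $clean['email'] = $email;
    }

    // FILTER_VALIDATE_INT with a range rejects "17abc", "1e3", "17.0" and out-of-range values.
    $age = filter_var(field($input, 'age'), FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 13, 'max_range' => 120]]);
    if ($age === false) {
        $errors['age'] = 'Age must be a whole number between 13 and 120.';
    } else {
        $clean['age'] = $age;
    }

    // Enumerated choice: compare against the server's allow-list, not the <option>s the form offered.
    $plan = field($input, 'plan');
    if (!in_array($plan, ['free', 'pro'], true)) {
        $errors['plan'] = 'Unknown plan.';
    } else {
        $clean['plan'] = $plan;
    }

    return [$errors, $clean];
}

/** Escape for HTML text and attribute contexts; ENT_QUOTES covers both quote characters. */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed submission standing in for $_POST; every field is hostile or malformed.
$submission = [
    'name'  => '<script>alert(1)</script>',
    'email' => 'not-an-address',
    'age'   => '17abc',
    'plan'  => 'enterprise',
];
[$errors, $clean] = validateRegistration($submission);
// email, age and plan are rejected. The name PASSES: it is a legal 25-character string.
// That is exactly why output escaping is a separate step from validation.

// Re-render: rejected input is echoed back only through e(), so the script tag is inert.
foreach ($errors as $fieldName => $message) {
    printf('<p class="error">%s: %s</p>%s', e($fieldName), e($message), PHP_EOL);
}
printf('<input name="name" value="%s">%s', e(field($submission, 'name')), PHP_EOL);
```

Note that validateRegistration() takes the array as a parameter instead of reading $_POST directly; that keeps it testable offline and makes the trust boundary explicit at the call site.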
File Uploads
File inputs require enctype="multipart/form-data". PHP writes each upload to a temporary file and describes it in $_FILES with name, type, size, tmp_name and error. Check error against UPLOAD_ERR_OK first, enforce your own size limit, and determine the type by inspecting the content (finfo) rather than trusting the client-supplied type or the extension of the original filename. Confirm the path with is_uploaded_file(), give the file a server-generated name, and move it with move_uploaded_file(). Storing uploads outside the web root, or serving them only through a handler that sets Content-Type and Content-Disposition, prevents a disguised script from being executed or rendered.
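An upload handler applying those checks in order, added here as an example and not part of the original page. The upload directory, size limit and the PNG/JPEG allow-list are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not from the page: image upload handler. The directory, limit
// and allowed types are assumptions for the illustration.

const UPLOAD_DIR = '/var/app/uploads';   // outside the document root (assumed path)
const MAX_BYTES  = 2 * 1024 * 1024;

// Keyed by the MIME type detected from file CONTENT; values are the extensions we accept
// on the original name. The first one is what we write to disk.
const ALLOWED = [
    'image/png'  => ['png'],
    'image/jpeg' => ['jpg', 'jpeg'],
];

/**
 * Validate one $_FILES entry and move it under a random name.
 * Returns the stored filename; throws with a user-safe message otherwise.
 */
function storeUpload(array $file): string
{
    // 1. The error code must say the upload completed; partial or missing uploads are rejected.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or no file sent.');
    }
    // 2. Our own size limit; upload_max_filesize in php.ini is only a coarse outer bound.
    if (($file['size'] ?? 0) > MAX_BYTES) {
        throw new RuntimeException('File too large.');
    }
    // 3. The path must be this request's upload, not a value smuggled into the array.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Invalid upload.');
    }
    // 4. Sniff the bytes. $file['type'] is whatever the client claimed and is ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!is_string($mime) || !array_key_exists($mime, ALLOWED)) {
        throw new RuntimeException('Only PNG and JPEG images are accepted.');
    }
    // 5. The original extension must agree with the detected content (shell.php.png fails here).
    $ext = strtolower(pathinfo((string)$file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED[$mime], true)) {
        throw new RuntimeException('File extension does not match its content.');
    }
    // 6. Never reuse the client's filename: random name, extension chosen by the server.
    $stored = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime][0];
    $dest   = UPLOAD_DIR . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file.');
    }
    chmod($dest, 0640); // not executable, not world-readable
    return $stored;
}

// Usage in the request that carried <input type="file" name="avatar">:
// try { $name = storeUpload($_FILES['avatar']); } catch (RuntimeException $e) { /* show $e->getMessage() */ }
```

Serving the stored file later should go through a script that looks up the random name, sets Content-Type from the recorded MIME type and Content-Disposition: attachment, and never builds the path from user input.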
Cookies
A cookie is a small piece of data the server asks the browser to store and send back on subsequent requests. setcookie(name, value, options) creates or updates a cookie (the options array form exists since PHP 7.3); $_COOKIE reads what the browser sent, which is client-controlled and must be validated like any other input. Attributes control scope and exposure: expires, path and domain limit where and for how long the cookie is sent; Secure restricts it to HTTPS; HttpOnly hides it from document.cookie so injected script cannot read it; SameSite (Strict or Lax) stops the browser attaching it to cross-site requests.
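The following added example (mine, not the page's) contrasts a cookie set with defaults against one set with every attribute spelled out, and reads it back through an allow-list. The cookie name, the __Host- prefix and the theme values are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not from the page: a preference cookie set with hardened
// attributes and read back as untrusted input. Name and values are assumptions.

const THEME_COOKIE = '__Host-theme'; // __Host- prefix: browser insists on Secure, Path=/, no Domain
const THEMES       = ['light', 'dark'];

/** Weak: positional form with defaults. No Secure, no HttpOnly, no SameSite; sent over plain HTTP. */
function setThemeCookieWeak(string $theme): bool
{
    return setcookie('theme', $theme, time() + 86400 * 30);
}

/** Hardened: options array (PHP 7.3+) so every attribute is explicit. */
function setThemeCookie(string $theme): bool
{
    if (!in_array($theme, THEMES, true)) {
        throw new InvalidArgumentException('unknown theme');
    }
    return setcookie(THEME_COOKIE, $theme, [
        'expires'  => time() + 86400 * 30,
        'path'     => '/',
        'domain'   => '',      // host-only: not shared with subdomains
        'secure'   => true,    // HTTPS only
        'httponly' => true,    // invisible to document.cookie; server reads it, script does not
        'samesite' => 'Lax',   // dropped from cross-site POSTs; 'Strict' for session cookies
    ]);
}

/** Read it back. The value came from the client: allow-list it, fall back to a default. */
function currentTheme(array $cookies): string
{
    $value = $cookies[THEME_COOKIE] ?? '';
    return in_array($value, THEMES, true) ? $value : 'light';
}

/** Delete: same name, path and domain, expiry in the past. Other attributes must match too. */
function clearThemeCookie(): bool
{
    return setcookie(THEME_COOKIE, '', [
        'expires' => 1, 'path' => '/', 'domain' => '',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// In a request (before any output, since Set-Cookie is a header):
// setThemeCookie('dark');
// $theme = currentTheme($_COOKIE);   // 'dark' on the next request, 'light' if tampered
```

setcookie() only queues a header; it returns false if output has already started, so call it before echoing anything. The prefix is enforced by the browser, not by PHP: a __Host- cookie set without Secure is silently discarded.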
Sessions
A session holds per-user data on the server, keyed by a session ID the browser presents in a cookie. session_start() reads that cookie and loads $_SESSION. Sessions support authentication, shopping carts, and multi-step wizards. Because the ID is the whole credential, give its cookie the Secure, HttpOnly and SameSite attributes via session_set_cookie_params(), enable session.use_strict_mode so the server never adopts an ID it did not issue, expire idle sessions, and call session_regenerate_id(true) on login and on any privilege change so a fixation attack that planted an ID before authentication gains nothing.
Authentication
Login forms collect credentials, which PHP checks with password_verify() against the hash stored for the user; the comparison is constant-time, and the hash string embeds its algorithm, cost and salt. On success, regenerate the session ID and record the user in session state. Store passwords with password_hash() using PASSWORD_DEFAULT (currently bcrypt) or PASSWORD_ARGON2ID, and call password_needs_rehash() at login to upgrade old hashes transparently. Never store plaintext passwords or unsalted fast hashes such as MD5 or SHA-1.
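The Sessions and Authentication sections describe one flow, so here is one added example covering both: a session bootstrap with hardened cookie parameters and an idle timeout, then a login that verifies with password_verify(), rehashes if needed and regenerates the ID. It is illustration code, not the page's; the user store is a constructed in-memory array, and the idle limit and the persistence comment are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not from the page: session bootstrap plus login/logout.
// The user lookup is a constructed in-memory stub standing in for a database.

const IDLE_LIMIT = 15 * 60; // seconds of inactivity before the session is discarded (assumed)

function bootSession(): void
{
    ini_set('session.use_strict_mode', '1');  // refuse IDs the server did not issue
    ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie: dies with the browser
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_start();

    // Idle timeout based on a server-side timestamp, not on anything the client sends.
    $now = time();
    if (isset($_SESSION['last_seen']) && $now - $_SESSION['last_seen'] > IDLE_LIMIT) {
        session_unset();              // drop all data
        session_regenerate_id(true);  // fresh ID, old record deleted
    }
    $_SESSION['last_seen'] = $now;
}

/** Constructed stand-in for a users table; stores password_hash() output, never plaintext. */
function findUser(string $username): ?array
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => ['id' => 1, 'hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)]];
    }
    return $users[$username] ?? null;
}

function login(string $username, string $password): bool
{
    // Verify against a dummy hash for unknown users so response time does not reveal
    // whether the account exists (PHP 7.4+ for the ??= operator).
    static $dummyHash = null;
    $dummyHash ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);

    $user = findUser($username);
    $ok   = password_verify($password, $user['hash'] ?? $dummyHash);
    if ($user === null || !$ok) {
        return false;
    }
    if (password_needs_rehash($user['hash'], PASSWORD_DEFAULT)) {
        $newHash = password_hash($password, PASSWORD_DEFAULT);
        // UPDATE users SET password_hash = :newHash WHERE id = :id   (assumed persistence step)
    }
    // Privilege changed: new ID so a fixated pre-login ID is worthless; old record removed.
    session_regenerate_id(true);
    $_SESSION['user_id']      = $user['id'];
    $_SESSION['logged_in_at'] = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires' => 1, 'path' => $p['path'], 'domain' => $p['domain'],
        'secure' => $p['secure'], 'httponly' => $p['httponly'], 'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Request flow (constructed):
// bootSession();
// if ($_SERVER['REQUEST_METHOD'] === 'POST' && login($_POST['username'] ?? '', $_POST['password'] ?? '')) {
//     header('Location: /dashboard', true, 303);
//     exit;
// }
```

Both ini_set() calls and session_set_cookie_params() must run before session_start(); after that the cookie has already been issued for this request.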
Cross-Site Request Forgery
CSRF tricks an authenticated user's browser into submitting a request the user did not intend, riding on the session cookie the browser attaches automatically. Defences include a per-session token generated with random_bytes(), embedded as a hidden field in every state-changing form and compared on submission with hash_equals(), and the SameSite cookie attribute. SameSite=Lax still sends the cookie on top-level GET navigations, so state changes must only be accepted over POST, and the token remains the primary control.
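Token generation, the hidden field, and the constant-time check on submission, written as an added example for this page (not the original's code). The session key name and the profile-update handler are assumptions; the demonstration at the end fakes the session array so it runs without a web server.

```php
<?php
declare(strict_types=1);

// Added example, not from the page: per-session CSRF token emitted as a hidden
// field and checked on POST. Assumes session_start() has already run.

const CSRF_KEY = 'csrf_token';

/** The session's token, created once per session from 32 CSPRNG bytes. */
function csrfToken(): string
{
    if (empty($_SESSION[CSRF_KEY])) {
        $_SESSION[CSRF_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_KEY];
}

/** Hidden input for a form. The token is hex, but it is escaped anyway out of habit. */
function csrfField(): string
{
    return sprintf('<input type="hidden" name="%s" value="%s">',
        CSRF_KEY, htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8'));
}

/**
 * Check a submitted token. hash_equals() compares in constant time, so an attacker
 * cannot recover the token byte by byte from response timing.
 */
function csrfValid(array $post): bool
{
    $submitted = $post[CSRF_KEY] ?? '';
    $expected  = $_SESSION[CSRF_KEY] ?? '';
    return is_string($submitted) && $expected !== '' && hash_equals($expected, $submitted);
}

/** Constructed handler: state changes only over POST, and only with a valid token. */
function handleProfileUpdate(string $method, array $post): int
{
    if ($method !== 'POST') {
        return 405;                 // GET must never change state (SameSite=Lax still sends cookies on GET)
    }
    if (!csrfValid($post)) {
        return 403;                 // reject before touching any data; worth logging
    }
    // ... apply the change ...
    return 303;                     // then redirect (POST-redirect-GET)
}

// Offline demonstration standing in for a real request cycle:
$_SESSION = [];                                                          // what session_start() would load
$formHtml = csrfField();                                                 // rendered into the page
$good = handleProfileUpdate('POST', [CSRF_KEY => csrfToken()]);          // 303: genuine form
$bad  = handleProfileUpdate('POST', [CSRF_KEY => str_repeat('0', 64)]);  // 403: forged page guessed wrong
$get  = handleProfileUpdate('GET',  [CSRF_KEY => csrfToken()]);          // 405: right token, wrong method
```

Rotating the token after it is used is optional; keeping one token per session is the simpler design the text describes and avoids breaking users with several tabs open.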
Flash Messages
Storing temporary user feedback (such as "Profile saved") in the session lets it survive the redirect that follows a POST and be shown once on the next page. Remove the message as soon as it is read so a refresh does not show it again, and escape it on output, since it may embed user-supplied text. Flash messaging is what makes the POST-redirect-GET pattern usable.
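Flash helpers for the POST-redirect-GET cycle, added as an example rather than taken from the page. The session key and the allowed message types are assumptions; the closing lines simulate three consecutive requests against a fake session array.

```php
<?php
declare(strict_types=1);

// Added example, not from the page: flash messages for POST-redirect-GET.
// Assumes session_start() has run before any of these functions is called.

const FLASH_KEY = '_flash';

/** Queue a message for the NEXT request. $type is an allow-listed CSS class (assumed names). */
function flash(string $type, string $message): void
{
    if (!in_array($type, ['success', 'error', 'info'], true)) {
        throw new InvalidArgumentException('unknown flash type');
    }
    $_SESSION[FLASH_KEY][] = ['type' => $type, 'message' => $message];
}

/** Take all pending messages and clear them, so a reload does not show them again. */
function consumeFlashes(): array
{
    $messages = $_SESSION[FLASH_KEY] ?? [];
    unset($_SESSION[FLASH_KEY]);
    return $messages;
}

/** Render and consume. The app wrote the text, but it may carry user data, so escape it. */
function renderFlashes(): string
{
    $html = '';
    foreach (consumeFlashes() as $f) {
        $html .= sprintf('<div class="flash flash-%s">%s</div>%s',
            $f['type'], htmlspecialchars($f['message'], ENT_QUOTES, 'UTF-8'), PHP_EOL);
    }
    return $html;
}

/** POST handler tail: queue the message, then 303 so a browser reload re-issues a GET, not the POST. */
function afterProfileSaved(string $displayName): void
{
    flash('success', "Profile saved for {$displayName}");
    header('Location: /profile', true, 303);
    exit;
}

// Constructed lifecycle standing in for three HTTP requests sharing one session:
$_SESSION = [];
flash('success', 'Profile saved for <b>Mallory</b>');  // request 1: the POST
$first  = renderFlashes();   // request 2: the GET renders one <div>, with the <b> encoded
$second = renderFlashes();   // request 3: the user reloads; returns '' because the queue was emptied
```

Using 303 rather than the default 302 makes the method change explicit: every browser turns a 303 into a GET, which is the whole point of the pattern.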
Summary
Forms carry user input; sessions and cookies maintain state. Secure handling — validation, sanitization, CSRF tokens, and proper cookie attributes — is non-negotiable. These ingredients combine in every login, checkout, and settings page you build.