Using Built-In Associative Arrays

Using Built-In Associative Arrays

Associative arrays are extremely handy because they reflect a kind of information storage that is very frequently used. In fact, you've been using associative arrays in disguise ever since Chapter 2 of this book. Whenever your PHP program receives data from a form, that data is actually stored in a number of associative arrays for you. A variable was automatically created for you by PHP for each form element. However, you can't always rely on that particular bit of magic. Increasingly, server administrators have been turning this "automatic variable creation" off for security reasons. In fact, the default setup for PHP is now to have this behavior (with the odd name render_globals) turned off. It's handy to know how PHP gets data from the form as a good example of associative arrays. It's also useful because you may find yourself needing to know how to get form data without the variables being created explicitly for you.

Introducing the formReader.php Program

The formReader.php program is actually one of the first PHP programs I ever wrote, and it's one I use frequently. It's very handy, because it can take the input from any HTML form and report back the names and values of each of the form elements on the page. To illustrate, Figure 5.6 shows a typical Web page with a form.

Click To expand
Figure 5.6: This form has three basic fields. It will call the formReader.php program.

When the user clicks the Submit Query button, formReader responds with some basic diagnostics, as you can see from Figure 5.7.

Click To expand
Figure 5.7: The formReader program determines each field and its value.

Reading the $_REQUEST Array

The formReader program does its work by taking advantage of an associative array built into PHP. Until now, you've simply relied on PHP to create a variable for you based on the input elements of whatever form calls your program. This automatic variable creation is called register_globals. While this is an extremely convenient feature, it can be dangerous, so some administrators turn it off. Even when register_globals is active, it can be useful to know other ways of accessing the information that comes from the form.

All the fields sent to your program are automatically stored in a special associative array called $_REQUEST. Each field name on the original form becomes a key, and the value of that field becomes the value associated with that key. If you have a form with a field called userName, you can get the value of the field by calling $_REQUEST["userName"].

The $_REQUEST array is also useful because you can use a foreach loop to quickly determine the names and values of all form elements known to the program. The source code of the formReader.php program illustrates how this is done.

<!doctype html public "-//W3C//DTD HTML 4.0 //EN">
       <title>Form Reader</title>
<h1>Form Reader</h1>
<h3>Here are the fields I found on the form</h3>
print <<<HERE
<table border = 1>

foreach ($_REQUEST as $field => $value){
  print <<<HERE
} // end foreach
print "</table>\n";



Note how I stepped through the $_REQUEST array. Each time through the foreach loop, the current field name is stored in the $field variable, and the value of that field is stored in $value.


I use this script when I'm debugging my programs. If I'm not getting the form elements I expected from a form, I'll put a loop like this in at the top of my program to make sure I know exactly what's being sent to the program. Often this type of procedure can help you find misspellings or other bugs.

Start example

PHP provides some other variables related to $_REQUEST. The $HTTP_POST_VARS array holds all the names and values sent through a POST request, and $HTTP_GET_VARS array holds names and values sent through a GET request. You can use this feature to make your code more secure. If you create variables only from the $HTTP_POST_VARS array, for example, all input sent via the GET method will be ignored. This will make it harder for users to forge data by putting field names in the browser's address bar. Of course, a clever user can still write a form that contains bogus fields, so you always have to be a little suspicious whenever you get any data from the user.

End example