Do's and don'ts with PHP in a page


Hey all, firstly let's start off with the good old: "I'm new to drupal" trying to struggle my way into better understanding.

At the moment I'm doing a bit of custom development, on one side in Drupal and on the other side in plain old PHP. Now I found the versioning system in Drupal a handy tool, so I wondered if I could place my regular PHP in a Drupal page. A lot of the things I'm doing do work, but there's one page with an HTML form using POST that writes to the database which doesn't work.

So in short my question is: what's considered best practice for writing PHP in pages and where should I draw the line, and/or, is this line movable? ;)

Comments

Drupal forms vs custom forms


It sounds like you are writing your own forms by injecting PHP/HTML and then examining POST to process/submit the form. If that is the case, you are doing the form work incorrectly. Drupal makes it very easy to do form creation/validation/submitting by using its built-in FormAPI (sometimes written as FAPI).

With you being new to Drupal, this will probably seem a little strange especially if you are familiar with building your own forms in PHP/HTML. However, the FormAPI system can actually be much faster for building forms and it is more secure. For instance, if you want to place a select list within your custom PHP/HTML form, it is YOUR responsibility to ensure that some clever user didn't change the select list value to something not originally in the list. Drupal's FormAPI on the other hand, will automatically detect this bad behavior and not allow the form to be submitted with an illegal value. This is just one example of how FormAPI can help you write more secure forms.

So, assuming you are considering using Drupal's built-in FormAPI system, you need to know how to do it. Listed below is a simple example form:

<?php
//
// Build and return a simple FormAPI form.
//
function onos_form() {
  $form['ono_form_name'] = array(
    '#type' => 'textfield',
    '#title' => t("What is your name?"),
    '#required' => TRUE,
    '#size' => 35,
    '#maxlength' => 128,
  );

  // A select list. FormAPI will refuse any submitted value that is not one
  // of the keys listed in #options, so the submit handler can trust it.
  $form['ono_form_color'] = array(
    '#type' => 'select',
    '#title' => t("What is your favorite color?"),
    '#required' => TRUE,
    '#options' => array(
      'blue' => 'Pretty Blue',
      'red' => 'Nice Red',
      'green' => 'Awesome Green',
    ),
  );

  $form['submit'] = array(
    '#type' => 'submit',
    '#value' => 'Submit this form',
  );

  return $form;
}

//
// Do any form validation for onos_form.
// This function is automatically called by Drupal's FormAPI system upon
// the submission of the form simply by naming the function the same as
// the function that creates the form (onos_form) and appending _validate.
//
// $form (array) = the original form that we built and returned in onos_form
//                 plus some extra items that Drupal attached when the form
//                 was drawn
// $form_state (array) = details about the submitted form. The submitted
//                 values, already checked by FormAPI against the form
//                 definition (required fields, allowed select options), are
//                 in $form_state['values']. The raw POST data is in there
//                 too, but using it directly defeats the point (bad).
//                 The values are still user input: escape them on output
//                 and use placeholders in database queries.
//                 Passed by reference so that handlers can alter it.
//
function onos_form_validate($form, &$form_state) {
  // For some reason, we want to make sure the person's name is over 2 characters long.
  if (drupal_strlen($form_state['values']['ono_form_name']) <= 2) {
    // Alert the user that they made a booboo.
    form_error($form['ono_form_name'], t("Your name needs to be longer than 2 characters"));
  }
}

//
// Submit onos_form.
// This function is automatically called by Drupal's FormAPI system upon
// the submission of the form, assuming the form passed validation.
// Like the validate function above, this function is called simply by naming
// the function the same as the function that creates the form (onos_form)
// and appending _submit.
//
// $form and $form_state are the same as in the validate function above.
//
function onos_form_submit($form, &$form_state) {
  // Do whatever is required upon successful form submission, e.g. write
  // $form_state['values'] to the database using db_query() with placeholders.
}
?>

This is a pretty simple example that highlights a few nice features of the FormAPI system. The other piece of the puzzle is how to get your form to be displayed on the page.

Assuming you have the above functions in a custom module, you simply need to call the function: drupal_get_form("onos_form");

This function will return the form built and rendered as HTML ready to be printed on the page and submitted. So, on your pages that have your current custom PHP/HTML form, add a statement to print the results of drupal_get_form("onos_form"). Or if you want the form on its own page, create a menu callback using hook_menu.

Some good Drupal links:

Another page on using the FormAPI http://drupal.org/node/751826
The FormAPI reference listing field types and allowed properties http://api.drupal.org/api/drupal/developer--topics--forms_api_reference....

Hopefully the above will help you on the right track to doing forms the Drupal way

Thx
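The following is an added worked example, not code from the thread above or from Drupal itself. It takes the original poster's situation (an HTML form that POSTs and writes to the database) and shows the hand-rolled version next to the FormAPI version with a real submit handler. It assumes Drupal 7, a hypothetical module named onos_example, and a hypothetical table onos_favorite whose schema is given at the end.

```php
<?php
// Added example, not from the original thread. Assumes Drupal 7 and a
// hypothetical module "onos_example" owning a hypothetical table
// "onos_favorite" (schema below, which belongs in onos_example.install).

// --- The hand-rolled approach: a page that trusts $_POST. ---
// Nothing checks that 'color' is one of the offered values, there is no
// form token, and string concatenation puts raw user input straight into SQL.
function onos_example_insecure_submit() {
  if (isset($_POST['name'], $_POST['color'])) {
    db_query("INSERT INTO {onos_favorite} (name, color) VALUES ('"
      . $_POST['name'] . "', '" . $_POST['color'] . "')");
  }
}

// --- The same form done the Drupal way. ---

// Expose the form at /onos/favorite. drupal_get_form() builds, renders and
// later processes it, so the page callback needs no POST handling of its own.
function onos_example_menu() {
  $items['onos/favorite'] = array(
    'title' => 'Favorite color',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('onos_example_form'),
    'access arguments' => array('access content'),
  );
  return $items;
}

function onos_example_form($form, &$form_state) {
  $form['name'] = array(
    '#type' => 'textfield',
    '#title' => t('What is your name?'),
    '#required' => TRUE,
    '#maxlength' => 128,
  );
  $form['color'] = array(
    '#type' => 'select',
    '#title' => t('What is your favorite color?'),
    '#options' => array(
      'blue' => t('Pretty Blue'),
      'red' => t('Nice Red'),
      'green' => t('Awesome Green'),
    ),
    '#required' => TRUE,
  );
  $form['submit'] = array(
    '#type' => 'submit',
    '#value' => t('Save'),
  );
  return $form;
}

// Only custom rules go here. Required fields, the select's allowed keys and
// (for logged-in users) the form token have already been checked by FormAPI
// before this runs; a tampered select value never reaches this function.
function onos_example_form_validate($form, &$form_state) {
  if (drupal_strlen(trim($form_state['values']['name'])) < 2) {
    form_set_error('name', t('Your name needs to be at least 2 characters long.'));
  }
}

// Reached only if validation passed. 'color' is guaranteed to be one of the
// #options keys; 'name' is still arbitrary text, so it goes through the
// query builder (placeholders), never concatenated into SQL.
function onos_example_form_submit($form, &$form_state) {
  $values = $form_state['values'];
  db_insert('onos_favorite')
    ->fields(array(
      'uid' => $GLOBALS['user']->uid,
      'name' => trim($values['name']),
      'color' => $values['color'],
      'created' => REQUEST_TIME,
    ))
    ->execute();
  // %name is escaped by t(), so the stored text is safe to echo back.
  drupal_set_message(t('Saved the favorite color of %name.', array('%name' => $values['name'])));
}

// Table definition (goes in onos_example.install).
function onos_example_schema() {
  $schema['onos_favorite'] = array(
    'fields' => array(
      'fid' => array('type' => 'serial', 'not null' => TRUE),
      'uid' => array('type' => 'int', 'not null' => TRUE, 'default' => 0),
      'name' => array('type' => 'varchar', 'length' => 128, 'not null' => TRUE),
      'color' => array('type' => 'varchar', 'length' => 16, 'not null' => TRUE),
      'created' => array('type' => 'int', 'not null' => TRUE, 'default' => 0),
    ),
    'primary key' => array('fid'),
  );
  return $schema;
}
```

Two version caveats worth knowing: in Drupal 7 the form builder takes `($form, &$form_state)` and drupal_get_form() returns a render array rather than an HTML string, which is why the menu entry above hands it to the page system instead of printing it; and FormAPI only attaches a form token for authenticated users, so a form reachable by anonymous visitors has no CSRF protection from the token alone.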


Ok, after reading your helpful info I decided to look a little further and noticed that the forms API is actually incredibly extensive.

In any case I'm trying to work my way through Drupal development and become a pro ... this is definitely a step in the right direction.

Big thx :)