What is the best way to handle processing in PHP from either logins or form posts

I am pretty new to PHP and have yet to find really practical book which describes how to best process things in PHP in a real world situation, with security in mind. Even searching google, most articles are just about the basics, and are not real world examples. I just don't see anything good out there on PHP structure and f开发者_StackOverflowlow for a website as a whole.

What I have adopted is for example, if a user fills out a login form in ABC.php, the data is posted to XYZ.php?do=processLogin . In XYZ, I have an "IF ISSET" for the "do" variable and if it's set then it enters a switch statement which handles logins, or logoffs, etc, and then redirects them back to the appropriate page. If the "do" variable is not set, they get dumped back to the login page.

I've seen many examples where data is posted to the same script, however just about anytime I am doing any sort of form processing or an action such as a login of logoff or account editing, I am posting to completely seperate PHP file to take care of that work, and then redirecting the user back.

Is this way sub-optimal, abnormal, stupid?? Can someone give me some advice on this, or link some good examples related to this topic? I was thinking lately of finding some open source app written in PHP so that I can view how an experienced PHP coder structures their site, so if anyone has an example of one of those to look at, that would be appreciated too.

Thanks in advance!

---

The first rule you need to be observant of is to NEVER, EVER trust user input, especially in your get/post/request super variables.

It all depends on the scope of what you're trying to do, but generally you'll want to take only the variables you want from your $_POST into your own variable, such as $data (ie, $data['do'] = $_POST['do']), that way you don't get extra variables snuck in over the border.

The other thing you need to do is ensure your user input is correctly sanitized for it's application. If you're taking input for a blog-- You want to remove things that will parse as HTML. If you're doing a login, you want to disallow the user from typing in an SQL injection attack that allows them to log in as anyone.

Now, using a central file to delegate all your other tasks is actually a good practice. You can see it all over. Spend some time thinking about the best way to call all your functions -- I personally wrap variable checking and request delegation into one page. It reduces the number of entry-points into your system, making security easier to lock down (because you don't have to look after several files).

Using it to delegate what kind of page you're requesting isn't really going to change the setup.

Forums on the internet use this pattern often to make sure you don't keep double posting. This doesn't deal with people who hammer on "submit" however.

There are better methods to deal with duplicate submissions. First, you should disable your submit button on that page once it's clicked using javascript, and just toss in something that lets the user know it's loading. Then you may either use this method where you send the redirection to a "okay it worked" page (or a failure page). The next step could be using cookies or generate a form ID data to keep track of what submission is being sent. For example, when a user opens a new page, post ID 123 is open, if they submit it again and again it fails because post 123 was already sent.

What I would suggest more than my advice is looking into this. http://wiki.apache.org/struts/DataEntryForm

---

What you're doing is a pretty good way to deal with form submissions and is called Post-Redirect-Get.

https://stackoverflow.com/questions/tagged/post-redirect-get