Open table of contents

Input and Output

Input and output form the foundation of interactive web applications. Without the ability to receive user data and display responses, your PHP scripts would be static documents. Understanding how PHP handles I/O operations is crucial because web applications are fundamentally about processing user requests and generating appropriate responses.

Let's be honest about PHP's I/O model upfront. Unlike desktop programming languages where you can pause execution and wait for user input, PHP follows a request-response model. Your script receives all input at the beginning, processes it, generates output, and terminates. There's no interactive conversation happening. Think of it like receiving a letter, writing a response, and sending it back.

This might feel limiting if you're coming from languages like Python or Java where you can prompt users and wait for responses. But this model is actually perfect for web development, where users interact through forms, clicks, and page requests rather than command-line prompts.

Understanding PHP Output

Output in PHP means sending data to the browser, command line, or wherever your script is running. PHP provides several ways to generate output, each with specific use cases and performance characteristics.

The most fundamental concept is that PHP output becomes the content users see in their browsers. When you echo HTML, CSS, or JavaScript, the browser receives it as if it came from a static file. PHP acts as a dynamic content generator that creates what users ultimately experience.

Echo: The Workhorse of PHP Output

The echo statement is PHP's primary output mechanism. It's fast, flexible, and handles multiple arguments efficiently. Most PHP output you'll write uses echo because it's optimized for web development patterns.

<?php
// Basic echo usage
echo "Hello, World!";
echo "<br>";
echo "This is on a new line.";

// Multiple arguments (faster than concatenation)
echo "<h2>", "User Information", "</h2>";

// Variable interpolation in double quotes
$username = "Alice";
$loginTime = date('H:i:s');
echo "Welcome back, $username! You logged in at $loginTime.";
?>

Echo doesn't return a value. Instead, it directly sends output to the browser. This makes it slightly faster than alternatives and explains why you can't use echo in expressions or assign its result to variables.

Print: The Alternative Output Method

The print statement serves similar purposes to echo but with important differences. Print returns a value (always 1) and only accepts a single argument. These limitations make print less common in modern PHP development.

<?php
// Print usage
print "This uses print instead of echo";
print "<br>";

// Print returns 1, so this works (though rarely useful)
$result = print "Print returns a value";
echo "<br>Print returned: $result";
?>

Choose echo for most situations. Use print only when you specifically need its return value, which is rare in typical web development.

Outputting HTML Properly

Since PHP generates HTML that browsers will display, you need to understand how to create proper HTML output. PHP doesn't automatically format your output - it sends exactly what you tell it to send.

<?php
$pageTitle = "My Website";
$userName = "Sarah";
$userAge = 25;

// Creating HTML output with PHP
echo "<html>";
echo "<head>";
echo "<title>$pageTitle</title>";
echo "</head>";
echo "<body>";
echo "<h1>Welcome to $pageTitle</h1>";
echo "<p>Hello, $userName! You are $userAge years old.</p>";
echo "</body>";
echo "</html>";
?>

Processing User Input

Web applications receive user input through various channels: form submissions, URL parameters, cookies, and session data. PHP provides superglobal arrays that contain this input data, making it accessible throughout your application.

Understanding these input sources is fundamental because they determine how users interact with your applications. Each input method serves different purposes and has distinct security considerations.

GET Requests and URL Parameters

GET requests send data through URL parameters, making the information visible in the browser's address bar. This method works well for search queries, page numbers, and other data that users might want to bookmark or share.

<?php
// Simulate GET data (normally comes from URL like ?name=John&age=25)
$_GET = [
    'name' => 'John',
    'age' => '25',
    'category' => 'electronics'
];

// Process GET data with safety checks
$name = $_GET['name'] ?? 'Guest';
$age = $_GET['age'] ?? 0;
$category = $_GET['category'] ?? 'all';

echo "<h3>Search Results</h3>";
echo "Searching for: $category items<br>";
echo "User: $name (age: $age)<br>";

// Validate and process the data
$ageInt = (int) $age;
if ($ageInt >= 18) {
    echo "Adult content available<br>";
} else {
    echo "Family-friendly results only<br>";
}
?>

Always validate GET data before using it. Users can modify URL parameters easily, so never trust this input for sensitive operations or assume it contains valid data.

POST Requests and Form Data

POST requests send data in the request body, keeping it hidden from the URL. This method is essential for sensitive information, large data sets, and operations that modify server state like creating accounts or processing payments.

<?php
// Simulate POST data from a contact form
$_POST = [
    'full_name' => 'Sarah Johnson',
    'email' => '[email protected]',
    'message' => 'I am interested in your services.'
];

// Process form submission
$fullName = $_POST['full_name'] ?? '';
$email = $_POST['email'] ?? '';
$message = $_POST['message'] ?? '';

echo "<h3>Contact Form Submission</h3>";

// Basic validation
if (empty($fullName)) {
    echo "Error: Name is required<br>";
} else {
    echo "Name: $fullName<br>";
}

if (empty($email)) {
    echo "Error: Email is required<br>";
} else {
    echo "Email: $email<br>";
}

if (empty($message)) {
    echo "Error: Message is required<br>";
} else {
    echo "Message: $message<br>";
}
?>

The trim() function removes whitespace from user input, preventing issues with accidental spaces. Always sanitize input data before processing or storing it.

Building a Simple Form

HTML forms provide the interface for user input, while PHP processes the submitted data. Understanding how forms and PHP work together is essential for building interactive web applications.

<?php
// Check if form was submitted
$submitted = isset($_POST['submit_form']);

if ($submitted) {
    $name = $_POST['name'] ?? '';
    $email = $_POST['email'] ?? '';
    $age = $_POST['age'] ?? 0;

    echo "<h3>Form Results</h3>";
    echo "Name: $name<br>";
    echo "Email: $email<br>";
    echo "Age: $age<br>";
} else {
    echo "<h3>Please fill out the form below:</h3>";
}
?>

<form method="POST">
    <label for="name">Name:</label><br>
    <input type="text" name="name" id="name" required><br><br>

    <label for="email">Email:</label><br>
    <input type="email" name="email" id="email" required><br><br>

    <label for="age">Age:</label><br>
    <input type="number" name="age" id="age" min="1" max="120"><br><br>

    <button type="submit" name="submit_form">Submit</button>
</form>

This example demonstrates the complete request-response cycle: displaying a form, processing submitted data, and showing results.

Security Considerations for Input

User input is the primary attack vector for web applications. Every piece of data coming from users, URLs, or external sources should be treated as potentially malicious. Security isn't optional - it's a fundamental requirement for any web application.

The golden rule is simple: never trust user input. Even if your form looks innocent, attackers can send crafted requests that bypass your HTML validation and attempt to exploit your application.

Basic Input Validation

Always check that user input meets your expectations before using it in your application.

<?php
// Simulate potentially problematic input
$_POST = [
    'username' => '  admin123  ',
    'email' => 'not-an-email',
    'age' => 'twenty-five'
];

// Clean and validate username
$username = trim($_POST['username'] ?? '');
if (empty($username)) {
    echo "Error: Username is required<br>";
} elseif (strlen($username) < 3) {
    echo "Error: Username must be at least 3 characters<br>";
} else {
    echo "Valid username: $username<br>";
}

// Validate email
$email = $_POST['email'] ?? '';
if (empty($email)) {
    echo "Error: Email is required<br>";
} elseif (!strpos($email, '@')) {
    echo "Error: Email must contain @ symbol<br>";
} else {
    echo "Email looks valid: $email<br>";
}

// Validate age
$age = $_POST['age'] ?? '';
$ageNumber = (int) $age;
if ($ageNumber <= 0) {
    echo "Error: Age must be a positive number<br>";
} elseif ($ageNumber > 120) {
    echo "Error: Age seems unrealistic<br>";
} else {
    echo "Valid age: $ageNumber<br>";
}
?>

Preventing HTML Injection

When displaying user input back to the browser, you must escape HTML characters to prevent malicious code injection.

<?php
// Simulate user input with HTML
$userComment = 'This is <b>bold</b> and this is <script>alert("bad")</script>';

// Wrong way - dangerous!
echo "<h3>Dangerous Output:</h3>";
echo "User said: $userComment<br>";

// Right way - safe!
echo "<h3>Safe Output:</h3>";
echo "User said: " . htmlspecialchars($userComment) . "<br>";

// Show what htmlspecialchars does
echo "<h3>What htmlspecialchars() does:</h3>";
echo "Original: $userComment<br>";
echo "Escaped: " . htmlspecialchars($userComment) . "<br>";
?>

Always use htmlspecialchars() when outputting user data in HTML context. This function converts potentially dangerous characters to safe HTML entities.

Working with Different Input Types

Web forms support various input types, each requiring specific handling. Understanding these differences helps you build robust, user-friendly interfaces.

Handling Checkboxes

Checkboxes behave differently from text inputs. Unchecked checkboxes don't appear in submitted data at all.

<?php
// Simulate checkbox form submission
$_POST = [
    'newsletter' => 'on',  // Checkbox was checked
    'terms' => 'on'        // Another checkbox was checked
    // Note: unchecked boxes don't appear in $_POST at all
];

// Check if newsletter checkbox was checked
$newsletter = isset($_POST['newsletter']);
echo "Newsletter signup: " . ($newsletter ? "Yes" : "No") . "<br>";

// Check if terms checkbox was checked
$terms = isset($_POST['terms']);
echo "Agreed to terms: " . ($terms ? "Yes" : "No") . "<br>";

// Check a checkbox that wasn't submitted
$marketing = isset($_POST['marketing']);
echo "Marketing emails: " . ($marketing ? "Yes" : "No") . "<br>";
?>

Handling Select Dropdowns

Select dropdowns submit their selected value as a simple string.

<?php
// Simulate dropdown selection
$_POST = ['country' => 'canada'];

$country = $_POST['country'] ?? 'none';

echo "Selected country: ";
if ($country === 'usa') {
    echo "United States";
} elseif ($country === 'canada') {
    echo "Canada";
} elseif ($country === 'uk') {
    echo "United Kingdom";
} else {
    echo "No country selected";
}
?>

Best Practices for I/O Operations

Following established patterns makes your input/output code more secure, maintainable, and user-friendly. These practices have evolved from years of real-world web development experience.

Always Validate Input

Create simple validation for all user input. Check that required fields are present and that data makes sense for your application.

<?php
// Simulate form data
$_POST = [
    'name' => 'John Doe',
    'email' => '[email protected]',
    'age' => '25'
];

$errors = [];
$validData = [];

// Validate name
$name = trim($_POST['name'] ?? '');
if (empty($name)) {
    $errors[] = "Name is required";
} else {
    $validData['name'] = $name;
}

// Validate email
$email = trim($_POST['email'] ?? '');
if (empty($email)) {
    $errors[] = "Email is required";
} elseif (!strpos($email, '@')) {
    $errors[] = "Email must contain @ symbol";
} else {
    $validData['email'] = $email;
}

// Validate age
$age = (int) ($_POST['age'] ?? 0);
if ($age < 1 || $age > 120) {
    $errors[] = "Age must be between 1 and 120";
} else {
    $validData['age'] = $age;
}

// Display results
if (!empty($errors)) {
    echo "<h3>Errors found:</h3>";
    foreach ($errors as $error) {
        echo "• $error<br>";
    }
} else {
    echo "<h3>All data is valid!</h3>";
    foreach ($validData as $field => $value) {
        echo ucfirst($field) . ": $value<br>";
    }
}
?>

Provide User Feedback

Always let users know what happened after they submit a form. Clear feedback improves the user experience significantly.

<?php
// Simulate a contact form submission
$submitted = true; // In real code, check if form was submitted

if ($submitted) {
    echo "<div style='background: lightgreen; padding: 10px; border-radius: 5px;'>";
    echo "<strong>Success!</strong> Your message has been sent.";
    echo "</div>";
} else {
    echo "<div style='background: lightcoral; padding: 10px; border-radius: 5px;'>";
    echo "<strong>Error!</strong> Please fix the problems below.";
    echo "</div>";
}
?>

Keep Forms Simple

Start with simple forms and add complexity gradually. Users prefer straightforward interfaces over complicated ones.

<?php
// Example of a simple, effective contact form structure
?>
<h3>Contact Us</h3>
<form method="POST">
    <p>
        <label for="name">Your Name:</label><br>
        <input type="text" name="name" id="name" required>
    </p>

    <p>
        <label for="email">Your Email:</label><br>
        <input type="email" name="email" id="email" required>
    </p>

    <p>
        <label for="message">Your Message:</label><br>
        <textarea name="message" id="message" rows="4" cols="50" required></textarea>
    </p>

    <p>
        <button type="submit">Send Message</button>
    </p>
</form>

Common Pitfalls to Avoid

Understanding frequent mistakes helps you write better I/O code from the start.

Don't Trust User Input

Never assume user input is safe or correct. Always validate and sanitize everything that comes from users.

<?php
// Bad example - trusting user input
$userAge = $_POST['age'] ?? 0;
echo "In 10 years, you'll be " . ($userAge + 10) . " years old.";

// Better example - validating first
$userAge = (int) ($_POST['age'] ?? 0);
if ($userAge > 0 && $userAge < 120) {
    echo "In 10 years, you'll be " . ($userAge + 10) . " years old.";
} else {
    echo "Please enter a valid age.";
}
?>

Don't Display Raw User Data

Always escape user data before displaying it in HTML to prevent security issues.

<?php
$userName = 'Alice <script>alert("test")</script>';

// Wrong - could be dangerous
echo "Welcome, $userName!<br>";

// Right - safe for display
echo "Welcome, " . htmlspecialchars($userName) . "!<br>";
?>

Moving Forward

Input and output operations are fundamental skills you'll use in every PHP web application. The concepts you've learned here - form processing, input validation, and secure output - form the backbone of interactive web development.

In our next lesson, we'll explore string handling and manipulation. You'll learn how to process, format, and transform the text data that users submit through forms. These string manipulation skills will enhance your ability to create polished, user-friendly applications.

The foundation you've built with input/output handling will support everything else you learn in PHP. Take time to practice these concepts with simple forms before moving on to more complex topics. Understanding how data flows from users to your PHP scripts and back to the browser is crucial for building effective web applications.

← Previous Lesson: Personal Information Card Next Lesson: String Handling →