
Using Hidden Fields to Save State

The script in Listing 10.7 has no way of knowing how many guesses a user has made. We can use a hidden field to keep track of this. The mark-up for a hidden field is similar to that of a text field. From the user's perspective, however, it has no output. A user cannot see a hidden field, unless he views the HTML source of the document that contains it. Listing 10.8 adds a hidden field to the number-guessing script and some PHP to work with it.

Listing 10.8 Saving State with a Hidden Field
 1: <?php
 2: $num_to_guess = 42;
 3: $message = "";
 4: if ( ! isset( $_POST['guess'] ) ) {
 5:    $message = "Welcome to the guessing machine!";
 6: } else if ( $_POST['guess'] > $num_to_guess ) {
 7:    $message = $_POST['guess']." is too big! Try a smaller number";
 8: } else if ( $_POST['guess'] < $num_to_guess ) {
 9:    $message = $_POST['guess']." is too small! Try a larger number";
10: } else { // must be equivalent
11:    $message = "Well done!";
12: }
13: $guess = isset( $_POST['guess'] ) ? (int) $_POST['guess'] : 0; // 0 until the form is submitted
14: $num_tries = isset( $_POST['num_tries'] ) ? (int) $_POST['num_tries'] : 0;
15: $num_tries++;
16: ?>
17: <!DOCTYPE html PUBLIC
18:     "-//W3C//DTD XHTML 1.0 Strict//EN"
19:     "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
20: <html>
21: <head>
22: <title>Listing 10.8 A PHP Number Guessing Script</title>
23: </head>
24: <body>
25: <div>
26: <h1>
27: <?php print htmlspecialchars( $message ) // $message may contain the raw guess ?>
28: </h1>
29: Guess number: <?php print $num_tries?><br/>
30:
31: <form method="post" action="<?php print htmlspecialchars( $_SERVER['PHP_SELF'], ENT_QUOTES )?>">
32: <p>
33: <input type="hidden" name="num_tries" value="<?php print $num_tries?>" />
34: Type your guess here: <input type="text" name="guess"
35:                         value="<?php print $guess?>"/>
36: </p>
37: </form>
38: </div>
39: </body>
40: </html>

The hidden field on line 33 is given the name "num_tries". We also use PHP to write its value. While we're at it, we do the same for the "guess" field on line 27 so that the user can always see his last guess. This technique is useful for scripts that parse user input. If we were to reject a form submission for some reason, we can at least allow our user to edit his previous query.

You Can Automate print() with Short Opening Tags


When you need to output the value of an expression to the browser, you can of course use print() or echo(). When you are entering PHP mode explicitly to output such a value, you can also take advantage of a special extension to PHP's short opening tags. If you add an equals (=) sign to the short PHP opening tag, the value contained will be printed to the browser. Note the following line:


<? print $test;?>

It is equivalent to


<?=$test?>

Remember, though, that the short open tag might be disabled on some sites and interfere with XML.


The variables $guess and $num_tries were extracted from the $_POST array on lines 13 and 14. We cast the values to integers and add one to $num_tries. The $num_tries variable is written to the value of the hidden field named 'num_tries' on line 33. Every time the user submits the form, the $_POST['num_tries'] element will have been incremented.

Be Careful with Client Stored Data


Don't entirely trust hidden fields. You don't know where their values have been! This isn't to say that you shouldn't use them; just be aware that your users are capable of viewing and amending source code should they want to cheat your scripts.
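
One way to act on this warning, as an added example that is not from the book: the hidden num_tries value carries an HMAC, so an edited value is detected and the count restarts. SECRET_KEY, seal_tries(), open_tries() and the "count.mac" field layout are assumptions of this sketch, which needs PHP 7.1 or later.

```php
<?php
// Added example: authenticate the hidden counter from Listing 10.8 with an HMAC.
// SECRET_KEY, seal_tries(), open_tries() and the "count.mac" layout are assumptions.
const SECRET_KEY = 'placeholder-use-a-long-random-server-side-secret';

// Value for the hidden field: "<count>.<hex HMAC-SHA256 of count>".
function seal_tries(int $num_tries): string
{
    return $num_tries . '.' . hash_hmac('sha256', (string) $num_tries, SECRET_KEY);
}

// Returns the counter when the MAC verifies, null when the field is absent or altered.
function open_tries($field): ?int
{
    if (!is_string($field) || !preg_match('/^(\d{1,6})\.([0-9a-f]{64})$/D', $field, $m)) {
        return null;
    }
    $expected = hash_hmac('sha256', $m[1], SECRET_KEY);
    return hash_equals($expected, $m[2]) ? (int) $m[1] : null; // constant-time compare
}

// In the form handler, in place of the plain (int) cast of $_POST['num_tries']:
$posted    = isset($_POST['num_tries']) ? $_POST['num_tries'] : null;
$num_tries = open_tries($posted);
if ($num_tries === null) {
    $num_tries = 0; // first visit, or the value was edited: start counting again
}
$num_tries++;
$hidden_value = seal_tries($num_tries); // print this as the hidden field's value

// Constructed demonstration: a genuine value, and one edited from 3 to 1.
$genuine = seal_tries(3);
$edited  = '1' . substr($genuine, 1);
var_dump(open_tries($genuine), open_tries($edited));
```

A MAC detects an edited value but not the replay of an earlier genuine one; keeping the counter in server-side session state closes that gap as well.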

