Forms are usually combined with programs written in various
programming language to allow
developers to create dynamic
web sites. The most popular languages include both client-side and/or server-side languages. Although any programming language can be used on the server to process a form's data, the most commonly used languages are
scripting languages, which tend to have stronger
string handling functionality than programming languages such as C, and also have automatic
memory management which helps to prevent
buffer overrun attacks.
Client-side The
de facto client-side scripting language for web sites is
JavaScript. Using JavaScript on the
Document Object Model (DOM) leads to the method of
Dynamic HTML that allows dynamic creation and modification of a web page within the browser. While client-side languages used in conjunction with forms are limited, they often can serve to do pre-
validation of the form data and/or to prepare the form data to send to a server-side program. This usage is being replaced, however, by
HTML5's new input field types and required attribute.
Server-side execution Server-side code can do a vast assortment of tasks to create dynamic web sites that, for technical or security reasons, client-side code cannot — from
authenticating a
login, to retrieving and storing data in a
database, to
spell checking, to sending
e-mail. A significant advantage to server-side over client-side execution is the concentration of functionality onto the server rather than relying on different
web browsers to implement various functions in consistent,
standardized ways. In addition, processing forms on a server often results in increased security if server-side execution is designed not to trust the data supplied by the client and includes such techniques as
HTML sanitization. One disadvantage to server side code is
scalability—server side processing for all users occurs on the server, while client side processing occurs on individual client computers.
Interpreted languages Some of the
interpreted languages commonly used to design interactive forms in web development are
PHP,
Python,
Ruby,
Perl,
JSP,
Adobe ColdFusion and some of the compiled languages commonly used are
Java and
C# with
ASP.NET.
PHP PHP is one very common language used for server-side "programming" and is one of the few languages created specifically for
web programming. To use PHP with an HTML form, the URL of the PHP script is specified in the action attribute of the form tag. The target PHP file then accesses the data passed by the form through PHP's $_POST or $_GET variables, depending on the value of the method attribute used in the form. Here is a basic form handler PHP script that will display the contents of the input field on the page: '''''' Form Name: Submit '''''' Output The sample code above uses PHP's filter_input() function to sanitize the user's input before inserting it onto the page. Simply printing (echoing) user input to the browser without checking it first is something that should be avoided in secure forms processors: if a user entered the JavaScript code alert(1) into the field, the browser would execute the script on the page, just as if it had been coded by the developer; malicious code could be executed this way. filter_input() was introduced in PHP 5.2. Users of earlier PHP versions could use the htmlspecialchars() function, or
regular expressions to sanitize the user input before doing anything with it.
Perl programming language Perl is another language often used for
web development. Perl scripts are traditionally used as
Common Gateway Interface applications (CGIs). In fact, Perl is such a common way to write CGIs that the two are often confused. CGIs may be written in other languages than Perl (compatibility with multiple languages is a design goal of the CGI protocol) and there are other ways to make Perl scripts interoperate with a
web server than using CGI (such as
FastCGI,
Plack or
Apache's
mod_perl). Perl CGIs were once a very common way to write
web applications. However, many web hosts today effectively only support PHP, and developers of web applications often seek compatibility with them. A modern Perl 5 CGI using the CGI module with a form similar to the one above might look like: '''''' • !/usr/bin/env perl use strict; use CGI qw(:standard); my $name = param("first_name"); print header; print html( body( p("Hello, $name!"), ), );
Form-to-email scripts Among the simplest and most commonly needed types of server-side script is that which simply emails the contents of a submitted form. This kind of script is frequently exploited by
spammers, however, and many of the most popular form-to-email scripts in use are vulnerable to hijacking for the purpose of sending spam emails. One of the most popular scripts of this type was "FormMail.pl" made by
Matt's Script Archive. Today, this script is no longer widely used in new development due to lack of updates, security concerns, and difficulty of configuration.
Form builders Some companies offer forms as a
hosted service. Usually, these companies give some kind of visual editor, reporting tools and infrastructure to create and host the forms, that can be embedded into webpages.
Web hosting companies provide templates to their clients as an add-on service. Other form hosting services offer free contact forms that a user can install on their own website by pasting the service's code into the site's HTML. ==History==