A webform, web form or HTML form on a web page allows a user to enter data that is sent to a server for processing. Forms can resemble paper or database forms because web users fill out the forms using checkboxes, radio buttons, or text fields. For example, forms can be used to enter shipping or credit card data to order a product, or can be used to retrieve search results from a search engine.
Forms are enclosed in the HTML
<form> element. This element specifies the communication endpoint the data entered into the form should be submitted to, and the method of submitting the data,
Forms can be made up of standard graphical user interface elements:
<text>-- a simple text box that allows input of a single line of text.
<email>- a type of
<text>that requires a partially validated email address
<number>- a type of
<text>that requires a number
<password>-- similar to
<text>, it is used for security purposes, in which the characters typed in are invisible or replaced by symbols such as *
<radio>-- a radio button
<file>-- a file select control for uploading a file
<reset>-- a reset button that, when activated, tells the browser to restore the values to their initial values.
<submit>-- a button that tells the browser to take action on the form (typically to send it to a server)
<textarea>-- much like the
<text>input field except a
<textarea>allows for multiple rows of data to be shown and entered
<select>-- a drop-down list that displays a list of items a user can select from
The sample image on the right shows most of these elements:
HTML 4 introduced the
<label> tag, which is intended to represent a caption in a user interface, and can be associated with a specific form control by specifying the
id attribute of the control in the label tag's
for attribute. This allows labels to stay with their elements when a window is resized and to allow more desktop-like functionality (e.g. clicking a radio button or checkbox's label will activate the associated input element).
HTML 5 introduces a number of input tags that can be represented by other interface elements. Some are based upon text input fields and are intended to input and validate specific common data. These include
<email> to enter email addresses,
<tel> for telephone numbers,
<date> input type displays a calendar from which the user can select a date or date range. And the
color input type can be represented as an input text simply checking the value entered is a correct hexadecimal representation of a color, according to the specification, or a color picker widget (the latter being the solution used in most browsers which support this attribute).
When data that has been entered into HTML forms is submitted, the names and values in the form elements are encoded and sent to the server in an HTTP request message using GET or POST. Historically, an email transport was also used. The default MIME type (internet media type), application/x-www-form-urlencoded, is based on a very early version of the general URI percent-encoding rules, with a number of modifications such as newline normalization and replacing spaces with "
+" instead of "
%20". Another possible encoding, Internet media type multipart/form-data, is also available and is common for POST-based file submissions.
Forms are usually combined with programs written in various programming language to allow developers to create dynamic web sites. The most popular languages include both client-side and/or server-side languages.
Although any programming language can be used on the server to process a form's data, the most commonly used languages are scripting languages, which tend to have stronger string handling functionality than programming languages such as C, and also have automatic memory management which helps to prevent buffer overrun attacks.
While client-side languages used in conjunction with forms are limited, they often can serve to do pre-validation of the form data and/or to prepare the form data to send to a server-side program. This usage is being replaced, however, by HTML5's new
input field types and
Server-side code can do a vast assortment of tasks to create dynamic web sites that, for technical or security reasons, client-side code cannot — from authenticating a login, to retrieving and storing data in a database, to spell checking, to sending e-mail. A significant advantage to server-side over client-side execution is the concentration of functionality onto the server rather than relying on different web browsers to implement various functions in consistent, standardized ways. In addition, processing forms on a server often results in increased security if server-side execution is designed not to trust the data supplied by the client and includes such techniques as HTML sanitization. One disadvantage to server side code is scalability—server side processing for all users occurs on the server, while client side processing occurs on individual client computers.
Some of the interpreted languages commonly used to design interactive forms in web development are PHP, Python, Ruby, Perl, JSP, Adobe ColdFusion and some of the compiled languages commonly used are Java and C# with ASP.NET.
To use PHP with an HTML form, the URL of the PHP script is specified in the
action attribute of the form tag. The target PHP file then accesses the data passed by the form through PHP's
$_GET variables, depending on the value of the
method attribute used in the form. Here is a basic form handler PHP script that will display the contents of the firstname input field on the page:
<!DOCTYPE html> <html> <head> <title>Form</title> </head> <body> <form action="form_handler.php"> Name: <input name="firstname" type="text"> <input type="submit" value="Submit"> </form> </body> </html>
<!DOCTYPE html> <html> <head> <title>Output</title> </head> <body> <?php // This will print whatever the user entered into the form.html page. $name = filter_input(INPUT_GET, 'firstname', FILTER_SANITIZE_STRING); echo "Hello, ".$name."!"; ?> </body> </html>
The sample code above uses PHP's
<script>alert(1)</script> into the firstname field, the browser would execute the script on the form_handler.php page, just as if it had been coded by the developer; malicious code could be executed this way.
filter_input was introduced in PHP 5.2. Users of earlier PHP versions could use the
htmlspecialchars function, or regular expressions to sanitize the user input before doing anything with it.
Perl is another language often used for web development. Perl scripts are traditionally used as Common Gateway Interface applications (CGIs). In fact, Perl is such a common way to write CGIs that the two are often confused. CGIs may be written in other languages than Perl (compatibility with multiple languages is a design goal of the CGI protocol) and there are other ways to make Perl scripts interoperate with a web server than using CGI (such as FastCGI, Plack or Apache's mod_perl).
Perl CGIs were once a very common way to write web applications. However, many web hosts today effectively only support PHP, and developers of web applications often seek compatibility with them.
A modern Perl 5 CGI using the CGI module with a form similar to the one above might look like:
#!/usr/bin/env perl use strict; use CGI qw(:standard); my $name = param('firstname'); print header; print html( body( p("Hello, $name!"), ), );
Among the simplest and most commonly needed types of server-side script is that which simply emails the contents of a submitted form. This kind of script is frequently exploited by spammers, however, and many of the most popular form-to-email scripts in use are vulnerable to hijacking for the purpose of sending spam emails. One of the most popular scripts of this type was "FormMail.pl" made by Matt's Script Archive. Today, this script is no longer widely used in new development due to lack of updates, security concerns, and difficulty of configuration.
Some companies offer forms as a hosted service. Usually, these companies give some kind of visual editor, reporting tools and infrastructure to create and host the forms, that can be embedded into webpages. Web hosting companies provide templates to their clients as an add-on service. Other form hosting services offer free contact forms that a user can install on their own website by pasting the service's code into the site's HTML.