PHP Complete Form – Full Example with Validation, Sanitization, and Feedback

Build a secure, user-friendly PHP form with complete validation, input sanitization, and feedback mechanisms.

Introduction – Why a Complete PHP Form Example Is Essential

While learning individual PHP form concepts is crucial, integrating them into a full example is where the real-world application comes in. A complete form example brings together the HTML layout, server-side validation, input sanitization, and user feedback, creating a secure and reliable interaction between users and your website.

In this guide, you’ll learn:

• How to create a fully working contact/registration form
• How to validate and sanitize multiple fields
• How to display clear success/error messages
• Best practices for secure and maintainable forms

PHP Complete Form Example

HTML Form

<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>">
  <label>Name: <input type="text" name="name"></label><br>
  <label>Email: <input type="email" name="email"></label><br>
  <label>Website: <input type="url" name="website"></label><br>
  <label>Message: <textarea name="message"></textarea></label><br>
  <input type="submit" value="Submit">
</form>

Uses POST method and submits to the same script ($_SERVER["PHP_SELF"]).
htmlspecialchars() prevents cross-site scripting (XSS) in the form action.

PHP Backend Logic

$name = $email = $website = $message = "";
$errors = [];

if ($_SERVER["REQUEST_METHOD"] === "POST") {
  $name = htmlspecialchars(trim($_POST["name"]));
  $email = filter_var(trim($_POST["email"]), FILTER_SANITIZE_EMAIL);
  $website = filter_var(trim($_POST["website"]), FILTER_SANITIZE_URL);
  $message = htmlspecialchars(trim($_POST["message"]));

  if (empty($name)) {
    $errors[] = "Name is required.";
  }

  if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
    $errors[] = "Invalid email address.";
  }

  if (!empty($website) && !filter_var($website, FILTER_VALIDATE_URL)) {
    $errors[] = "Invalid website URL.";
  }

  if (empty($message)) {
    $errors[] = "Message cannot be empty.";
  }

  if (empty($errors)) {
    echo "<p style='color:green;'>Form submitted successfully!</p>";
    // You can proceed to store data or send email here
  } else {
    foreach ($errors as $err) {
      echo "<p style='color:red;'>$err</p>";
    }
  }
}

Summary – Recap & Next Steps

This full PHP form example demonstrates how to collect, sanitize, and validate multiple inputs while providing clear and actionable feedback to users. You now have a solid base to build forms for registration, contact pages, feedback, and more.

Key Takeaways:

• Use htmlspecialchars() and filter_var() for safety
• Use $_SERVER["REQUEST_METHOD"] to handle submissions
• Validate each field explicitly and provide helpful error messages
• Always sanitize input before validation or processing

Real-World Use Cases:
Contact forms, user signups, quote requests, newsletter subscriptions, comment forms

Frequently Asked Questions (FAQs)

Why use htmlspecialchars() in the form action?
It prevents users from injecting scripts via the URL into the action attribute, reducing XSS risks.

How do I keep submitted data in the form after an error?
Use PHP to echo the submitted values back into the form inputs:

<input type="text" name="name" value="<?php echo htmlspecialchars($name); ?>">

Should I sanitize before or after validation?
Sanitize first to remove potentially harmful input, then validate the cleaned data.

What should I do after successful validation?
Save to a database, send an email, or redirect to a thank-you page. Don’t forget to sanitize output before display or storage.

Can I validate dropdowns, checkboxes, or radio buttons this way too?
Yes. Use isset() or in_array() for those input types and validate against expected values.