Using a Form With Variables as Part of a Function

Could the form below be part of a function? I am wondering if it might not be able to be part of a function since it has variables.

Thanks in advance,

John

echo '<form  action="http://www...com/sandbox/comments/comments2.php" method="post"> 
    <input type="hidden" value="'.$_SESSION['loginid'].'" name="uid">
    <input type="hidden" value="'.$submissionid.'" name="submissionid">  
    <input type="hidden" value="'.$submission.'" name="submission">
    <input type="hidden" value="'.$url.'" name="url">
    <input type="hidden" value="'.$submittor.'" name="submittor">
    <input type="hidden" value="'.$submissiondate.'" name="submissiondate">
    <input type="hidden" value="'.$countcomments.'" name="countcomments">
    <input type="hidden" value="'.$dispurl.'" name="dispurl">



    <label class="addacomment" for="title">Add a comment:</label>

    <textarea class="commentsubfield" name="comment" type="comment" id="comment" maxlength="1开发者_开发知识库000"></textarea>  

    <div class="commentsubbutton"><input name="submit" type="submit" value="Submit"></div> 
</form>
'; 

You can use that code in a function provided that:

• You pass those parameters ($submissionid, $submission etc) to the function

or

• You make them global (you shouldn't do this without strong reason)

There's three basic choices for passing form arguments into a function:

1. massive argument list
2. stuff the values into an array and passing that in
3. global variables

Generally only #2 will keep your hair from getting yanked out (by yourself or other people). The basic setup would go something like:

function show_form($args) {
    echo <<<EOL
<form action="yada yada">
    <input type="..." name="field1" values="{$args['field1']}" />
    <input type="..." name="field2" values="{$args['field2']}" />
    etc...
</form>
EOL;
}

$form_args = array(
    'field1' => $field1,
    'field2' => $field2,
    etc...
)

show_form($form_args);

Note that I'm using a HEREDOC to generate the form text. It's far easier to deal with than building a string with concatenation. It saves you from having to worry about escaping quotes.

If this form deals with potentially hostile users, you'll want to pass all the values through htmlspecialchars() beforehand, to prevent some HTML injection attacks. You can do that within the form building function, or while you're building the argument array.

comment followup:

In this example, you're building array called "form_args" to store all the field data of your form. I'm just calling them "field1", "field2" etc... You pass those $form_args array as a parmeter to the show_form() function. Within the function, it accesses that data via its own private little "$args" copy of the array.

Within the form, the notation {$args['field1']} simply means "Look in the $args array for an entry whose key is 'field1', and insert its matching value into the HTML being generated here. The braces ({}) aren't strictly necessary in this case, but could be considered good practice to use anyways. There's more details in the PHP online manual's Arrays entry