form_close()

function form_close(): string

Description

Closes an HTML form. Always use this function instead of manually writing </form>. It automatically adds a CSRF token for security and handles validation error highlighting.

Parameters

This function does not accept any parameters.

Return Value

Type Description
string The closing </form> tag with hidden CSRF token and optional error highlighting JavaScript.

Example Usage

Imagine that you're building a simple task manager application, within a module named 'tasks'.

Your controller file, Tasks.php could have a method named create() which gets invoked when a user wishes to create a new task.

PHP
<?php
class Tasks extends Trongate {

    /**
     * Display a webpage with a form for creating a task record.
     *
     * @return void
     */
    public function create(): void {

        $data = [
            'headline' => 'Create New Task Record',
            'cancel_url' => BASE_URL.'tasks/manage',
            'form_location' => BASE_URL.'tasks/submit',
            'view_file' => 'create'
        ];

        $this->templates->admin($data);
    }

}

Inside the Tasks module, your create.php view file could have the following code:

View File
<h1><?= $headline ?></h1>
<?= validation_errors() ?>
<div class="card-body">
    <?php
    echo form_open($form_location);
    echo form_label('Task Title');
    echo form_input('task_title');
    echo form_label('Task Description');
    echo form_textarea('task_description');
    
    echo '<div class="text-center">';
    echo anchor($cancel_url, 'Cancel', array('class' => 'button alt'));
    echo form_submit('submit', 'Submit');
    echo '</div>';
    
    echo form_close();
    ?>
</div>

This generates:

HTML
<form action="https://yoursite.com/tasks/submit" method="post">
<!-- form fields here -->
<input type="hidden" name="csrf_token" value="random-token-here">
</form>

The code samples above are for demonstration purposes only. In a real-use case, you'd almost certainly need to add additional features such as security, pre-population of form fields, the ability to edit existing records and more.

How It Works

  1. When you call form_close(), it adds a hidden CSRF token to your form
  2. When the form is submitted, the Validation::run() method checks this token automatically
  3. If the token is missing or invalid, the submission is rejected

In the Tasks controller:

PHP
public function submit(): void {
    
    $submit = post('submit', true);

    if ($submit === 'Submit') {
        $this->validation->set_rules('task_title', 'task title', 'required|min_length[2]|max_length[255]');
        $this->validation->set_rules('task_description', 'task description', 'required|min_length[2]');

        // CSRF validation happens automatically here ↓
        $result = $this->validation->run();

        if ($result === true) {
            // Process the form...
        } else {
            $this->create(); // Redisplay form with errors
        }
    }
}

Automatic Error Highlighting

In addition to CSRF protection, form_close() also handles automatic validation error highlighting when used with forms that have the highlight-errors class.

When validation errors exist in the session, form_close() automatically:

  1. Injects errors as JavaScript (window.trongateValidationErrors)
  2. Injects highlighting script that adds the form-field-validation-error class to fields with errors
  3. Clears validation errors from the session

Example form with error highlighting:

View File
<?php
echo form_open($form_location, ['class' => 'highlight-errors']);
echo form_label('Email');
echo form_input('email', $email);
echo form_label('Password');
echo form_password('password');
echo form_submit('submit', 'Login');
echo form_close(); // Adds CSRF token + injects error highlighting if errors exist
?>

The error highlighting feature works automatically when forms have the highlight-errors class. Default styling is provided in trongate.css. For more details, see the Displaying Validation Errors documentation.

Important Notes

  • Always use form_close() to close forms opened with form_open()
  • GET forms (like search forms) don't need CSRF protection - but you should still use form_close() for consistency
  • The CSRF token is validated automatically by $this->validation->run()
  • When validation errors exist in the session, form_close() injects error highlighting JavaScript and clears the errors
  • Error highlighting only works when the form has the highlight-errors class

Best Practice Pattern

Follow this simple pattern in your views:

PHP
echo form_open($form_location, ['class' => 'highlight-errors']);
// ... your form fields ...
echo form_submit('submit', 'Submit');
echo form_close(); // ← This is required