Trongate PHP Framework Docs
Introduction
Quick Start
Basic Concepts
Understanding Routing
Intercepting Requests
Module Fundamentals
Database Operations
Templates
Helpers
Form Handling
Form Validation
Working With Files
Image Manipulation
Working With Dates & Times
Language Control
Security
Tips And Best Practices

Creating Forms

Every form needs an opening tag and a closing tag. In Trongate, two functions handle this:

  • - generates the opening <form> tag
  • - generates the closing </form> tag plus a hidden CSRF token

That's it. Two functions. Clean HTML. Automatic security.

Basic Usage

Here's the simplest possible form:

Output:

Notice:

  • The action URL is automatically converted to an absolute URL
  • The method defaults to post
  • The CSRF token is automatically added

Setting the Form Action

The first parameter of is the submission URL. You have three options:

Option 1: Relative URL (most common)

Option 2: Absolute URL

Option 3: Root-relative path

Trongate automatically prepends BASE_URL to relative URLs. If you pass an absolute URL or a path starting with /, it leaves it alone.

Adding Custom Attributes

The second parameter is an optional array of HTML attributes:

Output:

Changing the HTTP Method

By default, forms use POST. To use GET:

Output:

Note: GET forms still receive a CSRF token via form_close(). The Validation module only checks these tokens on POST requests, so there is no harm in including one on a GET form.

File Upload Forms

For forms that accept file uploads, use instead of . It sets enctype="multipart/form-data" automatically:

Every other form helper works the same way. The only difference is the enctype attribute on the form tag. See the Working With Files chapter for the full file upload workflow.

Real-World Examples

Login Form

Search Form (GET method)

Understanding form_close()

The function does two things:

  1. Injects a hidden CSRF token field
  2. Outputs the closing </form> tag

Here's what actually gets generated for POST forms:

When the form submits, Trongate's Validation module automatically checks this token. If it's missing or invalid, the request gets blocked.

You never have to think about CSRF tokens. Just use form_close() and you're protected.

Working with Variables

In real applications, you'll usually build the form action dynamically:

Or pass it from the controller:

Pro tip: Always use instead of manually writing </form>. The CSRF protection is automatic and worth it.

We're continually improving the Trongate documentation. If anything is incorrect, unclear, incomplete, or could be better, we'd genuinely appreciate your input.

Share your thoughts in the Documentation Feedback.

Leave Feedback About This Page