Trongate PHP Framework Docs

Creating Forms

Every form needs an opening tag and a closing tag. In Trongate, two functions handle this:

  • form_open() - generates the opening <form> tag
  • form_close() - generates the closing </form> tag plus a hidden CSRF token

That's it. Two functions. Clean HTML. Automatic security.

Basic Usage

Here's the simplest possible form:

View File
echo form_open('tasks/submit');
echo form_input('task_name');
echo form_submit('submit', 'Save');
echo form_close();

Output:

HTML
<form action="https://yoursite.com/tasks/submit" method="post">
    <input type="text" name="task_name">
    <button type="submit" name="submit">Save</button>
    <input type="hidden" name="csrf_token" value="a7f3d9e2b1c4...">
</form>

Notice:

  • The action URL is automatically converted to an absolute URL
  • The method defaults to post
  • The CSRF token is automatically added

Setting the Form Action

The first parameter of form_open() is the submission URL. You have three options:

Option 1: Relative URL (most common)

View File
echo form_open('users/submit');
// Becomes: <form action="https://yoursite.com/users/submit" method="post">

Option 2: Absolute URL

View File
echo form_open('https://yoursite.com/users/submit');
// Stays as-is: <form action="https://yoursite.com/users/submit" method="post">

Option 3: Root-relative path

View File
echo form_open('/users/submit');
// Stays as-is: <form action="/users/submit" method="post">

Trongate automatically prepends BASE_URL to relative URLs. If you pass an absolute URL or a path starting with /, it leaves it alone.

Adding Custom Attributes

The second parameter is an optional array of HTML attributes:

View File
$attributes = [
    'id' => 'login-form',
    'class' => 'highlight-errors'
];

echo form_open('auth/login', $attributes);

Output:

HTML
<form action="https://yoursite.com/auth/login" method="post" id="login-form" class="highlight-errors">

Changing the HTTP Method

By default, forms use POST. To use GET:

View File
$attributes = ['method' => 'get'];
echo form_open('search/results', $attributes);

Output:

HTML
<form action="https://yoursite.com/search/results" method="get">

Note: GET forms still receive a CSRF token via form_close(). The Validation module only checks these tokens on POST requests, so there is no harm in including one on a GET form.

File Upload Forms

For forms that accept file uploads, use form_open_upload() instead of form_open(). It sets enctype="multipart/form-data" automatically:

View File
echo form_open_upload('products/upload_picture');

// Same output as form_open(), but with enctype added:
// <form action="https://yoursite.com/products/upload_picture" method="post" enctype="multipart/form-data">

Every other form helper works the same way. The only difference is the enctype attribute on the form tag. See the Working With Files chapter for the full file upload workflow.

Real-World Examples

Login Form

View File
echo form_open('auth/login');
echo form_label('Email');
$email_attr = ['placeholder' => 'Enter your email address', 'autocomplete' => 'email'];
echo form_email('email', '', $email_attr);
echo form_label('Password');
echo form_password('password', '', array('placeholder' => 'Enter password'));
echo form_submit('submit', 'Log In');
echo form_close();

Search Form (GET method)

View File
$attributes = [
    'method' => 'get',
    'class' => 'search-form'
];

echo form_open('products/search', $attributes);
echo form_search('q', '', ['placeholder' => 'Search products...']);
echo form_submit('submit', 'Search');
echo form_close();

Understanding form_close()

The form_close() function does two things:

  1. Injects a hidden CSRF token field
  2. Outputs the closing </form> tag

Here's what actually gets generated for POST forms:

HTML
<input type="hidden" name="csrf_token" value="a7f3d9e2b1c4f8a9d0e5b2c7...">
</form>

When the form submits, Trongate's Validation module automatically checks this token. If it's missing or invalid, the request gets blocked.

You never have to think about CSRF tokens. Just use form_close() and you're protected.
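
The pattern behind that hidden field, as an added PHP sketch that is not Trongate's source or part of the original docs. The demo_* functions and the $session array (a stand-in for $_SESSION) are hypothetical, and the POST-only check follows the note under "Changing the HTTP Method".

```php
<?php
declare(strict_types=1);

// Illustrative sketch only: hypothetical helpers, not Trongate's implementation.
// $session stands in for $_SESSION so the script runs from the CLI.

/** Return the session's CSRF token, creating it on first use. */
function demo_csrf_token(array &$session): string {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32)); // 256-bit random value
    }
    return $session['csrf_token'];
}

/** Mimic the markup shown above: hidden token field, then the closing tag. */
function demo_form_close(array &$session): string {
    $token = htmlspecialchars(demo_csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $token . '">' . "\n</form>";
}

/** Accept non-POST requests; for POST, require a token matching the session's. */
function demo_csrf_check(string $method, array $post, array $session): bool {
    if (strtoupper($method) !== 'POST') {
        return true; // tokens are only checked on POST, as the page notes
    }
    $expected  = $session['csrf_token'] ?? '';
    $submitted = $post['csrf_token'] ?? '';
    if (!is_string($submitted) || $expected === '' || $submitted === '') {
        return false; // token missing, malformed, or never issued
    }
    return hash_equals($expected, $submitted); // constant-time comparison
}

// Constructed requests, one per case.
$session = [];
echo demo_form_close($session), "\n";
$good = ['task_name' => 'Buy milk', 'csrf_token' => $session['csrf_token']];

var_dump(demo_csrf_check('POST', $good, $session));                                 // valid token
var_dump(demo_csrf_check('POST', ['task_name' => 'x'], $session));                  // token missing
var_dump(demo_csrf_check('POST', ['csrf_token' => str_repeat('0', 64)], $session)); // wrong token
var_dump(demo_csrf_check('POST', ['csrf_token' => ['a']], $session));               // array instead of string
var_dump(demo_csrf_check('GET', [], $session));                                     // GET is not checked
```

Because GET requests skip the check, anything that changes state belongs behind a POST form.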

Working with Variables

In real applications, you'll usually build the form action dynamically:

View File
$update_id = segment(3, 'int');

if ($update_id > 0) {
    $form_location = 'tasks/submit/'.$update_id;
} else {
    $form_location = 'tasks/submit';
}

echo form_open($form_location);

Or pass it from the controller:

PHP
// In controller
$data['form_location'] = 'tasks/submit/'.$update_id;
$this->view('create', $data);

// In view
echo form_open($form_location);

Pro tip: Always use form_close() instead of manually writing </form>. The CSRF protection is automatic and worth it.
