Creating Forms
Every form needs an opening tag and a closing tag. In Trongate, two functions handle this:
- form_open() - generates the opening <form> tag
- form_close() - generates the closing </form> tag plus a hidden CSRF token
That's it. Two functions. Clean HTML. Automatic security.
Basic Usage
Here's the simplest possible form:
Output:
Notice:
- The action URL is automatically converted to an absolute URL
- The method defaults to post
- The CSRF token is automatically added
Setting the Form Action
The first parameter of form_open() is the submission URL. You have three options:
Option 1: Relative URL (most common)
Option 2: Absolute URL
Option 3: Root-relative path
Trongate automatically prepends BASE_URL to relative URLs. If you pass an absolute URL or a path starting with /, it leaves it alone.
Adding Custom Attributes
The second parameter is an optional array of HTML attributes:
Output:
Changing the HTTP Method
By default, forms use POST. To use GET:
Output:
Important: Forms using GET will not include CSRF tokens. The form_close() function only adds tokens for POST forms, so keep GET for requests that do not change anything on the server, such as searches.
Real-World Examples
Login Form
Search Form (GET method)
Understanding form_close()
The form_close() function does two things:
- Outputs the closing </form> tag
- Injects a hidden CSRF token field (for POST forms only)
Here's what actually gets generated for POST forms:
When the form submits, Trongate's Validation module automatically checks this token. If it's missing or invalid, the request gets blocked.
For POST forms, you never have to think about CSRF tokens. Just use form_close() and you're protected.
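The pattern this section describes (a hidden token injected for POST forms only, then checked on submission) can be sketched in plain PHP. This is an added example, not Trongate's own code: the demo_* functions, the csrf_token field name, the token format and the in-memory session array are all assumptions made for illustration.

```php
<?php
// Added illustration, not Trongate source; every demo_* name is hypothetical.

// Return the per-session token, creating it on first use.
function demo_csrf_token(array &$session): string {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Close a form, emitting the hidden token field for POST forms only.
function demo_form_close(array &$session, string $method = 'post'): string {
    $html = '';
    if (strtolower($method) === 'post') {
        $token = htmlspecialchars(demo_csrf_token($session), ENT_QUOTES, 'UTF-8');
        $html = '<input type="hidden" name="csrf_token" value="' . $token . '">' . "\n";
    }
    return $html . '</form>';
}

// Server-side check that runs before a POST handler is allowed to proceed.
function demo_csrf_valid(array $session, array $post): bool {
    $expected  = $session['csrf_token'] ?? '';
    $submitted = $post['csrf_token'] ?? '';
    // is_string() rejects array input such as csrf_token[]=x;
    // hash_equals() compares in constant time.
    return is_string($submitted) && $expected !== ''
        && hash_equals($expected, $submitted);
}

// Constructed sample data: a plain array stands in for $_SESSION.
$session = [];
echo demo_form_close($session, 'post'), "\n\n";  // POST form: token is injected
echo demo_form_close($session, 'get'), "\n\n";   // GET form: no token

$genuine = ['csrf_token' => $session['csrf_token'], 'username' => 'alice'];
$forged  = ['username' => 'alice'];              // cross-site submission, no token
$wrong   = ['csrf_token' => str_repeat('0', 64)];

foreach (['genuine' => $genuine, 'forged' => $forged, 'wrong' => $wrong] as $label => $post) {
    echo $label, ': ', demo_csrf_valid($session, $post) ? 'accepted' : 'blocked', "\n";
}
```

Run it from the command line with `php` to see which of the three constructed submissions passes the check.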
Working with Variables
In real applications, you'll usually build the form action dynamically:
Or pass it from the controller:
Pro tip: Always use form_close() instead of manually writing </form>. The CSRF protection is automatic and worth it.