How to submit form to controller or model in MVC?

I'm trying to apply a simple MVC pattern to my current website without any frameworks. Since I haven't really gotten into OOP yet, I'm still using procedural at the moment.

I have a simple login form (view)

<form action="controller/login.php" method="post">
<input type="text" name="username" placeholder="Username" />
<input type="password" name="password" placeholder="Password" />
<input type="submit" value="Sign in" />
</form>

This form will submit to the controller for the login form. The controller will now check if both fields have inputs and "cleanse" more or less the input.

// Read the submitted fields, then escape them for use inside quoted SQL strings
$username = $_POST['username'];
$password = $_POST['password'];
$username_escape = mysqli_real_escape_string($connect, $username);
$password_escape = mysqli_real_escape_string($connect, $password);


This is a really simple check right now; however, I was now wondering: should I include the controller into the model and redirect to the model from the controller, or form-submit it in the first place and have the controller included?


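// The escaped values must sit inside quotes: mysqli_real_escape_string() only protects quoted strings
$query = mysqli_query($connect, "INSERT INTO DB_table (username, password)
VALUES ('$username_escape', '$password_escape')");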

Last updated: 11/10/2014 12:55:38 AM

1 Answer

Allen Scott

It's good that you're trying to separate your concerns, but MVC is a design pattern based on top of OOP principles.

OOP works with objects, and those objects are defined by a class, which is like a blueprint.

So in this example, you'd want everything to go through the controller, then depending on whether you want to save out, you'd want to call the model.


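class LoginController
{
    public function indexAction()
    {
        // Fall back to null when a field was not submitted, so is_null() works without notices
        $username = $_POST['username'] ?? null;
        $password = $_POST['password'] ?? null;
        if (!is_null($username) && !is_null($password)) {
            $user = new \Service\User();
            $credentialsAreValid = $user->checkCredentials($username, $password);
            if ($credentialsAreValid) {
                // "Location" is the HTTP redirect header; stop the script after sending it
                header("Location: Somewhere");
                exit;
            }
        }
        require_once __DIR__."/../templates/login.php";
    }
}

// Lives in its own file under "namespace Service;" so that \Service\User resolves
class User
{
    public function checkCredentials($username, $password)
    {
        $dsn = "mysql:host=localhost;dbname=db";
        $dbuser = "root";
        $dbpass = "pass";
        $db = new \PDO($dsn, $dbuser, $dbpass);
        // prepare() returns the statement; values are bound to it and never concatenated into the SQL
        $stmt = $db->prepare("SELECT * FROM user WHERE username = ? AND password = ?");
        $stmt->bindValue(1, $username);
        $stmt->bindValue(2, $password);
        $stmt->execute();
        return count($stmt->fetchAll()) > 0;
    }
}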

As you can see, the logic is separated into a service, and is only called if it is needed. We've also used PDO to prevent SQL injections (though we shouldn't really be creating objects in here).

I'd suggest you look into autoloading, and have a play with a framework like Silex, as it will teach you these principles.
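
The controller/model split from the question, written procedurally with bound parameters. This is an added example, not code from the original question or answer. It goes one step further than the thread by storing a password hash instead of the password itself. Assumptions: the PDO SQLite driver is available (an in-memory database keeps it runnable offline), and the `users` table and all function names are hypothetical.

```php
<?php
// Added example. Assumed: PDO SQLite driver, hypothetical "users" table and function names.
function connect(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    return $db;
}

// Model: values travel as bound parameters, so no escaping or quoting is needed.
function registerUser(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Model: look the row up by username only, then verify the hash in PHP.
function checkCredentials(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

// Controller: check that both fields are present and are strings, then call the model.
function handleLogin(PDO $db, array $post): string
{
    $username = $post['username'] ?? '';
    $password = $post['password'] ?? '';
    // A field submitted as username[]=x arrives as an array; treat it as missing.
    if (!is_string($username) || !is_string($password)
        || trim($username) === '' || $password === '') {
        return 'missing-input';
    }
    return checkCredentials($db, trim($username), $password) ? 'ok' : 'invalid';
}

// Constructed sample input standing in for $_POST.
$db = connect();
registerUser($db, "o'brien", 'correct horse');   // a quote in the value is stored as plain data
var_dump(handleLogin($db, ['username' => "o'brien", 'password' => 'correct horse']));
var_dump(handleLogin($db, ['username' => "o'brien", 'password' => 'wrong']));
var_dump(handleLogin($db, ['username' => ['x'], 'password' => 'correct horse']));
```

In the question's layout, `handleLogin()` is what `controller/login.php` would call with `$_POST`, while the two model functions live in a separate included file.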