Forms Engine: From Zero to File Uploads

Glass started without a forms engine. Then we needed contact forms. Then conditional logic. Then multi-step. Then file uploads. Then Stripe payment fields. It escalated.

The Form Builder

Forms in Glass are a section type, you add a form section to any Infinite page and configure it in the builder. Field types: text, email, phone, textarea, select, checkbox, radio, date, file, hidden, and (with Stripe Pro active) payment. Each field has validation rules, placeholder text, conditional visibility, and custom CSS classes.

File Uploads

File uploads were the hardest part. The upload handler validates file types, enforces size limits, generates unique filenames, and stores files in a protected uploads directory. Files are linked to the form submission record so they can be downloaded from the admin. The frontend uses a drag-and-drop zone with progress indicators.

Actions on Submit

When a form is submitted, four action types can fire: email notification to a configured recipient, database storage in the form entries table, webhook POST (non-blocking wp_remote_post with blocking => false), and redirect after success. All actions are configurable per form.

Security

Every form submission hits check_ajax_referer(). A honeypot field catches bots. All fields are sanitised through the appropriate WordPress function, sanitize_text_field(), sanitize_email(), sanitize_textarea_field(). File upload validation happens server-side regardless of what the client claims the file type is.