5.x form.inc drupal_prepare_form($form_id, &$form)
6.x form.inc drupal_prepare_form($form_id, &$form, &$form_state)
7.x form.inc drupal_prepare_form($form_id, &$form, &$form_state)

Prepares a structured form array by adding required elements, executing any hook_form_alter functions, and optionally inserting a validation token to prevent tampering.


$form_id: A unique string identifying the form for validation, submission, theming, and hook_form_alter functions.

$form: An associative array containing the structure of the form.

$form_state: A keyed array containing the current state of the form. Passed in here so that hook_form_alter() calls can use it, as well.

Related topics

4 calls to drupal_prepare_form()
drupal_execute in includes/form.inc
Retrieves, populates, and processes a form.
drupal_get_form in includes/form.inc
Retrieves a form from a constructor function, or from the cache if the form was built in a previous page-load. The form is then passed on for processing, after and rendered for display if necessary.
drupal_rebuild_form in includes/form.inc
Retrieves a form, caches it and processes it with an empty $_POST.
openid_authentication in modules/openid/openid.module
Authenticate a user or attempt registration.


includes/form.inc, line 520


function drupal_prepare_form($form_id, &$form, &$form_state) {
  global $user;

  $form['#type'] = 'form';
  $form['#programmed'] = isset($form['#post']);

  if (isset($form['#build_id'])) {
    $form['form_build_id'] = array(
      '#type' => 'hidden',
      '#value' => $form['#build_id'],
      '#id' => $form['#build_id'],
      '#name' => 'form_build_id',

  // Add a token, based on either #token or form_id, to any form displayed to
  // authenticated users. This ensures that any submitted form was actually
  // requested previously by the user and protects against cross site request
  // forgeries.
  if (isset($form['#token'])) {
    if ($form['#token'] === FALSE || $user->uid == 0 || $form['#programmed']) {
    else {
      $form['form_token'] = array('#type' => 'token', '#default_value' => drupal_get_token($form['#token']));
  else if (isset($user->uid) && $user->uid && !$form['#programmed']) {
    $form['#token'] = $form_id;
    $form['form_token'] = array(
      '#id' => form_clean_id('edit-' . $form_id . '-form-token'),
      '#type' => 'token',
      '#default_value' => drupal_get_token($form['#token']),

  if (isset($form_id)) {
    $form['form_id'] = array(
      '#type' => 'hidden',
      '#value' => $form_id,
      '#id' => form_clean_id("edit-$form_id"),
  if (!isset($form['#id'])) {
    $form['#id'] = form_clean_id($form_id);

  $form += _element_info('form');

  if (!isset($form['#validate'])) {
    if (function_exists($form_id . '_validate')) {
      $form['#validate'] = array($form_id . '_validate');

  if (!isset($form['#submit'])) {
    if (function_exists($form_id . '_submit')) {
      // We set submit here so that it can be altered.
      $form['#submit'] = array($form_id . '_submit');

  // Normally, we would call drupal_alter($form_id, $form, $form_state).
  // However, drupal_alter() normally supports just one byref parameter. Using
  // the __drupal_alter_by_ref key, we can store any additional parameters
  // that need to be altered, and they'll be split out into additional params
  // for the hook_form_alter() implementations.
  // @todo: Remove this in Drupal 7.
  $data = &$form;
  $data['__drupal_alter_by_ref'] = array(&$form_state);
  drupal_alter('form_' . $form_id, $data);

  // __drupal_alter_by_ref is unset in the drupal_alter() function, we need
  // to repopulate it to ensure both calls get the data.
  $data['__drupal_alter_by_ref'] = array(&$form_state);
  drupal_alter('form', $data, $form_id);