best way to validate in PHP


aHMAD_SQaLli
Go to solution Solved by benanamen,


Hello
sorry if the question is not proper / clear.
Which one of these two ways is better for validation?

<?php
# using a variable
$query = $_POST['query'];
$ok = FALSE;
if ( $query = 'php' ) {
    $ok = TRUE;
} else {
    $ok = FALSE;
}
if ( $ok = TRUE ) {
    // more code
}

# direct way
$query = $_POST['query'];
if ( $query = 'php' ) {
    // more code
} else {
    // more codes
}
?>

Thanks in advance.


How about you run the code and see for yourself? ::)

Actually, none of your examples will do what you expect, because you don't seem to understand the difference between the assignment operator “=” and the equality operator “==”. What you want is something like this:

<?php

if (isset($_POST['query']) && $_POST['query'] == 'php')
{
    // do this
}
else
{
    // do that
}

Note the isset() check. Without it, $_POST['query'] may not even exist, which would trigger an error.

  • Like 1

since you are validating a post method form, your form processing code should first check, once, that a form has been submitted, and have all the form processing code inside of a single conditional statement. if your page will process more than one form, you would have a test for each possible form (test for a field name or a value that will always exist when the form is submitted and uniquely identifies the form) and only run the correct form processing code that matches the form that was submitted.

once you have tested that a/the-correct form has been submitted, all the text, textarea, password, and select form fields will exist. it's not necessary to individually test if they exist. in fact, individually using an isset() for each form field tends to hide typo errors in the field names between the form and the form processing code. you would want to get and display/log (development/live server) php errors in this case or in the case where someone is submitting their own form data and is not submitting all the expected form fields. after you have determined that a/the-correct form has been submitted, only check-box and radio-button fields may or may not exist, depending on if they are checked/selected, and would need to use isset() statements within the form processing code to detect if they exist or not.

since you will want to set up a unique validation error message for each different thing that can be wrong with the data for a form field and you will want a way to detect if there are validation errors at any point in your code, you can kill two birds with one stone by using an array to hold the validation error messages. you would add elements to the array, using the form field name as the array index and the message as the value. this same array can serve as the flag that there are validation errors by either testing whether the whole array is empty() or not, or you can test if individual elements/errors are set or not, using the field name index value with an isset() statement.

Edited by mac_gyver
  • Like 1

I strongly disagree with the opinion that you can just assume that all fields are present. This is simply not the case.

For example: In a different PHP forum, I had the problem that I was suddenly unable to write messages. Since the server only displayed generic errors, nobody had any idea what was going on. It took me several days to figure out that the problem was caused by a missing form field which should have been rendered by JavaScript but was blocked by my NoScript plugin. That's a lot of trouble only because the server failed to properly check each form field.

It's also perfectly legitimate if the user decides to submit the data directly rather than through your form. I wonder why this is still seen as something “suspicious”. It's not.

So do check the presence of each field, and do emit proper error messages. Don't make any assumptions regarding the user input.


since English is probably not your first language, you have been given some slack in the 'off' replies you give.

however, no one stated -

...  that you can just assume that all fields are present. This is simply not the case. ...

what was stated is, you don't need and shouldn't use an isset() statement to "individually test if they (the type of fields that were specifically mentioned) exist." when you translated that to your native language, you apparently got - 'don't validate each form field' and didn't get anything else that was stated or the context in which it was stated.

no one stated to not validate each expected form field. in fact, if you have read or correctly translated what was stated, someone mentioned and gave a method for -

since you will want to set up a unique validation error message for each different thing that can be wrong with the data for a form field and you will want a way to detect if there are validation errors at any point in your code, you can kill two birds with one stone by using an array to hold the validation error messages. you would add elements to the array, using the form field name as the array index and the message as the value. this same array can serve as the flag that there are validation errors by either testing that the whole array is empty() or not or you can test if individual elements/errors are set or not, using the field name index value with an isset() statement.


Gee - all this time I have thought very highly of Jacques' informative posts, even at the cost of sometimes being the target of his rants. His English is quite succinct.

When it comes to whose native language is English, I often wonder about Mac_gyver's use of it since he doesn't seem to have ever learned about proper structure of a paragraph which recommends sentences that begin with an uppercase letter to help make the reading easier. So much of his posts seems to be run-on text because of the fact that my older eyes don't see the little tiny periods that my font (or this site) uses. Caps would make it much easier to read, as I said, and would represent proper composition of an English/American post.

As for the post in question - I think Jacques interpreted post #6 exactly as it was written and I agree whole-heartedly with what he was saying.


Gee - all this time I have thought very highly of Jacques' informative posts, even at the cost of sometimes being the target of his rants. His English is quite succinct.

I have to agree. I had to read the response several times to make sure who the response was directed to. @Jaques1 has shown over and over again a VERY high degree of expert knowledge even in highly technical subjects, even to the point I have suspected he is or was an operative for the NSA, CIA, or MI6.

I have yet to find him wrong about anything and trust me, I have tried to challenge him a couple times only to find out he was absolutely right.

Edited by benanamen

Don't confuse a writing style with what is being written. do you think the Angus Macgyver character would be concerned with capital letters on what he wrote out to solve a problem or would he be concerned with the result?

the methods i listed are a summary of the form processing practices that have been stated in countless replies on the forum.

and again, the following has nothing to do with what was stated, and can only be reasonably accounted for by a translation problem -

It's also perfectly legitimate if the user decides to submit the data directly rather than through your form. I wonder why this is still seen as something “suspicious”. It's not.

no one stated that how the data gets submitted is an issue and this has nothing to do with any of the suggestions.

the OP did apparently get useful information out of the post since he gave it a like.


I have to agree. I had to read the response several times to make sure who the response was directed to. @Jaques1 has shown over and over again a VERY high degree of expert knowledge even in highly technical subjects, even to the point I have suspected he is or was an operative for the NSA, CIA, or MI6.

no one is questioning his knowledge.

is anyone really reading WHAT they or anyone else is writing?

you know, it takes me a long time to compose what i write. it probably took me close to an hour to write post #6 above. i review and revise what i write several times to get the statements to convey the information that i am trying to get across, and i tend to be more detailed than others in my explanations, for which i get a lot of thanks and likes.

i don't take the time to write out huge verbose replies because i want the typing practice, i write them to share relevant knowledge. it's too bad that others would use their time to point out 'problems' with something that someone has written, without having a clear understanding of what they are replying to first.


Yeah. It's great that you want to share your knowledge, but sometimes you should just get to the point and answer the question instead of rambling on for an entire hour. Then we don't have to argue about how to interpret your text.

I really appreciate your expertise, but reading your replies is, excuse my French, fucking painful. And I don't think that's a language problem. ;)

By the way, I was specifically referring to this statement:

once you have tested that a/the-correct form has been submitted, all the text, textarea, password, and select form fields will exist. it's not necessary to individually test if they exist.

Sounds pretty clear to me: You recommend against testing each individual field with isset(). And I strongly disagree with that.

My point is that incomplete submissions do happen and should be treated like any other input error (display a proper error message, emit a 400 code etc.). You cannot rely on your forms, because

  • sometimes form fields get blocked by browser plugins (as in my example)
  • experienced clients may send the data with cURL or a user script rather than submitting your form (which is perfectly legitimate)
  • the client may have cached an old version of the form

All those cases should lead to a proper error message, not a pile of PHP warnings while you try to “validate” fields that don't even exist.

OK? If you still disagree, try to make technical arguments. My English sucks? Meh.

  • Like 1
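As an added example that is not from the thread, here is one form handler that applies the points argued above: the isset() and comparison-operator correction from the first reply, the single submission check and the error array from post #6, and the per-field presence check with a 400 response from the reply just above. The field names, the hidden "form" marker field, the length limit and the messages are assumptions made for this example.

```php
<?php
// Added example (not from the thread): one handler that combines the thread's
// advice. Field names, the hidden "form" marker and messages are assumptions.
declare(strict_types=1);

/** Returns validation errors keyed by field name; empty array = input accepted. */
function validateSearchForm(array $post): array
{
    $errors = [];

    // Presence is checked for every expected text/select field: a blocked
    // plugin, a stale cached form or a hand-built request can all omit one.
    foreach (['query', 'mode'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            $errors[$field] = "The field '$field' is missing.";
        }
    }
    if ($errors !== []) {
        return $errors;   // nothing further can be checked sensibly
    }

    $query = trim($post['query']);
    if ($query === '') {
        $errors['query'] = 'Please enter a search term.';
    } elseif (strlen($query) > 100) {
        $errors['query'] = 'The search term is too long.';
    }

    // Strict comparison (===): no type juggling, and no "=" vs "==" mix-up.
    if (!in_array($post['mode'], ['php', 'all'], true)) {
        $errors['mode'] = 'Unknown search mode.';
    }
    return $errors;
}

// Run the processing code once, only when this particular form was submitted.
if (isset($_POST['form']) && $_POST['form'] === 'search') {
    $errors = validateSearchForm($_POST);
    if ($errors !== []) {
        http_response_code(400);   // incomplete or invalid input is a client error
        foreach ($errors as $field => $msg) {
            echo htmlspecialchars("$field: $msg", ENT_QUOTES, 'UTF-8'), "<br>\n";
        }
    } else {
        // Unchecked check boxes are simply not sent, so isset() is right here.
        $exact = isset($_POST['exact']);
        // ... run the search with trim($_POST['query']), $_POST['mode'], $exact ...
    }
}
```

The error array doubles as the "are there errors" flag, as post #6 suggests, while the presence loop gives the proper message instead of PHP warnings when a field is absent.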

all the text, textarea, password, and select form fields will exist.

Now that it is clear exactly what is being talked about......

Unchecked check boxes will not exist at all, so that statement fails in that instance as well.

After hours of painstaking translation of @Jaques1 "english", I was able to come up with something a programmer could understand.

echo base64_decode('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');
Edited by benanamen