phreak3r, Posted July 28, 2019

How can I go about validating a form in PHP? I am trying to do so, but I am clueless as to how to structure it.
mac_gyver, Posted July 28, 2019 (edited)

form processing code should -

1. detect that a post method form was submitted.
2. trim all input data (this can be done with one statement), so that you can detect if all white-space characters were entered. this is the only 'modification' of the form data that should be done.
3. if there can be more than one form, you need some control logic (switch/case statement is one way) to detect a unique value (hidden field) to control which form processing code gets executed.
4. the validation logic needs to store the validation errors in an array, with the array's main index being the field name (this index is used for 'dependent' validation steps to let you test if there is or is not already an error for a field, and if you are outputting the error near the form field it applies to.) this array is also an error flag. if the array is empty, there are no errors; if the array is not empty, there are errors.
5. if there are more than about 2-3 form fields, you should dynamically validate and process the form data, by defining a data structure (array or database table) that contains elements for each field that control what general purpose code does, such as defining 'required' fields, what type of validation rules to apply, and which type of processing code the field is used in.
6. after the validation logic, if there are no errors, use the submitted data for whatever purpose it is intended for.
7. after the data has been used, if there are no errors, perform a redirect to the exact same URL of the form processing code to cause a get request for the page.
8. if there are errors, the code continues and re-displays the form, with any error messages (either all at once or with each one near the field it applies to), and repopulates the (appropriate) fields with the previously submitted data values (applying htmlentities() to help prevent cross site scripting), so that the user doesn't need to keep reentering the same data.

Edited July 28, 2019 by mac_gyver
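One way to put the eight steps above into a single page, as an added example that is not from the thread or any of its posters. It assumes a PDO connection already exists in `$pdo`, a `contacts` table with `name` and `email` columns, and scalar form fields only (the one-statement trim does not handle array inputs such as checkbox groups):

```php
<?php
// Added example, not from the thread. Assumes $pdo (PDO) and a `contacts` table.
declare(strict_types=1);
$errors = [];   // field name => message; an empty array means "no errors"
$post   = [];   // trimmed copy of $_POST, used to repopulate the form on error
// Data structure that drives the generic validation loop (one entry per field).
$fields = [
    'name'  => ['required' => true, 'max' => 50],
    'email' => ['required' => true, 'max' => 254, 'filter' => FILTER_VALIDATE_EMAIL],
];
if ($_SERVER['REQUEST_METHOD'] === 'POST') {                    // 1. post method form?
    $post = array_map('trim', $_POST);                          // 2. trim, the only modification
    switch ($post['action'] ?? '') {                            // 3. hidden field picks the form
        case 'contact':
            foreach ($fields as $name => $rule) {               // 4/5. errors keyed by field name
                $value = $post[$name] ?? '';
                if ($rule['required'] && $value === '') {
                    $errors[$name] = "$name is required.";
                } elseif (strlen($value) > $rule['max']) {
                    $errors[$name] = "$name is too long.";
                } elseif (isset($rule['filter']) && filter_var($value, $rule['filter']) === false) {
                    $errors[$name] = "$name is not valid.";
                }
            }
            if (!$errors) {                                     // 6. use the data unmodified
                $stmt = $pdo->prepare('INSERT INTO contacts (name, email) VALUES (?, ?)');
                $stmt->execute([$post['name'], $post['email']]); // prepared statement, no escaping
                header('Location: ' . $_SERVER['REQUEST_URI']); // 7. PRG: redirect to same URL
                exit;
            }
            break;
        default:
            $errors['form'] = 'Unknown form submitted.';
    }
}
// 8. (re)display the form; values are escaped on output, never altered on input
$e = function (string $k) use ($post): string {
    return htmlentities($post[$k] ?? '', ENT_QUOTES, 'UTF-8');
};
?>
<form method="post">
  <input type="hidden" name="action" value="contact">
  <input name="name" value="<?= $e('name') ?>"> <?= $errors['name'] ?? '' ?><br>
  <input name="email" value="<?= $e('email') ?>"> <?= $errors['email'] ?? '' ?><br>
  <button>Send</button>
</form>
```

Because the redirect in step 7 only happens when `$errors` is empty, a refresh after a successful submit re-requests the page with GET instead of re-posting the data.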
ginerjm, Posted July 28, 2019

Macgyver - great post. But - I don't get the purpose of #7. When I'm done I simply resend the screen back for another set of input or with the results of the logic process. Don't understand your need for a get request.
benanamen, Posted July 28, 2019

@ginerjm, it is part of PRG. Post, Redirect, Get
ginerjm, Posted July 28, 2019

That too is news to me.
phreak3r (Author), Posted July 28, 2019

Never sanitize input, correct? I had asked the folks over at #php@freenode about that and they suggested I not sanitize input data.
ginerjm, Posted July 29, 2019

Never sanitize input data? Why on earth would you NOT do that? Hackers can put anything into an input field and your script has to be prepared to handle it or face the consequences. The rule might be 'never alter input'. But for sure you have to sanitize it to avoid damage to your database or whatever your script is doing with the data.
benanamen, Posted July 29, 2019

1 hour ago, ginerjm said:
"for sure you have to sanitize it to avoid damage to your database or whatever your script is doing with the data."

That's what prepared statements are for. Although, you would VALIDATE the data.
phreak3r (Author), Posted August 2, 2019

On 7/29/2019 at 1:41 PM, ginerjm said:
"Never sanitize input data? Why on earth would you NOT do that? Hackers can put anything into an input field and your script has to be prepared to handle it or face the consequences. The rule might be 'never alter input'. But for sure you have to sanitize it to avoid damage to your database or whatever your script is doing with the data."

How would you sanitize input without changing or mangling it?
ginerjm, Posted August 4, 2019

One thing is to verify that the input value has the content that you expect. Another is to use prepared queries that will remove any threats from using user inputs.