Form Validation

[phreak3r]

How can I go about validating a form in PHP? I am trying to do so, but I am clueless as to how to structure it.

[mac_gyver]

form processing code should -

1. detect that a post method form was submitted.
2. trim all input data (this can be done with one statement), so that you can detect if all white-space characters were entered. this is the only 'modification' of the form data that should be done.
3. if there can be more than one form, you need some control logic (switch/case statement is one way) to detect a unique value (hidden field) to control which form processing code gets executed.
4. the validation logic needs to store the validation errors in an array, with the array's main index being the field name (this index is used for 'dependent' validation steps to let you test if there is or is not already an error for a field and if you are outputting the error near the form field it applies to.) this array is also an error flag. if the array is empty, there are no errors, if the array is not empty, there are errors.
5. if there are more than about 2-3 form fields, you should dynamically validate and process the form data, by defining a data structure (array or database table) that contains elements for each field that control what general purpose code does, such as defining 'required' fields, what type of validation rules to apply, and which type of processing code the field is used in.
6. after the validation logic, if there are no errors, use the submitted data for whatever purpose it is intended for.
7. after the data has been used, if there are no errors, perform a redirect to the exact same URL of the form processing code to cause a get request for the page.
8. if there are errors, the code continues and re-displays the form, with any error messages (either all at once or with each one near the field it applies to), and repopulate the (appropriate) fields with the previously submitted data values (applying htmlentities() to help prevent cross site scripting), so that the user doesn't need to keep reentering the same data.

Edited July 28, 2019 by mac_gyver

[ginerjm]

Macgyver - great post.  But - I don't get the purpose of #7.  When I'm done I simply resend the screen back for another set of input or with the results of the logic process.  Don't understand your  need for a get request.

[benanamen]

@gingerjm, it is part of PRG. Post, Redirect, Get

 

 

[ginerjm]

That too is news to me.

[phreak3r]

Never sanitize input, correct? I had asked the folks over at #php@freenode about that and they suggested I not sanitize input data.

[ginerjm]

Never sanitize input data?  Why on earth would you NOT do that?  Hackers can put anything into an input field and your script has to be prepared to handle it or face the consequences.  The rule might be 'never alter input'.  But for sure you have to sanitize it to avoid damage to your database or whatever your script is doing with the data.

[benanamen]

1 hour ago, ginerjm said:

for sure you have to sanitize it to avoid damage to your database or whatever your script is doing with the data. 

That's what prepared statements are for. Although, you would VALIDATE the data.

[phreak3r]

On 7/29/2019 at 1:41 PM, ginerjm said:

Never sanitize input data?  Why on earth would you NOT do that?  Hackers can put anything into an input field and your script has to be prepared to handle it or face the consequences.  The rule might be 'never alter input'.  But for sure you have to sanitize it to avoid damage to your database or whatever your script is doing with the data.

How would you sanitize input without changing or mangling it?

[ginerjm]

One thing is to verify that the input value has the content that you expect.  Another is to use prepared queries that will remove any threats from using user inputs.