phreak3r

Form Validation


How can I go about validating a form in PHP? I am trying to do so, but I am clueless as to how to structure it.


Form processing code should:

  1. Detect that a POST-method form was submitted.
  2. Trim all input data (this can be done with one statement), so that you can detect if all white-space characters were entered. This is the only 'modification' of the form data that should be done.
  3. If there can be more than one form, you need some control logic (a switch/case statement is one way) to detect a unique value (hidden field) to control which form processing code gets executed.
  4. The validation logic needs to store the validation errors in an array, with the array's main index being the field name (this index is used for 'dependent' validation steps to let you test if there is or is not already an error for a field, and if you are outputting the error near the form field it applies to). This array is also an error flag: if the array is empty, there are no errors; if the array is not empty, there are errors.
  5. If there are more than about 2-3 form fields, you should dynamically validate and process the form data, by defining a data structure (array or database table) that contains elements for each field that control what general-purpose code does, such as defining 'required' fields, what type of validation rules to apply, and which type of processing code the field is used in.
  6. After the validation logic, if there are no errors, use the submitted data for whatever purpose it is intended for.
  7. After the data has been used, if there are no errors, perform a redirect to the exact same URL of the form processing code to cause a GET request for the page.
  8. If there are errors, the code continues and re-displays the form, with any error messages (either all at once or with each one near the field it applies to), and repopulates the (appropriate) fields with the previously submitted data values (applying htmlentities() to help prevent cross-site scripting), so that the user doesn't need to keep re-entering the same data.
Edited by mac_gyver
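As an added example (not code from the post above), here is one way to lay out those eight steps in a single script that both displays and processes the form. The names are assumptions: a hidden field called "action" selects the form, the three fields in $fields are made up, and saveContact() is a placeholder for whatever the data is really used for.

```php
<?php
// Added example, not from the original post. Assumed names: hidden field "action" selects the
// form; saveContact() stands in for the real use of the data; the three fields are made up.
declare(strict_types=1);

// step 5: a data structure drives the general-purpose validation and rendering code
$fields = [
    'name'  => ['label' => 'Name',  'required' => true,  'rule' => 'text',  'max' => 100],
    'email' => ['label' => 'Email', 'required' => true,  'rule' => 'email'],
    'age'   => ['label' => 'Age',   'required' => false, 'rule' => 'int',   'min' => 0, 'max' => 150],
];

$errors = [];   // step 4: keyed by field name; an empty array means "no errors"
$post   = [];   // trimmed copy of the submitted data, used to repopulate the form

// step 1: detect a POST-method submission
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // step 2: trim everything in one statement (recurses into arrays such as checkbox groups)
    $post = trimArray($_POST);

    // step 3: the hidden field decides which form-processing code runs
    switch ($post['action'] ?? '') {
        case 'contact':
            $errors = validate($fields, $post);
            if (!$errors) {
                saveContact($post);                       // step 6: use the data
                // step 7: redirect to this same URL so the browser issues a GET;
                // refreshing the result page then cannot re-submit the form
                header('Location: ' . $_SERVER['REQUEST_URI'], true, 303);
                exit;
            }
            break;
        default:
            $errors['action'] = 'Unknown form submitted.';
    }
}

// step 8 (and the plain GET case): display the form with errors and previous values
renderForm($fields, $post, $errors);

function trimArray(array $data): array
{
    return array_map(fn($v) => is_array($v) ? trimArray($v) : trim((string) $v), $data);
}

function validate(array $fields, array $post): array
{
    $errors = [];
    foreach ($fields as $name => $def) {
        $value = $post[$name] ?? '';
        if (!is_string($value)) {                 // an array where a scalar was expected
            $errors[$name] = $def['label'] . ' has an unexpected format.';
            continue;
        }
        if ($value === '') {
            if ($def['required']) {
                $errors[$name] = $def['label'] . ' is required.';
            }
            continue;                             // optional and empty: nothing more to check
        }
        switch ($def['rule']) {
            case 'email':
                if (filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
                    $errors[$name] = $def['label'] . ' is not a valid email address.';
                }
                break;
            case 'int':
                $range = ['options' => ['min_range' => $def['min'], 'max_range' => $def['max']]];
                if (filter_var($value, FILTER_VALIDATE_INT, $range) === false) {
                    $errors[$name] = $def['label'] . " must be a whole number between {$def['min']} and {$def['max']}.";
                }
                break;
            default: // 'text'
                if (mb_strlen($value) > $def['max']) {
                    $errors[$name] = $def['label'] . " must be at most {$def['max']} characters.";
                }
        }
    }
    return $errors;
}

function saveContact(array $post): void
{
    // placeholder for the real use of the data: a prepared INSERT, an email, ...
}

function renderForm(array $fields, array $post, array $errors): void
{
    $h = fn(string $s): string => htmlentities($s, ENT_QUOTES, 'UTF-8');
    echo '<form method="post"><input type="hidden" name="action" value="contact">';
    foreach ($fields as $name => $def) {
        $value = is_string($post[$name] ?? null) ? $post[$name] : '';
        // htmlentities() on the repopulated value so it cannot break out of the attribute
        echo '<label>' . $def['label'] . ' <input name="' . $name . '" value="' . $h($value) . '"></label>';
        if (isset($errors[$name])) {
            echo ' <span class="error">' . $h($errors[$name]) . '</span>';
        }
        echo '<br>';
    }
    echo '<button>Send</button></form>';
}
```

Save it as form.php under a PHP-capable web server and request it with GET to see the empty form; a successful POST ends in the 303 redirect back to the same URL, while a failed one falls through to renderForm() with the $errors array populated. Dependent validation steps (step 4) would test isset($errors[$name]) before running, so a field that already failed a basic check is not reported twice.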


Macgyver - great post. But - I don't get the purpose of #7. When I'm done I simply resend the screen back for another set of input or with the results of the logic process. Don't understand your need for a GET request.


That too is news to me.


Never sanitize input, correct? I had asked the folks over at #php@freenode about that and they suggested I not sanitize input data.


Never sanitize input data? Why on earth would you NOT do that? Hackers can put anything into an input field and your script has to be prepared to handle it or face the consequences. The rule might be 'never alter input'. But for sure you have to sanitize it to avoid damage to your database or whatever your script is doing with the data.

1 hour ago, ginerjm said:

for sure you have to sanitize it to avoid damage to your database or whatever your script is doing with the data.

That's what prepared statements are for. Although, you would VALIDATE the data.

On 7/29/2019 at 1:41 PM, ginerjm said:

Never sanitize input data? Why on earth would you NOT do that? Hackers can put anything into an input field and your script has to be prepared to handle it or face the consequences. The rule might be 'never alter input'. But for sure you have to sanitize it to avoid damage to your database or whatever your script is doing with the data.

How would you sanitize input without changing or mangling it?


One thing is to verify that the input value has the content that you expect. Another is to use prepared queries that will remove any threats from using user inputs.
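The last few replies make two separate points: validate that a value is what the field expects, and pass it to the database as a bound parameter rather than splicing it into the SQL text. The following is an added example, not code from anyone in this thread, that does both for a constructed "messages" table. The stored value is not altered, so nothing is mangled, and the quote and semicolon inside the hostile message stay data instead of becoming part of the query. It assumes an in-memory SQLite database (the pdo_sqlite extension) so it runs stand-alone.

```php
<?php
// Added example, not from the thread. Constructed table and constructed inputs; uses an
// in-memory SQLite database via PDO (needs the pdo_sqlite extension).
declare(strict_types=1);

function validateMessage(array $in): array
{
    $errors = [];
    $name = $in['name'] ?? '';
    $msg  = $in['message'] ?? '';
    // letters, spaces, apostrophes and hyphens: "O'Brien" is a legitimate name, so the
    // apostrophe is allowed here and dealt with by the prepared statement, not stripped
    if (!is_string($name) || !preg_match('/^[\p{L} \'\-]{1,60}$/u', $name)) {
        $errors['name'] = 'Name may only contain letters, spaces, apostrophes and hyphens.';
    }
    // free text: the only sensible rules are "present" and "not absurdly long"
    if (!is_string($msg) || $msg === '') {
        $errors['message'] = 'Message is required.';
    } elseif (mb_strlen($msg) > 500) {
        $errors['message'] = 'Message must be at most 500 characters.';
    }
    return $errors;
}

function storeMessage(PDO $db, array $in): void
{
    // named placeholders: the driver sends the values separately from the SQL text,
    // so quotes, semicolons and comment markers in a value cannot change the statement
    $stmt = $db->prepare('INSERT INTO messages (name, message) VALUES (:name, :message)');
    $stmt->execute([':name' => $in['name'], ':message' => $in['message']]);
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, name TEXT NOT NULL, message TEXT NOT NULL)');

// constructed submissions, as they might look in $_POST after trimming
$submissions = [
    ['name' => "Conor O'Brien", 'message' => 'Hi there'],
    ['name' => 'Mallory',       'message' => "x'); DROP TABLE messages; --"],
    ['name' => '<script>',      'message' => 'never reaches the database'],
];

foreach ($submissions as $in) {
    $errors = validateMessage($in);
    if ($errors) {
        echo 'rejected: ' . implode(' ', $errors) . PHP_EOL;   // the third submission
        continue;
    }
    storeMessage($db, $in);
}

// the table still exists and the two accepted rows are stored exactly as submitted;
// HTML encoding happens here, at the point of output, not when the data was received
foreach ($db->query('SELECT name, message FROM messages ORDER BY id') as $row) {
    echo htmlentities($row['name'], ENT_QUOTES, 'UTF-8') . ': '
       . htmlentities($row['message'], ENT_QUOTES, 'UTF-8') . PHP_EOL;
}
```

Run it with php on the command line. The first two submissions are inserted, the third is rejected by the name rule, and the SELECT afterwards shows Mallory's message stored verbatim with the table intact: the prepared statement kept the SQL structure fixed, validation kept out what the fields were never meant to hold, and the encoding for the browser was applied only when the data was written into HTML.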
