Form Validation woes

[stormflurry]

Hi All,

I'm building a custom validator and here's the issue that i'm running into. PHP does not collect unset varaibles names for checkboxes or radio buttons into the $_POST array.

so when I do this

(foreach $_POST as $key => $value) {

etc

}

I cannot easily check to see if the varaible is empty

so the line that I'm working along is creating a hidden variable in the form that does this

<input type="hidden" name="checkme" value="checkbox/radiobutton field_name that needs to be check">

my validation code looks something like this


//each varialbe name gets exploded and validated based on the trailing characters
if ($check[1] == 3) {
//set the name of the field that I need to look for
$temp = $value;


//check to see if the variable is set and then if not push that back through the header
if ($$temp != "on") {

$count++;

$error_string .= 'Error_'.$value.'=on&';


}

}

here's my issue this works but I need to change $$temp into something that looks like this $_POST[$$temp] but this doesn't work I need some help to be able to set $_POST['x'] x on the fly to whatever I want...

I've tried a bunch of different things at this point and needs some help.

Thanks

Matt

[stormflurry]

Any help anybodY?

[craygo]

What are you looking to do exactly. You can use java to make sure fields are filled in before the form is even submitted. Then there would not be a need to do a check with php after.

If you want to do this I can give you what you need. I have alot of samples to check on form fields.

Ray

[stormflurry]

[!--quoteo(post=359656:date=Mar 29 2006, 09:03 AM:name=craygo)--][div class=\'quotetop\']QUOTE(craygo @ Mar 29 2006, 09:03 AM) [snapback]359656[/snapback][/div][div class=\'quotemain\'][!--quotec--]
What are you looking to do exactly. You can use java to make sure fields are filled in before the form is even submitted. Then there would not be a need to do a check with php after.

If you want to do this I can give you what you need. I have alot of samples to check on form fields.

Ray
[/quote]
Ray that would be appreciated I haven't implemented any pre postback validation yet but this side of the script i mainly to protect my DB from junk and make sure that the customer doesn't throw of any SQL errors...

[craygo]

If you post the form part of your script I can write in the java for you. You can go as far as checking patterns or numbers only or letters only, or just make sure there are no blank fields. Let me know what fields you want to check and what to check for and I will do what I can.

Ray

[kenrbnsn]

Why don't you create a hidden field for each of the fields that potentionally won't be passed back with a default value. Name this field the same as the real field. This way your script will get a value no matter what the user does and you don't have to jump through hoops to do your validation.

To the poster [b]craygo[/b] who keep saying to use Java, I believe you are refering to Javascript, not Java. They are two different languages. Please spell out Javascript when you mean Javascript and don't abbreviate it to Java.

Ken

[stormflurry]

[!--quoteo(post=359705:date=Mar 29 2006, 11:43 AM:name=kenrbnsn)--][div class=\'quotetop\']QUOTE(kenrbnsn @ Mar 29 2006, 11:43 AM) [snapback]359705[/snapback][/div][div class=\'quotemain\'][!--quotec--]
Why don't you create a hidden field for each of the fields that potentionally won't be passed back with a default value. Name this field the same as the real field. This way your script will get a value no matter what the user does and you don't have to jump through hoops to do your validation.

To the poster [b]craygo[/b] who keep saying to use Java, I believe you are refering to Javascript, not Java. They are two different languages. Please spell out Javascript when you mean Javascript and don't abbreviate it to Java.

Ken
[/quote]

Hey Ken,

I've actually experimented with that and here's the example

let's say this is part of my form
<input type="checkbox" name="field1">
<input type="hidden" name="field1" value="off">

Let's say that I want the checkbox to be checked in my POST array I now have field1=off&field1=on

while I'm looping through my validator for each varaible I'll run into an issue it'll perform two separate actions

foreach($_POST as $key => $value)
{
if ($field1 == "off") {
Send Error }
elsif($field1 == "on") {
no error
}

so my validator will kick an error no matter what I want to have happen...at least I haven't found a way around that little quandy at this point. I keep coming up with new solutions or ideas on how to do this and I get to a point where PHP just won't allow me to do what I need to do. It's frustrating.

Javascript is nice but I need to have a bullet proof postback method that uses neither javascript or ajax...

[kenrbnsn]

Put the hidden field before the real field:
[code]
<input type="hidden" name="field1" value="off">
<input type="checkbox" name="field1">
[/code]

If you look at the $_POST array after receiving this data "field1=off&field1=on", you should only see one "field1", not two.

Ken

[gavinandresen]

Do you care if hackers can influence your form validation?

If you do (and you probably should), then you can't put any information about what should be validate or how it should be validated in your forms (because it's really easy to change hidden fields-- e.g. grab the FireFox Web Developer extension and it lets you see and edit the hidden fields before submission).

You should probably turn it around, and define what fields need to get validated in your PHP code:

$needValidation = array('foo', 'bar', ... etc);

foreach ($needValidation AS $field) {
if (!isset($_POST[$field])) or empty($_POST[$field])) ... error....
}

I handle form validation something like this:

[code]
$validationData['siteName'] = array('isRequired', 'type' => 'text');
$validationData['isLive'] = array('isRequired', 'type' => 'number');
$validationData['rootDirectory'] = array('isRequired', 'type' => 'text');
$validationData['defaultTemplate'] = array('isRequired', 'type' => 'text');
$validationData['siteFooter'] = array('isRequired', 'type' => 'text');
$validationData['provdist'] = array('isRequired');
if (isset($post['submit'])) {
  $formErrors = validateForm($post, $validationData);
  if (!preg_match('/^\w*$/', $post['rootDirectory'])) {
    $formErrors['rootDirectory'] = "Invalid Location";
  }
  if (count($formErrors) == 0) {
    // Normally there would be code here to process the form
    // and redirect to a thank you page...
  }
}
else {
  $formErrors = array();
}

echo fillInFormValues($html, $post, $formErrors);
[/code]

(try out the form at [a href=\"http://www.skypaint.com/gavin/code/longExample.php\" target=\"_blank\"]http://www.skypaint.com/gavin/code/longExample.php[/a] )

[Guest footballkid4]

I'd simply do something like this:
[code]<?php
$error = FALSE;
$required = array( 'checkboxname' , 'inputname' );
foreach ( $required as $require )
{
    if ( ! isset( $_POST[ $require ] ) || ( empty( $_POST[ $require ] ) ) ) {
        $error = TRUE;
        break;
    }
}
if ( $error ) {
//something was left out
}
?>[/code]

[stormflurry]

[!--quoteo(post=359856:date=Mar 29 2006, 07:24 PM:name=gavinandresen)--][div class=\'quotetop\']QUOTE(gavinandresen @ Mar 29 2006, 07:24 PM) [snapback]359856[/snapback][/div][div class=\'quotemain\'][!--quotec--]
Do you care if hackers can influence your form validation?

If you do (and you probably should), then you can't put any information about what should be validate or how it should be validated in your forms (because it's really easy to change hidden fields-- e.g. grab the FireFox Web Developer extension and it lets you see and edit the hidden fields before submission).

You should probably turn it around, and define what fields need to get validated in your PHP code:

$needValidation = array('foo', 'bar', ... etc);

foreach ($needValidation AS $field) {
if (!isset($_POST[$field])) or empty($_POST[$field])) ... error....
}

I handle form validation something like this:

[code]
$validationData['siteName'] = array('isRequired', 'type' => 'text');
$validationData['isLive'] = array('isRequired', 'type' => 'number');
$validationData['rootDirectory'] = array('isRequired', 'type' => 'text');
$validationData['defaultTemplate'] = array('isRequired', 'type' => 'text');
$validationData['siteFooter'] = array('isRequired', 'type' => 'text');
$validationData['provdist'] = array('isRequired');
if (isset($post['submit'])) {
  $formErrors = validateForm($post, $validationData);
  if (!preg_match('/^\w*$/', $post['rootDirectory'])) {
    $formErrors['rootDirectory'] = "Invalid Location";
  }
  if (count($formErrors) == 0) {
    // Normally there would be code here to process the form
    // and redirect to a thank you page...
  }
}
else {
  $formErrors = array();
}

echo fillInFormValues($html, $post, $formErrors);
[/code]

(try out the form at [a href=\"http://www.skypaint.com/gavin/code/longExample.php\" target=\"_blank\"]http://www.skypaint.com/gavin/code/longExample.php[/a] )
[/quote]

This is a good suggestion and I do do script side validation for my purposes. The main purpose of this class validator i'm building is to allow my users to create forms and database tables on the fly. Basically I want them to have to build the form using the form builder and select which fields need which type of validation before it get's inserted into the database. I guess theoretically I could build custom script side validatorion for each form by creating another include...I don't know it's an option but it seems like there should be something cleaner.

I'm aware of the hacker problem. I do it myself in certain situations. This validator would not be used in any place where data integrity is a 100% priority. That would all be built right in to the script.

[craygo]

JAVASCRIPT, make sure i use correct term, would probably be the simple and easy way to validate the form. No need to submit it checks will be done right away.

Ray

[Guest footballkid4]

[!--quoteo(post=359906:date=Mar 29 2006, 08:47 PM:name=craygo)--][div class=\'quotetop\']QUOTE(craygo @ Mar 29 2006, 08:47 PM) [snapback]359906[/snapback][/div][div class=\'quotemain\'][!--quotec--]
JAVASCRIPT, make sure i use correct term, would probably be the simple and easy way to validate the form. No need to submit it checks will be done right away.

Ray
[/quote]
JavaScript can be easily disabled on most browsers, and on those it cannot be disabled on, if PHP does no error checking the user can copy and paste the HTML output on the form, copy it to their machine, save the page, remove the JavaScript, run the script and submit it directly to the site. PHP does no checking to see where the form came from or that it's valid...and the user got right in.

BTW: Another common problem...Many people use: <input type="button" ... onclick="checkform()" />
Simple way to get around that validation is to type this in your address bar:
- javascript:document.forms[0].submit();