Have you ever wondered how much PHP form validation goes into developing a web form?
PHP Form Validation code is a set of validation rules that allows you to create server-side validation to the PHP forms quickly with little efforts. Form validation is really crucial for dynamic web pages.
A volume of all the leading websites today are running on PHP. As the websites are no longer narrowed to being informational gateways and become business tools, you should go beyond standard functionalities while designing web pages. Next to the visitors and the user experience of your website, a web form validation demands more dedication as it indirectly creates a cordial relation with prospective clients. However, many of us ignore this fact. The result is complex and frustrating web forms that conceive a negative experience, malicious database manipulation, and system crash.
Thankfully, PHP form validation is not rocket science. PHP includes tons of great libraries and built-in validations. It is just a heap of the check using a generic PHP form validation script.
Generic PHP Form Validation script is meant to simplify the action of adding validation to your PHP forms. The only thing you need to do is associate the validation requirement of each element of your form with the available set of “validation descriptors”. The “validation descriptor” is the string stating the kind of validation to be executed. For instance, “alpha” specifies allow only alphabetic characters, and “num” meant to check numeric data. The table below lists the common generic PHP form validation descriptors:
|
Validation Descriptors |
Description |
|
req |
The field is mandatory |
|
num |
Checks numeric data |
|
alnum |
The field should include only alphabetic or numeric character |
|
|
Verify for valid email ID |
|
alpha |
Check alphabetic data |
|
lt=??? |
Verify the input to be less than the value passed |
|
gt=??? |
Verify the input to be greater than the value passed |
|
maxlen=??? |
Verify the length of input to the maximum |
|
minlen=??? |
Verify the length of input to the required minimum |
The main goal of PHP Form Validation code is to make sure the user has provided all the necessary details and in the proper format in order to successfully proceed with the requested operation. The PHP code validates the values entered by a user into the form and if it does not match the criteria specified, they’re returned back to the form with the list of offending fields along with error messages. Invalid user input can cause unexpected errors in future processing. As such, PHP includes countless inbuilt validation functions to check user inputs. Here are some of the inbuilt PHP form validation functions:
|
Filters for validation |
Description |
|
FITER_VALIDATE_DOMAIN |
Validates the domain name label lengths |
|
FILTER_VALIDATE_EMAIL |
Validates the e-mail address |
|
FILTER_VALIDATE_FLOAT |
Validates data as float, & translates to float on success. |
|
FILTER_VALIDATE_INT |
Validates data as integer, & translates to integer on success. |
|
FILTER_VALIDATE_IP |
Validates data as IP address |
|
FILTER_VALIDATE_MAC |
Validates data as MAC address |
|
FILTER_VALIDATE_REGEXP |
Validates data against regexp |
|
FILTER_VALIDATE_URL |
Validates data as URL |
Let us take an example to construct & validate a Form using PHP and HTML. We will create a simple form using HTML and process as well as validate the content of the form with PHP form validation functions. Before constructing an HTML form, we should decide which HTTP method to use in the HTTP request. Among the multitude of HTTP request methods, programmers generally prefer to use GET and POST methods for forms. Since we are about to send sensitive data like emails with an HTTP request, we are proceeding with POST. GET method can be used when we want to retrieve data from the server. The example below illustrates the HTML script for a simple form:
Let’s explore how an error can occur. Assume that the user has missed out any of the fields in the Form above. The PHP code validates whether all the variables are set using the empty () function. This function is meant to check whether the given arguments are empty or not. Here is the description of the function:
|
Empty () function |
|
|
Syntax
|
empty ( $var ) |
|
Values reflect as an empty value:
|
NULL FALSE 0 - 0 as an integer "0" - 0 as a string 0.0 - 0 as a float "" - an empty string array() - an empty array |
If email, name, phone or gender variable is not set, PHP script will raise an error “----- field is required”. If the first validation fails, then the script stops running the subsequent validation rules.
When the empty ($_POST[$key] && in_array($key, $validateArray)) is not empty, the PHP script proceeds with the further validation.
Next, we have validated the email with filter-var () function & FILTER_VALIDATE_EMAIL flag. If the email is invalid, the validation script returns false.
The last PHP Form validation in the above script is phone number validation. The script is validated with filter-var () and FILTER_VALIDATE_INT flag. This method can validate any integer key (like groupId, userId, etc.) in the timestamp, database, etc. The main advantage of this function is that it converts string numbers “15” for example to actual integers 15.
Since we have stored the error messages in session, any validation error occurs in the ation.php page will redirect the page back to the form page.
The PHP script in the form page echoes the session message as shown below and displays the error message to the user:
Most people think that both form validation and form security check are the same. However, form security is a separate process that should be handled along with PHP form validation. In addition, Form security check should be added to form validation to prevent web pages from malicious exploits. Improper validation of user input can increase the risk of security vulnerabilities. Attackers can take this opportunity and target your web page with the following attacks:
Let’s take a deep look at XSS attack and how to prevent it with PHP form validation and security check. According to our above Form page, when the user enters the name, it will be saved in the database without any validation. Imagine an attacker enters the following script in the name field:
|
<script>location.href='https://www.xyz.com'</script> |
As a result, the malicious script gets stored in the database and the webpage displays the script as the name. Then, every user who visits the webpage will be redirected to the attacker’s site. This is how the hackers accomplish the Cross-site scripting attack (XSS):
With PHP, it is pretty simple to defend our web pagefrom XSS attack. Here is an example:
|
Input Processing Before Validation |
|
<script>location.href='https://www.xyz.com'</script> |
|
Input processing After validation |
|
<script>location.href='https://www.xyz.com'</script> |
In addition, the trim () removes the extra spaces; hence, the extra spaces in the input won’t occupy space in the database.
PHP form validations are tiny steps that can support the user to fill out the form easily and as fast as possible. In addition, they allow the necessary validation of user input without submitting anything to the database. When a user fills out a form, if it is unclear what he is doing wrong and there is no message to guide him, then he will more likely to give up and stroll away to another web site. Running validation on the form data while it is entered means user can be accurate and confident about his entry and this avoids unwanted frustrations.