Validating PHP formsHow to validate HTML forms with PHP
PHP form
 Home   Forms tutorial   How to articles   Link to us   Links   Donations   Contact 

PHP form > PHP forms tutorial > Validating forms with PHP

<< PHP forms tutorial Required and optional fields >>

Validating forms with PHP

So, how do you validate form data? The very least you should do is pass all variables through PHP's htmlspecialchars() function. This function will replace HTML chars like < and > to their HTML version &lt; and &gt;. Let's rewrite the previous example:

<?php
$yourname = htmlspecialchars($_POST['yourname']);
$email    = htmlspecialchars($_POST['email']);
$likeit   = htmlspecialchars($_POST['likeit']);
$comments = htmlspecialchars($_POST['comments']);
?>
<html>
<body>
Your name is: <?php echo $yourname; ?><br />
Your e-mail: <?php echo $email; ?><br />
<br />
Do you like this website? <?php echo $likeit; ?><br />
<br />
Comments:<br />
<?php echo $comments; ?>
</body>
</html>

This is much safer now and prevents possible attackers from exploiting our code by injecting HTML or Javascript code. Now if someone submitted the same code as before...

<script>location.href('http://www.SPAM.com')</script>

... this would not be executed anymore, because it would be saved as HTML escaped code rather than valid HTML code:

&lt;script&gt;location.href('http://www.SPAM.com')&lt;/script&gt;

Such code can now do no harm and is safe to be displayed on a page or inside an e-mail. Sure, it may not look nice and tell you someone has been trying to mess with your script, but the important thing is he/she had failed!


» What else to check?

If you know exactly what kind of data to expect you can make further steps to ensure the user has entered what you want. We will cover a few samples like validating e-mail address and URLs later.

Let's do two more things:
1. strip unnecessary characters from the data.
2. if quotes are escaped with a slash \ let's remove that.

Instead of writing the same code over and over again we can create a function that will do all the checking for us. Here we will name it check_input and simply call this function whenever we need to validate simple input data:

<?php
$yourname = check_input($_POST['yourname']);
$email    = check_input($_POST['email']);
$likeit   = check_input($_POST['likeit']);
$comments = check_input($_POST['comments']);
?>
<html>
<body>
Your name is: <?php echo $yourname; ?><br />
Your e-mail: <?php echo $email; ?><br />
<br />
Do you like this website? <?php echo $likeit; ?><br />
<br />
Comments:<br />
<?php echo $comments; ?>
</body>
</html>

<?php
function check_input($data)
{
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}
?>

Note the check_input function at the bottom. What it does is takes the data passed to the function, strips unwanted characters (extra space, tab, newline) from the beginning and end of the data using the PHP trim() function, strips any quotes escaped with slashes and passes it through htmlspecialchars().

So now instead of typing the same code for each of our input fields we simply check each $_POST variable with the check_input function and that's it.

 

<< PHP forms tutorial Required and optional fields >>

Jump to:  
  1.1 PHP forms tutorial
  1.2 Validating forms with PHP
  1.3 Required and optional fields
  1.4 Validating URL and E-mail
  1.5 Form to mail
  1.6 Putting it all together
  1.7 Final words and further reading



» Copyright notice

© 2008-2014 myPHPform.com. All rights reserved. Copying or redistributing any part of this website without our written permission is expressly forbidden!

Page copy protected against web site content infringement by Copyscape

 




Help myPHPform by Donating!

  Home  Forms tutorial  How to articles  Link to us  Links  Donations  Contact  
 
© Copyright PHP form 2008-2014. All rights reserved.
All trademarks are property of their respective owners.
Privacy policy
 
Valid XHTML 1.0 Transitional   Valid CSS!