Validating forms with PHP

So, how do you validate form data? The very least you should do is pass all variables through PHP's htmlspecialchars() function. This function replaces HTML characters such as < and > with their HTML entities &lt; and &gt;. Let's rewrite the previous example:
<?php
$yourname = htmlspecialchars($_POST['yourname']);
$email    = htmlspecialchars($_POST['email']);
$likeit   = htmlspecialchars($_POST['likeit']);
$comments = htmlspecialchars($_POST['comments']);
?>
<html>
<body>
Your name is: <?php echo $yourname; ?><br />
Your e-mail: <?php echo $email; ?><br />
<br />
Do you like this website? <?php echo $likeit; ?><br />
<br />
Comments:<br />
<?php echo $comments; ?>
</body>
</html>

This is much safer now and prevents attackers from exploiting our code by injecting HTML or JavaScript. Now, if someone submitted the same code as before...

<script>location.href('http://www.SPAM.com')</script>

... it would not be executed anymore, because it would be saved as HTML-escaped text rather than as valid HTML:

&lt;script&gt;location.href('http://www.SPAM.com')&lt;/script&gt;

Such code can now do no harm and is safe to display on a page or inside an e-mail. It may not look nice, and it tells you that someone has been trying to mess with your script, but the important thing is that they have failed!
» What else to check?

If you know exactly what kind of data to expect, you can take further steps to ensure the user has entered what you want. We will cover a few samples, such as validating e-mail addresses and URLs, later. Let's do two more things:

1. strip unnecessary characters from the data;
2. if quotes are escaped with a backslash \, remove that backslash.

Instead of writing the same code over and over again, we can create a function that does all the checking for us. Here we will name it check_input and simply call this function whenever we need to validate simple input data:
<?php
$yourname = check_input($_POST['yourname']);
$email    = check_input($_POST['email']);
$likeit   = check_input($_POST['likeit']);
$comments = check_input($_POST['comments']);
?>
<html>
<body>
Your name is: <?php echo $yourname; ?><br />
Your e-mail: <?php echo $email; ?><br />
<br />
Do you like this website? <?php echo $likeit; ?><br />
<br />
Comments:<br />
<?php echo $comments; ?>
</body>
</html>
<?php
// Declared at top level, so PHP hoists it and the calls above can use it.
function check_input($data)
{
    $data = trim($data);           // drop leading/trailing whitespace
    $data = stripslashes($data);   // undo backslash-escaped quotes
    $data = htmlspecialchars($data); // escape HTML special characters
    return $data;
}
?>
Note the check_input function at the bottom. It takes the data passed to it, strips unwanted characters (extra spaces, tabs, newlines) from the beginning and end of the data using PHP's trim() function, removes the backslashes from any escaped quotes with stripslashes(), and finally passes the result through htmlspecialchars(). So now, instead of repeating the same code for each of our input fields, we simply run each $_POST variable through check_input and that's it.
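As an added example (not the tutorial's own code), the tutorial's check_input() is placed beside a stricter variant I call escape_html() (a hypothetical name) and both are run over constructed sample submissions, to show where the default htmlspecialchars() flags and the stripslashes() step fall short.

```php
<?php
// Added example: the tutorial's check_input() next to a stricter variant,
// exercised on constructed input as it might arrive in $_POST.

// The tutorial's version: trim, remove magic-quotes backslashes, escape HTML.
function check_input($data)
{
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}

// Stricter variant (hypothetical name, not from the tutorial):
//  - ENT_QUOTES also escapes single quotes; before PHP 8.1 the default
//    flags (ENT_COMPAT) left ' untouched, so a value placed inside a
//    single-quoted attribute could still break out of it.
//  - ENT_SUBSTITUTE replaces invalid UTF-8 with U+FFFD instead of
//    making htmlspecialchars() return an empty string (pre-8.1 default).
//  - The charset is given explicitly rather than relying on the default.
//  - stripslashes() is dropped: it only undid magic_quotes_gpc, which
//    modern PHP no longer has, and otherwise mangles real backslashes.
function escape_html($data)
{
    $data = trim((string) $data);
    return htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample submissions (not real traffic).
$samples = [
    'script tag' => "<script>location.href('http://www.SPAM.com')</script>",
    'quotes'     => "  Tom's \"quoted\" <b>text</b>  ",
    'backslash'  => 'C:\\Users\\tom',          // stripslashes() would eat these
    'bad utf-8'  => "caf\xE9",                 // Latin-1 byte, invalid UTF-8
];

foreach ($samples as $label => $raw) {
    printf("%-10s raw:         %s\n", $label, $raw);
    printf("%-10s check_input: %s\n", '', check_input($raw));
    printf("%-10s escape_html: %s\n\n", '', escape_html($raw));
}
```

Run it under an older PHP (before 8.1) and then a current one and compare the 'quotes' and 'bad utf-8' rows: the tutorial's check_input() output changes between versions, while escape_html() is the same on both.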

» Copyright notice © 2008-2025 myPHPform.com. All rights reserved. Copying or redistributing any part of this website without our written permission is expressly forbidden!