When building web applications, it is important to take security seriously, especially when you have to deal with obtaining data from users.

A general security rule is to trust no one, so you can't rely on users to always enter the correct values ​​into forms. For example, instead of entering the correct email address in the field, the user may enter an incorrect address, or even some malicious data.

When it comes to validating user data, it can be done either on the client side (in the web browser) or on the server side.

Previously, client-side validation could only be done using JavaScript. But everything has changed (or almost changed), since with the help of HTML5, validation can be done in the browser, without the need to write complex validation scripts in JavaScript.

Form Validation Using HTML5

HTML5 provides a fairly robust mechanism based on the following tag attributes: type, pattern, and require. With these new attributes, you can offload some of the data validation functionality to the browser.

Let's look at these attributes to understand how they can help with form validation.

type attribute

This attribute tells which input field to display for data processing, for example the familiar field like

Some input fields already provide standard validation methods, without the need to write additional code. For example, it checks a field to ensure that the entered value matches the template of a valid email address. If an incorrect character is entered into a field, the form cannot be submitted until the value is corrected.

Try playing around with the email field values ​​in the demo below.

There are also other standard field types, like , and for validating numbers, URLs and phone numbers, respectively.

Note: Phone number formats vary from country to country due to differences in number of digits in phone numbers and differences in formats. As a result, the specification does not define an algorithm for checking phone numbers, so at the time of writing this feature is poorly supported by browsers.

Luckily for us, phone number validation can be done using the pattern attribute, which takes a regular expression as an argument, which we'll look at next.

pattern attribute

The pattern attribute will likely make many front-end developers jump for joy. This attribute accepts a regular expression (similar to the JavaScript regular expression format) that will be used to check the correctness of the data entered in the field.

Regular expressions are a language used to parse and manipulate text. They are often used for complex find and replace operations, as well as for checking the correctness of entered data.

Today, regular expressions are included in most popular programming languages, as well as in many scripting languages, editors, applications, databases, and command line utilities.

Regular expressions (RegEX) are a powerful, concise, and flexible tool for matching a string of text, such as individual characters, words, or character patterns.

By passing a regular expression as the value of the pattern attribute, you can specify what values ​​are acceptable for a given input field, as well as inform the user about errors.

Let's look at a couple of examples of using regular expressions to validate the value of input fields.

Phone numbers

As mentioned earlier, the tel field type is not fully supported by browsers due to inconsistencies in phone number formats in different countries.

For example, in some countries the format for telephone numbers is xxxx-xxx-xxxx, and the telephone number itself will be something like this: 0803-555-8205.

The regular expression that this pattern matches is: ^\d(4)-\d(3)-\d(4)$ . In code this can be written like this:

Phone Number:

Alphanumeric values ​​Attribute required

This is a Boolean attribute used to indicate that the value of a given field must be filled in in order to submit the form. When you add this attribute to a field, the browser will require the user to fill out this field before submitting the form.

This saves us from implementing field validation using JavaScript, which can save developers some time.

For example: or (for XHTML compatibility)

All the demos you've seen above use the required attribute, so you can try it out by trying to submit the form without filling out any fields.

Conclusion

Browser support for form validation is pretty good, and for older browsers you can use polyfills.

It's worth noting that relying on browser-side validation alone is dangerous, as these checks can be easily bypassed by attackers or bots.

Not all browsers support HTML5, and not all data sent to your script will come from your form. This means that before finally accepting data from the user, it is necessary to check its correctness on the server side.

It is very essential to have the input to your form validated before taking the form submission data for further processing. When there are many fields in the form, the PHP validation script becomes too complex. Moreover, since you are doing the same or similar validation for most of the forms that you make, just too much of duplicate effort is spent on form validations.

About this generic PHP form validation script

This generic PHP form validator script makes it very easy to add validations to your form.

We create and associate a set of “validation descriptors” with each element in the form. The “validation descriptor” is a string specifying the type of validation to be performed. For example, “req” means required, “alpha” means allow only alphabetic characters and so on.

Each field in the form can have zero, one or more validations. For example, the input should not be empty, should be less than 25 chars, should be alpha-numeric, etc

You can associate a set of validation descriptors for each input field in the form.

Download the PHP form validation script

You can download the PHP form validation script below:
The zip file contains the form validation script formvalidator.php, documentation and usage samples.

Using the PHP form validation script

Include formvalidator.php in your form processing script

require_once "formvalidator.php"

Create a FormValidator object and add the form validation descriptors.

$validator = new FormValidator(); $validator->addValidation("Name","req","Please fill in Name"); $validator->addValidation("Email","email", "The input for Email should be a valid email value"); $validator->addValidation("Email","req","Please fill in Email");

The first argument is the name of the input field in the form. The second argument is the validation descriptor that tells the type of the validation required. The third argument is the error message to be displayed if the validation fails.

Validate the form by calling ValidateForm() function

if(!$validator->ValidateForm()) ( echo "Validation Errors:"; $error_hash = $validator->GetErrors(); foreach($error_hash as $inpname => $inp_err) ( echo "

$inpname: $inp_err

\n"; ) ) Example

The example below will make the idea clearer

Name: Email:

Adding Custom Validation

If you want to add a custom validation, which is not provided by the validation descriptors, you can do so. Here are the steps:

Create a class for the custom validation and override the DoValidate() function

class MyValidator extends CustomValidator ( function DoValidate(&$formars,&$error_hash) ( if(stristr($formars["Comments"],"http://")) ( $error_hash["Comments"]="No URLs allowed in comments"; return false; ) return true; ) )

Add the custom validation object

$validator = new FormValidator(); $validator->addValidation("Name","req","Please fill in Name"); $validator->addValidation("Email","email", "The input for Email should be a valid email value"); $validator->addValidation("Email","req","Please fill in Email"); $custom_validator = new MyValidator(); $validator->AddCustomValidator($custom_validator);

The custom validation function will be called automatically after other validations.

Table of Validation Descriptors

Here is the list of all validation descriptors:

Validation Descriptor	Usage
req	The field should not be empty
maxlen=???	checks the length entered data to the maximum. For example, if the maximum size permitted is 25, give the validation descriptor as “maxlen=25”
minlen=???	checks the length of the entered string to the required minimum. example “minlen=5”
alnum	Check the data if it contains any other characters other than alphabetic or numeric characters
alnum_s	Allows only alphabetic, numeric and space characters
num	Check numeric data
alpha	Check alphabetic data.
alpha_s	Check alphabetic data and allow spaces.
email	The field is an email field and verify the validity of the data.
lt=??? lessthan=???	Verify the data to be less than the value passed. Valid only for numeric fields. example: if the value should be less than 1000 give validation description as “lt=1000”
gt=??? greaterthan=???	Verify the data to be greater than the value passed. Valid only for numeric fields. example: if the value should be greater than 10 give validation description as “gt=10”
regexp=???	Check with a regular expression the value should match the regular expression. example: “regexp=^(1.20)$” allow up to 20 alphabetic characters.
dontselect=??	This validation descriptor is for select input items (lists) Normally, the select list boxes will have one item saying ‘Select One’. The user should select an option other than this option. If the value of this option is ‘Select One’, the validation description should be “dontselect=Select One”
dontselectchk	This validation descriptor is for check boxes. The user should not select the check given box. Provide the value of the check box instead of ?? For example, dontselectchk=on
shouldselchk	This validation descriptor is for check boxes. The user should select the given check box. Provide the value of the check box instead of ?? For example, shouldselchk=on
dontselectradio	This validation descriptor is for radio buttons. The user should not select the given radio button. Provide the value of the radio button instead of ?? For example, dontselectradio=NO
selectradio	This validation descriptor is for radio buttons. The user should select the given radio button. Provide the value of the radio button instead of ?? For example, selectradio=yes
selmin=??	Select atleast n number of check boxes from a check box group. For example: selmin=3
selone	Makes a radio group mandatory. The user should select atleast one item from the radio group.
eqelmnt=???	compare two elements in the form and make sure the values ​​are the same For example, ‘password’ and ‘confirm password’. Replace the ??? with the name of the other input element. For example: eqelmnt=confirm_pwd

We will talk about the validation of POST or GET data, although in principle this can also be applied to data received by other methods, such as cookies. As you develop any web application, you need to write an interface for interacting with users and naturally create various forms for users to send data to the server. for example, these could be comments. I think it’s clear and obvious to everyone that the received data needs to be checked to see if it corresponds to the type, size, and specified range. First of all, this is required for the security of the system, website or database, because... Incorrectly transmitted data or a deliberately poorly formed request can open access to an attacker.

Secondly, unverified data, if incorrect, can cause unstable operation of the script, the system or the entire server. Therefore, all data needs to be checked and double-checked; perhaps someone will say that there is no need for excessive paranoia, but I believe that in this matter it simply cannot be excessive.

Do not trust data received from users, under any pretext, under any circumstances. It happens that we are simply too lazy to write code that checks the received data once again, or we hope that the existing verification methods are enough, as a result of which we make concessions to ourselves.

A little digression from the topic:
Working on projects, developing and programming websites, scripts, and other systems takes up almost all of my free time (besides working time), in other words, I do this work for the maximum possible number of hours a day. From time to time there is a need to test something, for fun or just curiosity. As a result, sites made in haste, using homemade engines or CMS of ancient versions, become similar testing laboratory rats. Of course, all of the above suffers from crookedly written code, lack of data control and is simply teeming with various bugs. Actually, in most cases, in an hour of my experiments on such sites, I manage to find several serious vulnerabilities, and most of them lie in insufficient validation of the received data. Recently, this has often been found in scripts that process POST data received from JavaScript + Ajax.

Apparently, the programmers who wrote these scripts using Ajax believe that since all requests occur in the background, without the user’s knowledge or simply without reloading the page, then the data need not be particularly checked.

As a rule, quite a few of these scripts turn out to be so full of holes that without much effort they manage to make a larger hole and flood their shell. of course, solely for the purpose of experimentation and nothing more (the administration of such sites is always informed of existing vulnerabilities).

I think the importance of validation is clear to everyone. For a long time, I wrote the same piece of code each time, then used my own data verification functions, many of which were very primitive and, as a rule, scattered in different parts of (included) files. Soon I began to get acquainted with the PHP frameworks Zend, CI, Kohana, each of which implemented its own class for validating data that I borrowed for my projects. In the end, I decided to tailor one of the CI classes to my needs, but it turned out that the author of one of the programming blogs had already taken care of this. Next, I share his works, namely the modified CodeIgniter library.

Let's look at the following code:

View code PHP

require_once "validator.class.php" ; $validator = new Validator() ; $validator -> set_rules ("name" , "Your name" , array ("required" => , "alpha" => ) ) ; $validator -> set_rules ("email" , "Your email" , array ("required" => "Field %s is required" , "valid_email" => ) ) ; if ($validator -> run () ) ( echo "Validation was successful" ; ) else ( echo $validator -> get_string_errors () ; )

As you can see from the example, in the first line we include the class file validator.calss.php to our script. Next, we create an instance of the class and save the object to a variable $validator.
Then using the method $validator->set_rules($field, $label, $rules) set the fields for validation.

This method takes 3 parameters:

$field- name of the validation field (the value of the name attribute in the tag)

$label- name of the validation field, will be inserted into error messages

$rules- an array of validation rules, in which the validation rule is used as the key, and the error message for this rule is used as the value

After all the fields for validation are set, we launch the validator using the method $validator->run(). If validation was successful, this method will return the value TRUE, otherwise, if there are any errors, it will return FALSE.

There are three methods to receive error messages:

get_string_errors()- returns all error messages as a string

get_array_errors()— returns all messages as an array, where the field name is used as the key, and the error description for this field is used as the value.

form_error($field)- returns an error message for the field passed as the $field parameter

By default, error messages are wrapped in a tag . To set your design, use the method set_error_delimiters($prefix, $suffix). For example like this:

Error messages will now appear as div with class "error"

As you can see, everything is very simple.

View code PHP

$validator -> set_error_delimiters ( " " , " " ) ;

To set validation rules, you can use the method set_rules($fields) pass a multidimensional associative array. Let's look at an example:

View code PHP

$rules = array ( array ( "field" => "name" , "label" => "Your name" , "rules" => array ( "required" => "Field %s is required" , "alpha" => "Field %s must contain only letters" ) , array ( "field" => "email" , "label" => "Your email" , "rules" => array ( "required" => "Field % s is required" , "valid_email" => "Field %s must contain a valid email address" ) ) ) ; $validator -> set_rules ($rules ) ;

As you can see, I wrote down the same validation rules as in the first example, only in the form of a multidimensional associative array. You can use any of the methods that suit you best in a given situation.

So, what validation rules does this class support?

I brought to this class the most common validation rules that everyone encounters. Here is a complete list of these rules:

required	Returns FALSE if the field is empty
integer	Returns FALSE if the value is not an integer
float	Returns FALSE if the value is not a numeric value
valid_url	Returns FALSE if value is not a valid URL
valid_email	Returns FALSE if value is not a valid email address
valid_ip	Returns FALSE if the IP address is not valid
matches	Returns FALSE if the element does not match the value of another field element
alpha	Returns FALSE if the element contains more than just letters
valid_captcha	Returns FALSE if the value in the session field is not equal to the value of the form field
valid_date	Returns FALSE if the element contains an invalid date

Most of these rules use filters, which became available in PHP 5.

If you wish, you can always expand the set of rules for validation by adding the necessary functions to the Validator class.

To get the processed POST data value, use the following method:

View code PHP

Typically, this method is called to clear the form upon successful processing of the form.

Good evening everyone (more like night - editor's note). Today we will improve that one a little. First, let's learn how to do form validation in PHP and do some security manipulations.

So, look at the code below and note the following changes and the following reasons for the changes. I highlighted all new lines with color.

The name of the form fields has been changed. You may ask – why the hell do we need this? It’s simple, I’ll answer you. As far as I know, some spam bots scour sites looking for forms and fill them out based on the names of these fields. In theory, if they don’t find a match, then they go home, which is what we want. Of course, I don’t think the degree of this protection is particularly great, but it won’t hurt us, and if spam emails decrease by 1 letter, that will be good =).

Checking whether the email address is entered correctly. Line 17 uses the elseif operator, which will be checked if if returned a positive answer to us, that is, it said that the email address was missing at all, that is, it was not entered. Here we use the preg_match function, which allows us to compare the entered address with regular expression. Perhaps I’ll write briefly about regular expressions later, but for now it’s worth knowing that a regular expression creates a kind of template against which our string is checked. And if, in our case, the entered address does not match the expression, then again an error will be displayed. For example, here are a couple more regular expressions:
|^[-а-яе\s\.,;:\?!]+$|i– this regular expression allows you to use only the Russian alphabet and some characters such as space, period, comma, etc.
#http://[-a-z0-9_.]+[-a-z0-9_:@&?=+,.!/~*’%$]*\.(html?|php)#i– and this expression allows you to check the correct spelling of an address on the Internet.

Next, we use the else operator, where all our code for sending a letter has already been transferred. You can create verification rules yourself in any quantity, just add new ones if, such as for checking an email address, and you will be happy.

The contact person:

Contact Email:

Message:

This is how you can validate your PHP forms without resorting to anything extraneous. Next time in a post on the topic of forms, I think, validation of forms in jQuery will be considered. In the meantime, I'm waiting for your comments and wishes. Good night and happy morning everyone =).

This and the next chapters show how to use PHP to validate form data.

PHP Form Validation

Think SECURITY when processing PHP forms!

These pages will show how to process PHP forms with security in mind. Proper validation of form data is important to protect your form from hackers and spammers!

The HTML form we will be working at in these chapters, contains various input fields: required and optional text fields, radio buttons, and a submit button:

The validation rules for the form above are as follows:

Field Validation Rules

Name	Required. + Must only contain letters and whitespace
Email	Required. + Must contain a valid email address (with @ and .)
Website	Optional. If present, it must contain a valid URL
Comment	Optional. Multi-line input field (textarea)
Gender	Required. Must select one

First we will look at the plain HTML code for the form:

Text Fields

The name, email, and website fields are text input elements, and the comment field is a textarea. The HTML code looks like this:

Name:
Email:
Website:
Comment:

Radio Buttons

The gender fields are radio buttons and the HTML code looks like this:

Gender:
Female
Male
Other

The Form Element

The HTML code of the form looks like this: