form validation in php [closed]

Answer 1

the method I like to use is this (this is in the context of an MVC application)

1. Form in a View is set to POST back to own URL.
2. When the controller receives a POST request, validation is performed. If errors aren't found, the relevant action is taken, and then a HTTP redirect is sent back to the browser to send them to correct "success" page.
3. If validation fails, the original form is displayed, and each field displays the entered data. Invalid fields show error messages.

Answer 2

Assuming you have a form with a submit button named "submit" and a input field named "yourname", you could do something like this. All of this code would be in the same file.

<?php
//Form submitted
if(isset($_POST['submit'])) {
  if(!isset($_POST['yourname'])) {
    //Form field 'yourname' didn't have a value
    $error['yourname'] = "<p>Please provide your name.</p>\n";
  } else {
    //Field 'yourname' had a value, check other things
    //Your other checks here (optional)
  }

  //No errors, process form
  if(!is_array($error)) {
    //Process your form

    //Done processing
    echo "<p>Information saved.</p>";
    exit;
  }
}
?>
<form method="post" action="<?=$_SERVER['PHP_SELF']?>">
  <?=$error['yourname']?>
  <p><label for="yourname">Name:</label><input type="text" id="yourname" name="yourname" value="<?=htmlspecialchars($_POST['yourname'])?>" /></p>
  <p><input type="submit" name="submit" value="Submit" />
</form>

Answer 3

This depends on how tight you want the validation to be.

The sintaxis is pretty straight fordward:

$var = function_that_cleans_any_input($_POST['input_name']);

Usually validating functions return false if it is a bad input so if the field is required you can use a condition like:

if(!$var){
     die("The input is not valid");
} 

For security matters you should ALWAYS scape strings that come from the user before inserting them into the database, this you can do with mysql_real_scape_string which prevents an attack called mysql injection that is very common and very dangerous.

If you know the field you are validating has a specific format i suggest you validate against that, for instance mail or a url, there is a filter function that is pretty easy to use and can help you with that.

If the input is an int, piece of cake, use typecasting $validated = (int)$input; and that will do it, but if it's a date you an you the native checkdate function from php.

As you can see there is always a function that can save the day, if you are having trouble validating something be sure to investigate it throughly and if you don't find it make your own validating functions.

Here is a link that might help:http://hungred.com/useful-information/php-form-validation-snippets/