PHP Form Validation

In any web application, server-side form validation is very important. PHP provides useful built-in functions for form validation.

HTML Form with Validation

The example form below contains four fields: a text box for the name, radio buttons for gender, an email box for the email address and a select box for degree selection. The example uses both HTML5 and PHP validation, which are discussed in the sections below.

<!doctype html>
<html>
	<head>
		<title>HTML5 Form With Server Side Validation</title>
	</head>
	<body>
		<?php
			//Variables for error Messages
			$errName=$errEmail=$errDegree="";
			
			//take the form data
			if(isset($_POST['submit'])){
				
				//declare variables for form controls data
				$name=$gender=$email=$degree="";
				
				//Clear the Form data from injections/attacks
				//(?? '' avoids an undefined-key warning when a field is missing from the request)
				$name=check_input($_POST['txtName'] ?? '');
				$gender=check_input($_POST['rdGender'] ?? '');
				$email=check_input($_POST['txtEmail'] ?? '');
				$degree=check_input($_POST['slDegree'] ?? '');
				
				//validate the data
				if(empty($name) || !preg_match("/^[a-zA-Z ]*$/",$name)){
					$errName="Please Enter the Name";
				}
				if(!empty($email) && !filter_var($email, FILTER_VALIDATE_EMAIL)){ //if email is not empty then validate the email
						$errEmail="Please Enter Valid Email";
				}
			
				if($degree=="--select--"){
					
					$errDegree="Please Select the Degree";
				}
			}
			
			function check_input($value){
				$value=trim($value); //remove the unwanted spaces
				$value=stripslashes($value); //remove the slashes
				$value=htmlspecialchars($value); //convert special characters to HTML entities, e.g. < becomes &lt;
				return $value;
			}
		?>
		<h1>Student Form</h1>
		<form  action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']) ?>" method="post" enctype="multipart/form-data">
			Name*:<input type="text" name="txtName" required maxlength="15" />
			<p style="color:red"><?php echo $errName;?></p>
			Gender*:<input type="radio" value="Male" name="rdGender" checked /> Male
				    <input type="radio" value="FeMale" name="rdGender" /> Female
			<br /><br />
			Email:<input type="email" name="txtEmail" />
			<p style="color:red"><?php echo $errEmail;?></p>
			Degree:<select name="slDegree">
						<option value="--select--">----Select----</option>
						<option value="BSIT">BSIT</option>
						<option value="BSCS">BSCS</option>
						<option value="MIT">MIT</option>
						<option value="MS">MS.IT/CS</option>
						<option value="PHD">PHD</option>
					</select>
			<p style="color:red"><?php echo $errDegree;?></p>
			<input type="submit" value="Send" name="submit" />
		</form>
	</body>
</html>

HTML5 Validation Features

First, HTML5 provides new types for the input field such as email, url and number, and there is a required attribute for the input tag that automatically checks whether the field is empty or filled in. These checks run in the browser, so the server-side PHP checks are still needed.

		Name*:<input type="text" name="txtName" required maxlength="15" />
		Email:<input type="email" name="txtEmail" />

PHP_SELF for Forms

Usually we need to submit the form data to the same page that displays the form, and PHP provides a simple way to do this: the global variable $_SERVER['PHP_SELF'] provides the filename of the current script.

	<?php 
		//htmlspecialchars converts tags into HTML special character codes to prevent attacks/injections.
		echo htmlspecialchars($_SERVER['PHP_SELF']);
	?>

Clearing the $_POST/$_GET Data

The server cannot know whether an ordinary user is sending the data or an attacker is trying to compromise the site, so there are several functions for cleaning the $_POST/$_GET data before it is processed. The user-defined function below combines some of these built-in functions: it takes a form field's value, strips unnecessary characters and returns the cleaned value.

	<?php
		function check_input($value){
			$value=trim($value); //remove the unwanted spaces
			$value=stripslashes($value); //remove the slashes
			//convert special characters to HTML entities, e.g. < becomes &lt;
			$value=htmlspecialchars($value); 
			return $value;
		}
	?>

Preg_match Function

preg_match is a PHP built-in function that matches data against a regular expression. In this example we use preg_match to check that the name contains only alphabetic characters (and spaces), not numbers or special characters.

<?php
	// The regular expression "/^[a-zA-Z ]*$/" allows only lower- and upper-case letters and spaces.
	// preg_match returns 1 when $name matches the pattern.
	$isNameValid = preg_match("/^[a-zA-Z ]*$/", $name) === 1;
?>

filter_var Function

filter_var accepts different filter constants for validating different kinds of data. In this example the function is used to verify the email pattern.

	<?php
		//Email validation by the filter_var function with the FILTER_VALIDATE_EMAIL filter
		//filter_var returns false when $email is not a valid address
		$isEmailValid = filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
	?>
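
The checks above combined into one server-side validator for this form, as an added example that is not code from the original page. It also rejects gender and degree values that are not among the form's options, and escapes only when printing. The function name validate_student_form and the gender error message are assumptions; field names and option values come from the form.

```php
<?php
// Added example: validate the raw input, escape only at output time.
// The allow-lists mirror the option values of the form on this page.
const ALLOWED_GENDERS = ['Male', 'FeMale'];
const ALLOWED_DEGREES = ['BSIT', 'BSCS', 'MIT', 'MS', 'PHD'];

// Hypothetical helper: returns [clean values, error messages keyed by field].
function validate_student_form(array $post): array
{
    $errors = [];
    // Read a field as a trimmed string; a missing or array-valued field becomes ''.
    $get = static function (string $key) use ($post): string {
        $v = $post[$key] ?? '';
        return is_string($v) ? trim($v) : '';
    };

    $name   = $get('txtName');
    $gender = $get('rdGender');
    $email  = $get('txtEmail');
    $degree = $get('slDegree');

    // Name: required, letters and spaces only, same 15-character limit as maxlength.
    if ($name === '' || strlen($name) > 15 || !preg_match('/^[a-zA-Z ]+\z/', $name)) {
        $errors['txtName'] = 'Please Enter the Name';
    }
    // Radio and select values can be tampered with: accept only known options.
    if (!in_array($gender, ALLOWED_GENDERS, true)) {
        $errors['rdGender'] = 'Please Select the Gender';
    }
    // Email is optional, but must be well-formed when present.
    if ($email !== '' && filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['txtEmail'] = 'Please Enter Valid Email';
    }
    if (!in_array($degree, ALLOWED_DEGREES, true)) {
        $errors['slDegree'] = 'Please Select the Degree';
    }
    return [compact('name', 'gender', 'email', 'degree'), $errors];
}

// Constructed sample submission: markup in the name and a degree not in the list.
$sample = ['txtName' => '<b>Ann</b>', 'rdGender' => 'Male',
           'txtEmail' => 'ann@example.com', 'slDegree' => 'ROOT'];
[$clean, $errors] = validate_student_form($sample);

// Escape at the point of output, not at the point of input.
foreach ($errors as $field => $message) {
    echo htmlspecialchars($field . ': ' . $message, ENT_QUOTES, 'UTF-8'), PHP_EOL;
}
```

htmlspecialchars only protects values that are echoed into HTML; a value that is later stored in a database still needs a prepared statement.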