Ashley Sheridan​.co.uk

Form Validation

Posted on

Form validation is one of the most under-rated and at the same time most important parts of a web application. It might seem good at first to check for simple things like checking to see if an email address has an @ sign, or that a name field has more than 1 character, the truth is that without sanitising your inputs, you're leaving your whole website vulnerable to attack. Take a contact form as an example. Did you realise how easy it is for a spammer to turn this into their own personal email server! There is a good article on the spam injection technique on the Wordpress website, which shows how easy it is to be caught with your trousers round your ankles.

For this reason, I've created a function in PHP which validates form fields with regular expressions, which, thus far, have worked out pretty well for me. I'll not include the whole code here, I'll just talk about how to use it. You can find the code in the validation.tar.gz or validation.zip archive depending on which type you can open.

The function itself has 5 arguments, and each one is explained briefly in the table below:

ArgumentRequiredTypeDescription
$fieldYesStringThis is the string value to validate.
$typeYesStringThe type of field that this should be validated as, i.e. email, number, etc. The table below this one explains the types.
$fieldLabelYesStringA human readable label for the field, to be used in error messages.
&$errorArrayYesArrayAn array for the function to store error messages. The & symbol in the function means the array is passed by reference, but when you use the function, you do not need the & character.
$requiredNoBooleanWhether this field is required or not. By default, all fields are required, so if you do not need it, call the function with an extra false argument.

The types of field the function can validate are as follows:

TypeValidates
textAllows only letters and spaces
numberAllows only numbers and spaces
alphanumAllows letters, numbers and spaces
dateDates in the form dd/mm/yyyy
urlValid URLs
emailEmail addresses
postcodePostcodes in the standard UK format
fulltextAnything except a \ (backslash) or % as these can be used for injection attacks

The following example shows how the function can be used:

$email = $_REQUEST['email']; $forename = $_REQUEST['forename']; $surname = $_REQUEST['surname']; $message = $_REQUEST['message']; $errors = Array(); validateField($email, 'email', 'Email Address', $errors); validateField($forename, 'text', 'Forename', $errors, false); validateField($surname, 'text', 'Surname', $errors, false); validateField($message, 'fulltext', 'Your Message', $errors); if(count($errors) > 0) { // handle the errors, and do not process the form any more } else { // error free - process the form data }

Lines 1-4 aren't necessary, you could just use the $_REQUEST['variable'] in the call to the validateField() function, but I like to keep things neat. Line 5 is essential, as it is used to store any errors that may occur during the validation process. If there are any errors, the array will not be empty, hence the check on line 12. Iterating this array will indicate every field there was a problem with, and what the problem was.

You'll notice in the above calls to validateField that I've shown how to use the extra argument to indicate that the forename and surname aren't required. If the function finds these empty, it will not return an error, but if the field does contain something, it will attempt to validate it against the specified type, inserting an error into the $errors array.

I hope this will be as useful to you as it has been for me. As you can see, it is quite flexible, and can be applied to pretty much any project.