PHP form validation

HTML Form Validation

When the form is used to collect customer input information, do not take it for granted that the customer will input the required content as expected. Customer input must be strictly checked at all times.

Client-side verification

Client-side form verification is generally a verification method based on Javascript scripts. This verification method can effectively reduce the burden on the server and can also instantly remind customers of input errors.

Server-side verification

In some cases, in addition to client-side verification, server-side verification may also be required (such as accessing the database). At this time, logical verification needs to be done in the PHP program.

We need to consider security when processing PHP forms.

In this chapter we will demonstrate the secure processing of PHP form data. In order to prevent hackers and spam, we need to perform data security verification on the form.

The HTML form introduced in this chapter contains the following input fields: required and optional text fields, radio buttons, and submit buttons:

View Code »

The above form validation rules are as follows:

FieldsValidation rules

#Name + Can only contain letters and spaces

E-mail + Must be a valid email address (contains '@' and '.')

URL Required. If present, it must contain a valid URL. Multi-line input field (text field)

Gender You must choose one

First let us look at the pure HTML form code:

Text field

The "Name", "E-mail", and "Website" fields are text input elements, and the "Remarks" field is a textarea. The HTML code is as follows:

"Name":
E-mail:
URL:
Remarks: < /textarea><br></p> <p><strong>Radio button</strong></p> <p>The "Gender" field is a radio button, the HTML code is as follows:</p> <p><br><br><br></p>#Form elements <p><strong></strong>HTML form code is as follows:</p> <p><form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>"></p> <p><br>This form uses the method="post" method to submit data.</p> <p></p>What is the $_SERVER["PHP_SELF"] variable? <p><strong style="line-height: 1.76em;"></strong><br></p>$_SERVER["PHP_SELF"] is a super global variable that returns the current The file name of the executed script, related to the document root. <p><br></p>So, $_SERVER["PHP_SELF"] will send the form data to the current page instead of jumping to a different page. <p><span style="line-height: 1.76em;"></span><br></p>What is the htmlspecialchars() method? <p><strong style="line-height: 1.76em;"></strong><br>The htmlspecialchars() function converts some predefined characters into HTML entities. The predefined characters for</p> <p>are:</p> <p>& (ampersand) becomes &</p> <p>" (double quotation mark) becomes "</p> <p>' (single quotation mark ) become'</p> <p>< (less than) become<</p> <p>> (greater than) become></p> <p></p>Things that need attention in PHP forms Where? <p><strong style="font-size: 18px; line-height: 1.76em;">##$_SERVER["PHP_SELF"] variables may be used by hackers!</strong></p> <p><strong style="font-size: 18px; line-height: 1.76em;">When hackers use cross-site scripting HTTP links to attack, the $_SERVER["PHP_SELF"] server variable will also be embedded in the script. The reason is that cross-site scripting is appended to the path of the executable file, so the string of $_SERVER["PHP_SELF"] will contain the JavaScript program code behind the HTTP link.</strong></p> <p><strong style="font-size: 18px; line-height: 1.76em;"><span style="line-height: 1.76em;">XSS is also called CSS (Cross-Site Script), a cross-site scripting attack. Malicious attackers insert malicious HTML code into a Web page. When a user browses the page, the HTML code embedded in the Web page will be executed, thereby achieving the special purpose of the malicious user.</span><br></strong></p> <p><strong style="font-size: 18px; line-height: 1.76em;"><span style="line-height: 1.76em;">Specify the following form file name as "test_form.php":</span><br></strong></p> <p><strong style="font-size: 18px; line-height: 1.76em;"><?php echo $_SERVER["PHP_SELF"];?>"><br></strong></p> <p><strong style="font-size: 18px; line-height: 1.76em;">Now, we use the URL to specify the submission address "test_form.php", the above code is modified as follows ;</strong></p> <p><strong style="font-size: 18px; line-height: 1.76em;">However, considering that the user will enter the following address in the browser address bar:<br></strong></p> <strong style="font-size: 18px; line-height: 1.76em;">//m.sbmmt.com/test_form.php/%22%3E%3Cscript%3Ealert ('Hacked')%3C/script%3E<p></p>## or above will be parsed to the following code and execute:<p></p>; FORM METHOD = "Post" action = "test_form.php/"><script>alert('hacked')</script><p><br></p>The script tag has been added to the code, and the alert command has been added. This Javascript code will be executed when the page loads (the user will see a pop-up box). This is just a simple example of how the PHP_SELF variable can be exploited by hackers.<p></p>Please note that any JavaScript code can be added in the <script> tag! Hackers can use this to redirect the page to another server. The page code file can protect malicious code. The code can modify global variables or obtain the user's form data.<p><br>How to avoid $_SERVER["PHP_SELF"] from being exploited?</p><p>$_SERVER["PHP_SELF"] can be avoided by using the htmlspecialchars() function.</p><p>The form code is as follows:</p><p>;</p><p></p>htmlspecialchars() Convert some predefined characters into HTML entities. Now if the user wants to take advantage of the PHP_SELF variable, the result will be output as follows:<p></p><p>,,,,, The vulnerability failed!<br></p>Use PHP to verify form data<p></p>First of all, we process all the data submitted by the user through PHP's htmlspecialchars() function.<p></p>When we use the htmlspecialchars() function, the user tries to submit the following text field:<p></p>;/script><p></p><p>This code will not be executed because it will be saved as HTML escaped code, as shown below: '//m.sbmmt.com')</script><br></p>When the user submits the form, we will do the following two things:<p></p>Use the PHP trim() function to remove unnecessary characters (such as spaces, tabs, newlines) in the user input data ).<p><br>Use the PHP stripslashes() function to remove backslashes (\) in user input data</p><p>Next let us write these filtering functions in a function we define, so It can greatly improve the reusability of code.</p><p>Name the function test_input().</p><p>Now, we can use the test_input() function to detect all variables in $_POST. The script code is as follows:</p><p>Example</p><pre class="brush:php;toolbar:false"><?php // 定义变量并默认设置为空值 $name = $email = $gender = $comment = $website = ""; if($_SERVER["REQUEST_METHOD"] == "POST") { $name = test_input($_POST["name"]); $email = test_input($_POST["email"]); $website = test_input($_POST["website"]); $comment = test_input($_POST["comment"]); $gender = test_input($_POST["gender"]); } function test_input($data) { $data = trim($data); $data = stripslashes($data); $data = htmlspecialchars($data); return $data; } ?></pre><p></p>Note that we are When the above script is executed, $_SERVER["REQUEST_METHOD"] will be used to detect whether the form has been submitted. If REQUEST_METHOD is POST, the form will be submitted - and the data will be validated. If the form is not submitted validation will be skipped and displayed blank.<p></p><p></p>The use of input items in the above examples is optional, and it can be displayed normally even if the user does not enter any data.<p></p>In the next chapter we will introduce how to verify the data entered by the user.<p><span style="line-height: 1.76em;"></span><br></p></strong> </div> <strong style="font-size: 18px; line-height: 1.76em;"></strong> </div> <strong style="font-size: 18px; line-height: 1.76em;"><a class="course-btn course_code_header_next" href="//m.sbmmt.com">Continuing Learning</a></strong> </div> <strong style="font-size: 18px; line-height: 1.76em;"> <div class="layui-col-md6 editor-box"> <div id="code_spread_shrink"> <div id="code_spread_shrink_show" unselectable="on"> <span>||</span> </div> </div> <div class="editor-tab js-editor-tab"> <div class="editor-left icon-left editor-op"></div> <div class="editor-view"> <ul class="clearfix" id="J_TabType" style="width: 120px; margin-left: 0px;"> <li class="ui-tabs-active"><a href="javascript:;">new file</a></li> </ul> </div> <div class="editor-right icon-right editor-op"></div> </div> <div id="editor-tabs-html" data-filename="index.html" data-lang="php" style="font-size: 16px;height:600px"> <!DOCTYPE HTML> <html> <head> <meta charset="utf-8"> <title>PHP中文网</title> <script type="text/javascript" src="/js/jquery.3.5.2.min.m.js"></script> </head><div style="position: fixed;right: 0;top:100px;width: 125px; z-index:2000;"><div ><a target="_blank" rel="nofollow" href="https://www.520xingyun.com/from/188bet.php" ><img width="120px" height="550px" src="https://www.520xingyun.com/images/188_120.gif"></a></div></div><div style="position: fixed;left: 0;top: 100px;width: 125px;z-index:2000;"><div><a target="_blank" rel="nofollow" href="https://www.520xingyun.com/from/188bet.php"><img width="120px" height="550px" src="https://www.520xingyun.com/images/188_120.gif"></a></div></div> <body> <?php // 定义变量并默认设置为空值 $name = $email = $gender = $comment = $website = ""; if ($_SERVER["REQUEST_METHOD"] == "POST") { $name = test_input($_POST["name"]); $email = test_input($_POST["email"]); $website = test_input($_POST["website"]); $comment = test_input($_POST["comment"]); $gender = test_input($_POST["gender"]); } function test_input($data) { $data = trim($data); $data = stripslashes($data); $data = htmlspecialchars($data); return $data; } ?> <h2>PHP 表单验证实例</h2> <form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>"> 名字: <input type="text" name="name"> <br><br> E-mail: <input type="text" name="email"> <br><br> 网址: <input type="text" name="website"> <br><br> 备注: <textarea name="comment" rows="5" cols="40">

性别: 女 男

您输入的内容是:"; echo $name; echo "
"; echo $email; echo "
"; echo $website; echo "
"; echo $comment; echo "
"; echo $gender; ?>