PHP form validation

PHP Form Validation

In this chapter we will introduce how to use PHP to verify form data submitted by the client.

User input should be validated (via client script) whenever possible. Browser validation is faster and reduces the load on the server.

If user input needs to be inserted into the database, you should consider using server validation. A good way to validate a form on the server is to pass the form to itself, rather than jumping to a different page. This way users can get error messages on the same form page. It will be easier for users to find errors.

#We need to consider security when processing PHP forms.

In this chapter we will demonstrate the secure processing of PHP form data. In order to prevent hackers and spam, we need to perform data security verification on the form.

PHP form validation example

The above form uses the following validation rules:

##First let’s take a look at the pure HTML code of this form:

Text field

name, email and website are text input elements, and the comment field is a text box. The HTML code is like this:

Name:  E-mail:  Website:  Comment: 

Radio button

gender field is single Select button, the HTML code is like this:

Gender: Female Male

Form element

The HTML code for the form is like this:

">

When this form is submitted, form data is sent via method="post".

What is the $_SERVER["PHP_SELF"] variable?

$_SERVER["PHP_SELF"] is a super global variable that returns the file name of the currently executing script.

Therefore, $_SERVER["PHP_SELF"] sends the form data to the page itself instead of jumping to another page. In this way, users can get error message information on the form page.

What is the htmlspecialchars() function?

htmlspecialchars() function converts special characters into HTML entities. This means that HTML characters like < and > are replaced with < and > . This prevents attackers from exploiting the code by injecting HTML or JavaScript code into the form (cross-site scripting attacks).

Important Tips About PHP Form Security

$_SERVER["PHP_SELF"] variables can be exploited by hackers!

If your page uses PHP_SELF, users can enter an underscore and execute cross-site scripting (XSS).

Tip: Cross-site scripting (XSS) is a type of computer security vulnerability that is common in web applications. XSS enables an attacker to enter client-side script into web pages viewed by other users.

Suppose we have a page named "test_form.php" with the following form:

">

Now, if the user enters the normal URL in the address bar: "http://www. php.cn/test_form.php", the above code will be converted to:

So far ,everything is normal.

However, if the user types the following URL in the address bar:

//m.sbmmt.com/test_form.php/%22%3E%3Cscript%3Ealert('php ')%3C/script%3E

In this case, the above code will be converted to:

This code adds a script and a prompt command. And when the page loads, the JavaScript code will be executed (the user will see a tooltip). This is just a simple and harmless example of how the PHP_SELF variable can be exploited.

You should realize that you can add any JavaScript code inside the

- The code will not be executed because it will be saved as an escaped code, like so:

Now this code is displayed on the page or in the e-mail is safe.

When the user submits the form, we have to do two more things:

1. (Through the PHP trim() function) Remove unnecessary characters (extra spaces) in the user input data , tab character, newline)

2. (Through PHP stripslashes() function) Remove backslashes (\) in user input data

Next we create a check function (similar to This is more efficient than writing code over and over again).

We named the function test_input().