PHP form validation
We need to consider security when processing PHP forms.
In this chapter we will demonstrate the secure processing of PHP form data. In order to prevent hackers and spam, we need to perform data security verification on the form.
The HTML form introduced in this chapter contains the following input fields: Must be with optional text fields, radio buttons , and submit button:
Instance
PHP.cn PHP 表单验证实例
Program running result:
The above form validation rules are as follows:
| Field | Verification rules |
| Name | is required. + Can only contain letters and spaces |
| is required. + Must be a valid email address (contains '@' and '.') | |
| URL | Optional. If present, it must contain a valid URL |
| Remarks | Optional. Multi-line input field (text field) |
| Gender | Required. Must select a |
Let’s break the code apart and look at it:
Text Field
The "Name", "E-mail", and "Website" fields are text input elements, and the "Remarks" field is the text area textarea.
HTML code is as follows:
##Name: E-mail:
Website:
Note:
single button
The HTML code is as follows:
##Gender:femalemale
Form elements
This form uses method="post" method to submit data.
What is the $_SERVER["PHP_SELF"] variable?
$_SERVER["PHP_SELF"] is a super global variable that returns the file name of the currently executing script.
Therefore, $_SERVER["PHP_SELF"] sends the form data to the page itself instead of jumping to another page. In this way, users can get error message information on the form page.
What is the htmlspecialchars() function?
htmlspecialchars() function converts special characters into HTML entities. This means that HTML characters like < and > are replaced with < and > . This prevents attackers from exploiting the code by injecting HTML or JavaScript code into the form (cross-site scripting attacks).
Important Tips About PHP Form Security
$_SERVER["PHP_SELF"] variables can be exploited by hackers!
If your page uses PHP_SELF, users can enter an underscore and execute cross-site scripting (XSS), also known as css.
reminder: Cross-site scripting (XSS) is a computer security vulnerability type, commonly in Web applications. XSS enables an attacker to enter client-side script into web pages viewed by other users.
Suppose we have the following form in a page named "test_form.php":
Now, we use the URL to specify the submission address "test_form.php". The above code is modified as follows:
That's fine.
However, consider that the user will enter the following address in the browser address bar:
//m.sbmmt.com/test_form.php/%22 %3E%3Cscript%3Ealert('hacked')%3C/script%3E
The above URL will be parsed into the following code and executed:
A script tag has been added to the code, and an alert command has been added. This Javascript code will be executed when the page loads (the user will see a pop-up box). This is just a simple example of how the PHP_SELF variable can be exploited by hackers.
Please note, Any JavaScript code can be added in the ">
Validate form data via PHP
The first thing we need to do is pass all the variables through PHP's htmlspecialchars() function. After we use the htmlspecialchars() function, if the user tries to submit the following content in the text field:
- The code will not be executed because it will be saved as an escaped code, like this:
Now this code is displayed on the page It is safe online or by e-mail. When the user submits the form, we have to do two more things: 1. (Through the PHP trim() function) Remove unnecessary characters (extra spaces) in the user input data , tab character, newline) 2. (Through PHP stripslashes() function) Remove backslashes (\) in user input data Next we create a check function (similar to This is more efficient than writing code over and over again). We named the function test_input(). Now, we can check each $_POST variable through the test_input() function, the script is like this:
Example
您输入的内容是:"; echo $name; echo "PHP中文网(php.cn) PHP 表单验证实例
"; echo $email; echo "
"; echo $website; echo "
"; echo $comment; echo "
"; echo $gender; ?> Let’s run the program and see
Note: When we execute the above script, we will use $_SERVER["REQUEST_METHOD"] to detect whether the form has been submitted. If REQUEST_METHOD is POST, the form will be submitted - and the data will be validated. If the form is not submitted validation will be skipped and displayed blank.
The use of input items in the above examples is optional, and it can be displayed normally even if the user does not enter any data.
In the next chapter we will introduce how to verify the data entered by the user.
![Front-end Vue3 actual combat [handwritten vue project]](https://img.php.cn/upload/course/000/000/068/639b12e98e0b5441.png)
![APIPOST tutorial [Popularization of technical concepts related to network communication]](https://img.php.cn/upload/course/000/000/068/63996f34c6c94370.png)
