PHP Form Validation
In this chapter we will introduce how to use PHP to verify form data submitted by the client.
User input should be validated (via client script) whenever possible. Browser validation is faster and reduces the load on the server.
If user input needs to be inserted into the database, you should consider using server validation. A good way to validate a form on the server is to pass the form to itself, rather than jumping to a different page. This way users can get error messages on the same form page. It will be easier for users to find errors.
We need to consider security when processing PHP forms.
In this chapter we will demonstrate the secure processing of PHP form data. In order to prevent hackers and spam, we need to perform data security verification on the form.
PHP form validation example
The above form uses the following validation rules:
First let's take a look at the pure HTML code of this form:
Text field
name, email and website are text input elements, and the comment field is a text area. The HTML code is like this:
Name: <input type="text" name="name">
E-mail: <input type="text" name="email">
Website: <input type="text" name="website">
Comment: <textarea name="comment" rows="5" cols="40"></textarea>
Radio button
The gender field is a radio button. The HTML code is like this:
Gender: <input type="radio" name="gender" value="female">Female
<input type="radio" name="gender" value="male">Male
Form element
The HTML code for the form is like this:
<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
When this form is submitted, the form data is sent via method="post".
What is the $_SERVER["PHP_SELF"] variable?
$_SERVER["PHP_SELF"] is a superglobal variable that returns the file name of the currently executing script. Therefore, $_SERVER["PHP_SELF"] sends the form data to the page itself instead of jumping to another page. In this way, users get error messages on the same form page.
What is the htmlspecialchars() function?
The htmlspecialchars() function converts special characters into HTML entities. This means that HTML characters like < and > are replaced with &lt; and &gt;. This prevents attackers from exploiting the code by injecting HTML or JavaScript into the form (cross-site scripting attacks).
Important Tips About PHP Form Security
The $_SERVER["PHP_SELF"] variable can be exploited by hackers! If your page uses PHP_SELF, a user can append a slash (/) followed by cross-site scripting (XSS) code to the URL and have it executed.
Tip: Cross-site scripting (XSS) is a type of computer security vulnerability that is common in web applications. XSS enables an attacker to enter client-side script into web pages viewed by other users.
Suppose we have a page named "test_form.php" with the following form:
<form method="post" action= "<?php echo $_SERVER["PHP_SELF"];?>">
Now, if the user enters the normal URL in the address bar, "http://www.php.cn/test_form.php", the above code will be converted to:
<form method="post" action="test_form.php">
So far, everything is normal.
However, if the user types the following URL in the address bar:
//m.sbmmt.com/test_form.php/%22%3E%3Cscript%3Ealert('php ')%3C/script%3E
In this case, the above code will be converted to:
<form method="post" action="test_form.php/"><script>alert('php')</script>
This code adds a script and an alert command. When the page loads, the JavaScript is executed (the user sees an alert box). This is just a simple and harmless example of how the PHP_SELF variable can be exploited.
You should realize that any JavaScript code can be placed inside the <script> tag! An attacker can redirect users to a file on another server, and malicious code in that file can change global variables or submit the form to a different address in order to capture user data, etc.
How to prevent $_SERVER["PHP_SELF"] from being exploited?
Using the htmlspecialchars() function prevents $_SERVER["PHP_SELF"] from being exploited.
The form code is like this:
<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
The htmlspecialchars() function converts special characters into HTML entities. Now, if the user attempts to exploit the PHP_SELF variable, it results in the following output, where the injected quote and tags are encoded and stay inside the action attribute:
<form method="post" action="test_form.php/&quot;&gt;&lt;script&gt;alert('php')&lt;/script&gt;">
The exploit attempt fails, and no harm is done!
The same applies to the form fields themselves: if a user submits the following in a text field:
<script>location.href('//m.sbmmt.com')</script>
it is stored as HTML-escaped code after passing through htmlspecialchars(), so it is safe to display on a page or inside an e-mail.
When the user submits the form, we have to do two more things:
1. Remove unnecessary characters (extra spaces, tabs, newlines) from the user input data, using the PHP trim() function.
2. Remove backslashes (\) from the user input data, using the PHP stripslashes() function.
Next we create a check function (this is more efficient than writing the same code over and over again).
We name the function test_input().
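As an added example (not the page's own code), here is a self-submitting form that combines the steps above: htmlspecialchars() on PHP_SELF, and a test_input() helper that applies trim(), stripslashes() and htmlspecialchars() to every submitted field. Field names match the page's form; the ENT_QUOTES flag is an assumption of this example so that single quotes inside attribute values are encoded too.

```php
<?php
// Added example, not the page's own code: a form that posts to itself and
// cleans every submitted field before it is echoed back into the page.

function test_input(string $data): string
{
    $data = trim($data);          // drop surrounding spaces, tabs and newlines
    $data = stripslashes($data);  // drop backslashes (only matters if input was pre-escaped)
    // Encode < > & " and ' so the value cannot break out of an HTML context.
    return htmlspecialchars($data, ENT_QUOTES, 'UTF-8');
}

// One entry per form field; all start empty until the form is submitted.
$fields = ['name' => '', 'email' => '', 'website' => '', 'gender' => '', 'comment' => ''];

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    foreach (array_keys($fields) as $key) {
        // Missing fields (e.g. no radio button chosen) default to an empty string.
        $fields[$key] = test_input($_POST[$key] ?? '');
    }
}
?>
<!-- PHP_SELF is encoded so a crafted path cannot close the action attribute. -->
<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>">
  Name: <input type="text" name="name" value="<?php echo $fields['name']; ?>"><br>
  E-mail: <input type="text" name="email" value="<?php echo $fields['email']; ?>"><br>
  Website: <input type="text" name="website" value="<?php echo $fields['website']; ?>"><br>
  Comment: <textarea name="comment" rows="5" cols="40"><?php echo $fields['comment']; ?></textarea><br>
  Gender:
  <input type="radio" name="gender" value="female" <?php if ($fields['gender'] === 'female') echo 'checked'; ?>>Female
  <input type="radio" name="gender" value="male" <?php if ($fields['gender'] === 'male') echo 'checked'; ?>>Male<br>
  <input type="submit" value="Submit">
</form>

<?php if ($_SERVER['REQUEST_METHOD'] === 'POST'): ?>
<h2>Your Input:</h2>
<?php
// Values were already encoded by test_input(), so they are safe to echo here.
foreach ($fields as $key => $value) {
    echo ucfirst($key) . ': ' . $value . '<br>';
}
?>
<?php endif; ?>
```

Submitting a comment such as the <script> example above now renders as literal text instead of running, because test_input() encoded it before it was echoed.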