
Validating Forms

As our first project, I'll show how to validate a form. I'll use a simple contact form for this demonstration.

Basic Form

First let's create a form that allows our users to enter data. It will contain simple information like name, comment, email, and website. The file name must match the form's action, because the form posts back to the same script that displays it.

<form action="form.php" method="post">
<label for="name">Name:</label><input id="name" type="text" name="name" />
<label for="website">Website:</label><input id="website" type="text" name="website" />
<label for="email">Email:</label><input id="email" type="text" name="email" />
<label for="comment">Comment:</label><textarea id="comment" name="comment"></textarea>
<input type="submit" name="submit" value="submit"/>
</form>

Collect the data and validate it

Now this is where the if statement and regular expressions really shine. First let's tell PHP to do something after someone submits the form.

<?php
if (isset($_POST['submit'])) {
}
?>

To make things a bit simpler, put all the data into variables.

$name = $_POST['name'];
$website = $_POST['website'];
$email = $_POST['email'];
$comment = $_POST['comment'];

Now let's start the validation. In order to validate, you need to think of everything that can go wrong. Think of everything that the field can't be. The name can't be empty, the website can't be empty, the website can't be in an unknown format, the email can't be empty, the email can't be in an unknown format, the comment can't be empty. If it all checks out, then do something.

if (empty($name)) {
  echo 'name is empty';
} else if (empty($website)) {
  echo 'website is empty';
// anchored with ^ and $ so the whole value must match, not just a substring of it
} else if (!preg_match("/^https?:\/\/(www\.)?[a-zA-Z0-9_-]+\.[a-zA-Z]+(\/.*)?$/i",$website)) {
  echo 'website in invalid format';
} else if (empty($email)) {
  echo 'email is empty';
} else if (!preg_match("/^[a-zA-Z0-9_-]+@[a-zA-Z]+\.[a-zA-Z]+$/i",$email)) {
  echo 'email in invalid format';
} else if (empty($comment)) {
  echo 'comment is empty';
} else {
  // do something with the data
}

The final product

This is what the final code looks like. Be sure to do something with the data after you finish the validation. Save the file as form.php, upload it to your web server, and test it out.

<?php
if (isset($_POST['submit'])) {
  $name = $_POST['name'];
  $website = $_POST['website'];
  $email = $_POST['email'];
  $comment = $_POST['comment'];

  if (empty($name)) {
    echo 'name is empty';
  } else if (empty($website)) {
    echo 'website is empty';
  // anchored with ^ and $ so the whole value must match, not just a substring of it
  } else if (!preg_match("/^https?:\/\/(www\.)?[a-zA-Z0-9_-]+\.[a-zA-Z]+(\/.*)?$/i",$website)) {
    echo 'website in invalid format';
  } else if (empty($email)) {
    echo 'email is empty';
  } else if (!preg_match("/^[a-zA-Z0-9_-]+@[a-zA-Z]+\.[a-zA-Z]+$/i",$email)) {
    echo 'email in invalid format';
  } else if (empty($comment)) {
    echo 'comment is empty';
  } else {
    echo 'validation works';
  }
}
?>

<form action="form.php" method="post">
<label for="name">Name:</label><input id="name" type="text" name="name" />
<label for="website">Website:</label><input id="website" type="text" name="website" />
<label for="email">Email:</label><input id="email" type="text" name="email" />
<label for="comment">Comment:</label><textarea id="comment" name="comment"></textarea>
<input type="submit" name="submit" value="submit"/>
</form>

It validates but is it secure?

Nope. The way it is now, you're begging for an injection attack: the checks above only confirm the format of each field, they do not make the data safe to reuse. Use mysql_real_escape_string on each value before putting it into a MySQL query and htmlspecialchars before echoing it into a page. I'll talk about injections in a later tutorial but keep in mind that you should always filter user submitted data.
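As an added example (not the tutorial's own code), here is the same validation written as a function that collects every error, with anchored patterns and filter_var() as a second check, a PDO prepared statement in place of mysql_real_escape_string (which was removed along with the mysql extension in PHP 7), and htmlspecialchars() on output. The contact table, the DSN and the credentials are placeholders.

```php
<?php
// Added example, not the tutorial's own code. Same checks as the tutorial,
// but patterns are anchored (^...$) so the whole value must match, filter_var()
// gives a second opinion, and the result is a list of errors plus trimmed values.
// The contact table and the PDO DSN/credentials below are placeholders.

function validate_contact(array $post): array
{
    $v = [];
    foreach (['name', 'website', 'email', 'comment'] as $f) {
        $v[$f] = trim((string)($post[$f] ?? ''));   // a missing field counts as empty
    }
    $errors = [];
    if ($v['name'] === '') {
        $errors[] = 'name is empty';
    }
    if ($v['website'] === '') {
        $errors[] = 'website is empty';
    } elseif (!preg_match('#^https?://(www\.)?[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}(/\S*)?$#i', $v['website'])
              || filter_var($v['website'], FILTER_VALIDATE_URL) === false) {
        $errors[] = 'website in invalid format';
    }
    if ($v['email'] === '') {
        $errors[] = 'email is empty';
    } elseif (!preg_match('/^[a-z0-9._%+-]+@[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$/i', $v['email'])
              || filter_var($v['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email in invalid format';
    }
    if ($v['comment'] === '') {
        $errors[] = 'comment is empty';
    }
    return [$v, $errors];
}

if (isset($_POST['submit'])) {
    [$values, $errors] = validate_contact($_POST);
    if ($errors) {
        foreach ($errors as $msg) {
            echo '<p>' . $msg . '</p>';
        }
    } else {
        // Bound parameters instead of string escaping: the data never becomes part of the SQL text
        $pdo  = new PDO('mysql:host=localhost;dbname=placeholder', 'user', 'password');
        $stmt = $pdo->prepare('INSERT INTO contact (name, website, email, comment) VALUES (?, ?, ?, ?)');
        $stmt->execute([$values['name'], $values['website'], $values['email'], $values['comment']]);
        // Escape on output so any markup in the name is shown as text, not rendered
        echo 'Thanks, ' . htmlspecialchars($values['name'], ENT_QUOTES, 'UTF-8');
    }
}
```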

Well that's all for this lesson. Try to make your own form and use different patterns. Tune in this time next week for another exciting tutorial.

Category: PHP

