Validate form data

         

Ann_G

2:40 am on Mar 23, 2005 (gmt 0)

10+ Year Member



I've seen so many different ways of validating form data, I'm confused. If I want to validate my form data but don't care to post a reply message if no data is entered in a field, would this be ok?

// Check for name.
if (isset($_POST['name'])) {
    $name = $_POST['name'];
}
else {
    // Field was not submitted: fall back to an empty string.
    $name = '';
}

StupidScript

10:24 pm on Mar 23, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Sure, why not?

You're not exactly "validating" the form, rather you are assigning a value to a parameter when the user did not indicate one. "Validation" means checking to see that all required/desired fields have been filled before the form is processed.

You can do that at the client using JavaScript or some client-side process, or you can do it at your server (as you are).

In either case, the point of "validation" is to keep bad or nonexistent data out of your processing routine (database, etc.). If you choose to accept an "invalid" form and then parse and fix the input before processing it, then power to ya! :)

dreamcatcher

11:05 pm on Mar 23, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



One other thing is, it's useful to use trim() when receiving form data. If you don't, then someone could for example just hit the space bar in a form field and use whitespace to execute the code. However, if you aren't doing error checking, unnecessary really. LOL!

I would agree with StupidScript, do some client checking at least.

dc

Ann_G

11:56 pm on Mar 23, 2005 (gmt 0)

10+ Year Member



I guess I'm still a bit confused. Do you mean I would have to do something like this to validate? I'm not sure where I would add the trim function.

// Check for name.
if (isset($_POST['name'])) {
    $name = $_POST['name'];
}
else {
    $name = 'FALSE';
    echo 'Please enter a name';
}

// Strip leading and trailing whitespace.
$name = trim($name);

Would it be better to use this instead of isset?

// Check for name.
if (empty($_POST['name'])) {
    $name = 'FALSE';
    echo 'Please enter a name';
}
else {
    $name = $_POST['name'];
}

ironik

11:59 pm on Mar 23, 2005 (gmt 0)

10+ Year Member



Gonna throw my 2 cents in. Use both client side and server side validation for your forms. Client side can be overridden easily by the user so it should only be used to reduce the load on your hosting server (doesn't have to reload the page every time someone makes a mistake). Server side validation can't be overridden by the user and should be the validation you use before taking any action on foreign data.

I'd avoid using only client side as you're leaving yourself open to security exploits.

ironik

12:08 am on Mar 24, 2005 (gmt 0)

10+ Year Member



If you know for sure that a variable exists then empty() can be quite a useful function as it tests for an existing variable that does not contain any information (which can be null, "", array() or whatever).

If you use the trim function it removes white space from before and after a string. If someone has entered a single white space " " then I don't think the empty function will return true, as there is a character in there. Better to trim it, or also to test for the string length of your post variable to make sure someone has entered some data.

I've changed the code a little:


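// Check for name.
// Guard with isset() so a missing field does not raise an undefined-index notice.
$name = isset($_POST['name']) ? trim($_POST['name']) : '';
if (empty($name)) {
    $name = FALSE;
    echo 'Please enter a name';
}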
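
The server-side check discussed in the posts above, written out as an added example that is not part of the original thread. It assumes PHP 7.1 or later; validate_name(), the 100-character limit and the sample submissions are hypothetical and constructed for illustration.

```php
<?php
// Added example: server-side check of a single "name" field.
// validate_name() and the 100-character limit are assumptions, not from the thread.

function validate_name(array $post): array
{
    // A missing field, or an array such as name[]=x, is not a usable string.
    // Passing an array to trim() would raise an error instead of a clean rejection.
    if (!isset($post['name']) || !is_string($post['name'])) {
        return [false, 'Please enter a name'];
    }

    // Remove leading and trailing whitespace before any other test.
    $name = trim($post['name']);

    // Compare against '' instead of calling empty(): empty('0') is true,
    // so empty() would reject the literal input "0".
    if ($name === '') {
        return [false, 'Please enter a name'];
    }

    // Assumed upper bound so oversized input never reaches later processing.
    if (strlen($name) > 100) {
        return [false, 'Name is too long'];
    }

    return [true, $name];
}

// Constructed sample submissions standing in for $_POST.
$samples = [
    'missing field'   => [],
    'whitespace only' => ['name' => "   \t"],
    'array input'     => ['name' => ['x']],
    'padded value'    => ['name' => '  Ann  '],
    'literal zero'    => ['name' => '0'],
];

foreach ($samples as $label => $post) {
    [$ok, $value] = validate_name($post);
    printf("%-16s %s %s\n", $label, $ok ? 'OK  ' : 'FAIL', var_export($value, true));
}
```

The value returned here has been validated, not escaped; escaping still belongs at the point where the name is written into HTML or a query.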

Ann_G

1:27 am on Mar 24, 2005 (gmt 0)

10+ Year Member



Thanks very much. I'll try it.

dreamcatcher

8:47 am on Mar 24, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Thanks ironik. Sorry I wasn't a little clearer. It's a useful little function that I always use when processing form data. You can also use ltrim() which strips whitespace from the beginning of the string only. And likewise rtrim() or chop() strips whitespace from the beginning of a string.

dc

Ann_G

4:46 pm on Mar 24, 2005 (gmt 0)

10+ Year Member



Thanks again to all of you. I put in the escape and trim functions like you said and it works fine.