There's a vital need to validate user inputs in PHP - to make sure that users have put something sensible into the boxes on your forms. And there are multiple ways of doing this:
a) You can check the incoming strings against regular expressions. In the old days you may have used the ereg functions, but these days you would use the preg functions - slightly more complex, but more powerful and quicker - and the ereg functions have been deprecated. Using regular expressions, you define for yourself what a particular string should look like, so you have great flexibility.
b) From PHP 5.2, you can use the filter_var function to filter what's in a variable. It returns FALSE if there's no match, or the value that the variable contains if it does match. For example, "does $sample contain an integer?":
$result = filter_var($sample, FILTER_VALIDATE_INT);
And (sample program [here]) you get results like:
Looking at 404
Integer result - 404
int(404)
and
Looking at Graham Ellis
NOT an Integer
bool(false)
c) If you're using the Zend Framework, there's a validation element available within each form component / widget, and you can use that to check whether the form has been validly filled in.
So - which of these should you use? If you're using the MVC (Model View Controller) approach, using the Zend Framework, then it's logical to use the functions that are provided by the framework. For major systems, some sort of framework is an excellent idea - whether you use Zend, one of the others, or routines that you write yourself (your own framework) is up to you. If you use your own, then you'll be coding one of the other two options, once only, within your own framework setup as part of your standard.
filter_var is an excellent tool to use for checking specific types - email addresses, integers, IP addresses and the like; they're coded into PHP's functions, so you can save yourself a great deal of work in formulating regular expressions, and you know they'll be updated and maintained with future releases as standards may change, rather than you having to update regular expressions yourself.
For the application-specific cases (and those include things like UK postcodes), you can either use the preg routines directly, or you can flag filter_var to work with regular expressions and pass them in.
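An added example (not code from the article) that carries the filter_var approach through the built-in types named above and then does one application-specific check, a postcode, both by passing a regular expression into filter_var and by calling preg_match directly. It assumes PHP 7.1 or later, and the postcode pattern is a simplified, assumed one rather than the full UK rules.

```php
<?php
// Added example: filter_var for built-in types, then one application-
// specific format checked both via FILTER_VALIDATE_REGEXP and preg_match.
// Assumes PHP 7.1+ (nullable return types).

// filter_var returns false on failure, so test with ===: a legitimate
// input of 0 would otherwise be mistaken for "not an integer".
function checkInt(string $raw): ?int {
    $value = filter_var($raw, FILTER_VALIDATE_INT);
    return $value === false ? null : $value;
}

function checkEmail(string $raw): ?string {
    $value = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $value === false ? null : $value;
}

function checkIp(string $raw): ?string {
    $value = filter_var($raw, FILTER_VALIDATE_IP);
    return $value === false ? null : $value;
}

// Simplified postcode pattern, assumed for illustration (not the official rules).
const POSTCODE_PATTERN = '/^[A-Z]{1,2}[0-9][0-9A-Z]? [0-9][A-Z]{2}$/';

// Same pattern, passed in to filter_var ...
function checkPostcodeFilter(string $raw): ?string {
    $value = filter_var(strtoupper(trim($raw)), FILTER_VALIDATE_REGEXP,
        ['options' => ['regexp' => POSTCODE_PATTERN]]);
    return $value === false ? null : $value;
}

// ... and used directly with preg_match.
function checkPostcodePreg(string $raw): ?string {
    $value = strtoupper(trim($raw));
    return preg_match(POSTCODE_PATTERN, $value) === 1 ? $value : null;
}

// Constructed sample inputs, as a form might submit them.
foreach (['404', '0', '4.2', 'Graham Ellis', 'someone@example.com',
          '192.0.2.1', ' sn12 6qw '] as $sample) {
    printf("%-20s int:%s email:%s ip:%s postcode:%s/%s\n", $sample,
        var_export(checkInt($sample), true), var_export(checkEmail($sample), true),
        var_export(checkIp($sample), true), var_export(checkPostcodeFilter($sample), true),
        var_export(checkPostcodePreg($sample), true));
}
```

Each checker returns null on failure rather than false, so a valid "0" (which filter_var returns as int 0) is not confused with a rejected input.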
(written 2012-11-18, updated 2012-11-24)