PHP: Validation of User Data

Derek Bridge

Department of Computer Science,
University College Cork

PHP: Validation of User Data

Aims:

• to learn how to validate user data
• to get used to reading other people's code (which, in this case contains built-in functions, conditional statements, arrays, and programmer-defined functions)

Example form

<form action="process.php" method="get">
    <input type="text" name="firstname" maxlength="30" />
    <input type="text" name="surname" maxlength="30" />   
    <input type="submit" />
</form>

Example PHP script

<?php 
    require_once('output_functions.php');
    
    output_header('Now I know all about you', 'stylesheet.css');
        
    $firstname = $_GET['firstname'];
    $surname = $_GET['surname'];

    output_paragraph("Hello {$firstname} {$surname}");        
    
    output_footer('University College Cork');
?>

Validation of user's data

• Suppose both text fields are required: i.e. the user must supply a value
• A user who chooses not to supply a value might
  • leave a text field wholly empty or type one or more spaces into a text field
  • bypass the form, directly enter the URL, but leave out a name/value pair from the URL
  Class activity: Look at the URLs for these situations
• We must check for all of the above situations
• Class exercise: Also, even though maxlength="30", we must explicitly check for this too. Why?
• Note two different uses of the word 'validation' in CS1109:
  • validation of HTML and CSS
  • validation of user data

Some built-in functions

• Revision of some built-in functions
  • isset($v): returns true if $v is non-null; false otherwise
  • trim($s): strips leading and trailing spaces from string $s, e.g. trim(' Hugh ') returns 'Hugh'
  • strlen($s): returns the number of chars in string $s, e.g. strlen('abc') returns 3
• Ones you may see being used for data validation elsewhere: is_null, empty, is_int/ is_integer/ is_long, is_float/ is_double/ is_real, is_numeric

Checking firstname

• First we need to check whether the user has bypassed the form and left firstname out of the URL:

  $error = '';
  if ( ! isset($_GET['firstname']) )
  {
      $error = "Firstname is required";
  }

• Class exercise: Now check that the user hasn't left the field wholly blank or typed only spaces
• Class exercise: Finally check that the user hasn't exceeded 30 characters

Using functions

• After checking firstname, we need to check surname in a similar way
• Rather than repeat all this code, the obvious thing to do is define a function: see next slide
• If there is an error, the function puts an error message into the $errors array
• If there are no errors, it returns the value that the user entered into the text field
• We can place this function into a library, validation_functions.php

A function that checks required text fields

function get_required_string( &$user_data, $name, $label, $maxlength, &$errors )
{
    if ( ! isset($user_data[$name]) )
    {
        $errors[$name] = "{$label} is required";
        return NULL;
    }
    $value = trim($user_data[$name]);
    if ( $value == '' )
    {
        $errors[$name] = "{$label} is required";
        return NULL;
    }
    if ( strlen($value) > $maxlength  )
    {
        $errors[$name] = "{$label} must be {$maxlength} characters or less";
        return NULL;
    }
    return $value;
}

Rewritten version of the example PHP script from earlier

<?php 
    require_once('output_functions.php');
    require_once('validation_functions.php');
    
    output_header('Now I know all about you', 'stylesheet.css');
        
    $errors = array();
    $firstname = get_required_string( $_GET, 'firstname', 'Firstname', 30, $errors );
    $surname = get_required_string( $_GET, 'surname', 'Surname', 30, $errors );
    if ( count($errors) > 0 )
    {
        output_paragraph('You have errors!');
        output_unordered_list(array_values($errors));
    }
    else
    {
        output_paragraph("Hello {$firstname} {$surname}");
    }

    output_footer('University College Cork');
?>

A library for validating user data

• Take a look at the other functions in this library
• It contains functions to check all sorts of things, e.g. that the user has entered an integer in a certain range, or a float in a certain range,...

  $errors = array();
  $age = get_required_int( $_GET, 'age', 'Age', 3, $errors, 0, 120 );
  $weight_in_kg = get_required_float( $_GET, 'weight', 'Weight', $errors, 0, 500 );
  if ( count( $errors ) > 0 )
  {
  
  }
  else
  {
  
  }