minimum validation required on forms?

am 10.04.2008 16:28:41 von Claudio Lanzi

I am re-working my html/php forms, and am finding a lot of
semi-contradictory information on validation.

Here's the way I intend to handle forms:

1 - display form
2 - accept submission and validate
3 - redisplay indicating errors and populating form fields
with data previously submitted
4 - repeat as needed
5 - process data

I'm doing everything in php as I can't rely on users having javascript
enabled.

In the validation phase I can create routines to check for digits,
alpha, empty etc. I am using htmlentities() on data to be redisplayed,
and html_entity_decode() to clean data up for e-mailing, processing, or
storing. I should mention I'm using session variables to prevent
spoofing, but is there some extra step I should perform to prevent
malicious mischief?

While we're on the subject, can anyone give me any good arguments on
using ereg or preg functions?
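One way to implement the five steps above entirely in PHP, as an added example that is not from the thread: it validates on the server, repopulates each field and shows its error, checks a session token, and escapes only when redisplaying, so the raw value is kept for processing and no html_entity_decode() round trip is needed. Assumes PHP 7.4+ and invented field names (name, age, email).

```php
<?php
// Added example, not from the thread: the display -> validate -> redisplay
// cycle described in the post, done entirely server-side (PHP 7.4+). Assumes
// a CSRF token is kept in $_SESSION['form_token'] from the first render.
session_start();
function validate_contact(array $in): array {
    $errors = [];
    $name = trim($in['name'] ?? '');
    if ($name === '' || strlen($name) > 100) {
        $errors['name'] = 'Name is required (max 100 characters).';
    }
    // digits only, then a range check on the integer value
    $age = trim($in['age'] ?? '');
    if (!ctype_digit($age) || (int)$age < 1 || (int)$age > 150) {
        $errors['age'] = 'Age must be a whole number between 1 and 150.';
    }
    if (filter_var(trim($in['email'] ?? ''), FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Enter a valid e-mail address.';
    }
    return $errors;
}
// Escape for the HTML context at output time only; raw values stay raw for processing/storage.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
$data   = ['name' => '', 'age' => '', 'email' => ''];
$errors = [];
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $sent = is_string($_POST['token'] ?? null) ? $_POST['token'] : '';
    if (!isset($_SESSION['form_token']) || !hash_equals($_SESSION['form_token'], $sent)) {
        $errors['token'] = 'Form token missing or stale; please resubmit.';
    }
    // only the expected fields, and only as strings (name[]=x would arrive as an array)
    foreach ($data as $f => $_) $data[$f] = is_string($_POST[$f] ?? null) ? $_POST[$f] : '';
    $errors += validate_contact($data);
    if (!$errors) {
        exit('Thanks!'); // step 5: process the raw, validated $data here
    }
}
$_SESSION['form_token'] ??= bin2hex(random_bytes(16));
?>
<form method="post">
<input type="hidden" name="token" value="<?= h($_SESSION['form_token']) ?>">
<?= isset($errors['token']) ? '<em>' . h($errors['token']) . '</em>' : '' ?>
<?php foreach ($data as $f => $v): ?>
  <label><?= h($f) ?> <input name="<?= h($f) ?>" value="<?= h($v) ?>"></label>
  <?= isset($errors[$f]) ? '<em>' . h($errors[$f]) . '</em>' : '' ?>
<?php endforeach; ?>
<button>Submit</button>
</form>
```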

Re: minimum validation required on forms?

am 10.04.2008 22:38:49 von colin.mckinnon

On 10 Apr, 15:28, William Gill wrote:
> I am re-working my html/php forms, and am finding a lot of
> semi-contradictory information on validation.
>
> Here's the way I intend to handle forms:
>
> 1 - display form
> 2 - accept submission and validate
> 3 - redisplay indicating errors and populating form fields
> with data previously submitted
> 4 - repeat as needed
> 5 - process data
>
> I'm doing everything in php as I can't rely on users having javascript
> enabled.
>
> In the validation phase I can create routines to check for digits,
> alpha, empty etc. I am using htmlentities() on data to be redisplayed,
> and html_entity_decode() to clean data up for e-mailing, processing, or
> storing. I should mention I'm using session variables to prevent
> spoofing, but is there some extra step I should perform to prevent
> malicious mischief?
>
> While we're on the subject, can anyone give me any good arguments on
> using ereg or preg functions?

Regular expressions are by far the most effective way to ensure your
input matches a template - that's why nearly every programming language
implements them. You play with regexes in PHP, Perl, Awk, C, C++,
Visual BASIC, Javascript, Java, SQL, Python, Ruby and more.

You don't even need to be brilliant at understanding the syntax - you
can also google for what other people have published to find more
complex things like UK national insurance numbers, email addresses,
ISBN numbers....here's a fairly complete example for checking an email
address:

[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?


I'd suggest sticking with preg - it's nearer to the regexes used in
Javascript and almost the same as Perl and awk. The regex language it
uses has greater functionality than POSIX regexes (something to do with
negative look-ahead assertions). ISTR reading something about ereg's
days being numbered as part of PHP.

C.
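Using the e-mail pattern posted above with preg_match(), as an added example that is not from the thread: the bare pattern is unanchored and lower-case only, so it is wrapped in delimiters, anchored with \A and \z, and given the i flag. The names $local, $domain, EMAIL_RE and is_email, and the test inputs, are mine.

```php
<?php
// Added example, not from the thread: the posted e-mail pattern used with
// preg_match(). Variable and function names here are my own.
$local  = "[a-z0-9!#$%&'*+/=?^_`{|}~-]+";   // one dot-separated label of the local part
$domain = '(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?';
// ',' is used as the delimiter because the pattern itself contains / # ~ % @ ! and {}.
// \A and \z anchor the whole input (the bare pattern only needs a substring to match);
// /i makes it case-insensitive, since the posted pattern lists lower-case letters only.
define('EMAIL_RE', ',\A' . $local . '(?:\.' . $local . ')*@' . $domain . '\z,i');

function is_email(string $s): bool {
    if (strlen($s) > 254) {        // bound the input before running the regex
        return false;
    }
    // preg_match() returns 1 on match, 0 on no match, false on error: only 1 counts
    return preg_match(EMAIL_RE, $s) === 1;
}

// Constructed inputs, not from the thread.
$cases = [
    'user.name+tag@example.co.uk'      => true,
    'User@Example.COM'                 => true,   // accepted only because of /i
    'user@localhost'                   => false,  // the domain part needs at least one dot
    "user@example.com\n"               => false,  // \z rejects the trailing newline that $ would allow
    'user@example.com<script>alert(1)' => false,  // an unanchored pattern would match a substring here
    '.user@example.com'                => false,  // local part may not start with a dot
];
foreach ($cases as $input => $expected) {
    $got = is_email($input);
    printf("%-40s %-7s %s\n", json_encode($input), $got ? 'valid' : 'invalid',
           $got === $expected ? '' : '<-- unexpected');
}
```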

Re: minimum validation required on forms?

am 11.04.2008 04:50:54 von Manuel Lemos

Hello,

on 04/10/2008 11:28 AM William Gill said the following:
> I am re-working my html/php forms, and am finding a lot of
> semi-contradictory information on validation.
>
> Here's the way I intend to handle forms:
>
> 1 - display form
> 2 - accept submission and validate
> 3 - redisplay indicating errors and populating form fields
> with data previously submitted
> 4 - repeat as needed
> 5 - process data
>
> I'm doing everything in php as I can't rely on users having javascript
> enabled.
>
> In the validation phase I can create routines to check for digits,
> alpha, empty etc. I am using htmlentities() on data to be redisplayed,
> and html_entity_decode() to clean data up for e-mailing, processing, or
> storing. I should mention I'm using session variables to prevent
> spoofing, but is there some extra step I should perform to prevent
> malicious mischief?

You may want to take a look at this forms generation and validation class:

http://www.phpclasses.org/formsgeneration

It works as you describe, but it can perform both client side and server
side types of validation by generating the necessary Javascript to
validate the form before submitting, and do the same validations with
the class code. Here is a generic example:

http://www.meta-language.net/forms-examples.html?example=test_form


--

Regards,
Manuel Lemos

PHP professionals looking for PHP jobs
http://www.phpclasses.org/professionals/

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/

Re: minimum validation required on forms?

am 11.04.2008 22:53:28 von lws4art

William Gill wrote:
> I am re-working my html/php forms, and am finding a lot of
> semi-contradictory information on validation.
>
> Here's the way I intend to handle forms:
>
> 1 - display form
> 2 - accept submission and validate
> 3 - redisplay indicating errors and populating form fields
> with data previously submitted
> 4 - repeat as needed
> 5 - process data
>
> I'm doing everything in php as I can't rely on users having javascript
> enabled.
>

You are correct not to rely on JavaScript for form validation. What I do
however is use JavaScript to do a "preflight" check, but rely on the PHP
to validate. JavaScript is not required, but if it is available it can
alert the user of their mistake right away, and they don't have to wait until
they post the form and have it thrown back at them with a "do over".

--
Take care,

Jonathan
-------------------
LITTLE WORKS STUDIO
http://www.LittleWorksStudio.com