PHP Forms Validating Form Input: Required Fields - Supercoders | Web Development and Design | Tutorial for Java, PHP, HTML, Javascript

Saturday, June 1, 2019

PHP Forms Validating Form Input: Required Fields

PHP Forms

Validating Form Input: Required Fields

Problem

You want to make sure a value has been supplied for a form element. For example, you want to make sure a text box hasn’t been left blank.

Solution

Example: Testing a required field

        // filter_has_var() is true only if 'flavor' was present in the POST body
        if (! filter_has_var(INPUT_POST, 'flavor')) {
            print 'You must enter your favorite ice cream flavor.';
        }

Discussion

The filter_has_var() function examines input as received by PHP, before any possible modification by your code: it reads the original request data, not the $_POST superglobal, so assignments to $_POST are invisible to it and it always returns false under the command-line SAPI, where there is no request. Consistent use of the various filter functions, explained in this chapter, ensures you treat user input with the proper validation and sanitization. The first argument to filter_has_var() tells it where to look. INPUT_POST examines POST data in the request body. The other possible values are INPUT_GET (query string variables), INPUT_COOKIE (cookies), INPUT_SERVER (server information that ends up in $_SERVER), and INPUT_ENV (environment variables).

Different types of form elements cause different types of behavior in GET and POST data when left empty. Blank text boxes, text areas, and file-upload boxes result in elements whose value is a zero-length string. Unchecked checkboxes and radio buttons don’t produce any elements in GET or POST data. Browsers generally force a selection in a drop-down menu that only allows one choice, but drop-down menus that allow multiple choices and have no choices selected act like checkboxes—they don’t produce any elements in GET or POST data.

What’s worse, requests don’t have to come from web browsers. Your PHP program may receive a request from another program, a curious hacker constructing requests by hand, or a malicious attacker building requests in an attempt to find holes in your system. Such a request can omit fields a browser always sends, or send a field in the wrong shape: flavor[]=mint turns a text box into an array. To make your code as robust as possible, always check that a particular element exists in the appropriate set of input data before applying other validation strategies to the element. Additionally, if the validation strategy assumes that the element is an array of values, ensure that the value really is an array by using the FILTER_REQUIRE_ARRAY filter flag; conversely, where you expect a single value, reject arrays with FILTER_REQUIRE_SCALAR, since string functions such as strlen() throw a TypeError when handed an array in PHP 8.

Example: Strict form validation

        // Making sure $_POST['flavor'] exists before checking its length
        if (! (filter_has_var(INPUT_POST, 'flavor') &&
               (strlen(filter_input(INPUT_POST, 'flavor')) > 0))) {
            print 'You must enter your favorite ice cream flavor.';
        }

        // $_POST['color'] is optional, but if it's supplied, it must be
        // more than 5 characters after being sanitized
        if (filter_has_var(INPUT_POST, 'color') &&
            (strlen(filter_input(INPUT_POST, 'color', FILTER_SANITIZE_STRING)) <= 5)) {
            print 'Color must be more than 5 characters.';
        }

        // Making sure $_POST['choices'] exists and is an array
        if (! (filter_has_var(INPUT_POST, 'choices') &&
               filter_input(INPUT_POST, 'choices', FILTER_DEFAULT,
                            FILTER_REQUIRE_ARRAY))) {
            print 'You must select some choices.';
        }

Calling filter_input() with only two arguments applies the default filter (FILTER_DEFAULT, an alias for FILTER_UNSAFE_RAW), which does not modify any of the input data; nothing is done to transform a submitted flavor value. filter_input() returns null when the variable is absent and false when the filter fails (for instance when a scalar was expected but an array arrived), which is why the existence check comes first. The FILTER_SANITIZE_STRING filter, used against a submitted color, strips HTML tags and HTML-encodes single and double quotes; it encodes ampersands only when combined with FILTER_FLAG_ENCODE_AMP, and removes characters outside printable ASCII only with FILTER_FLAG_STRIP_LOW and FILTER_FLAG_STRIP_HIGH. Because the length test runs on the sanitized result, it is the tag-free length that is compared with 5. Note that FILTER_SANITIZE_STRING is deprecated as of PHP 8.1; in new code, validate the raw value here and escape with htmlspecialchars() at output time. The FILTER_DEFAULT filter, applied to choices, is a way of explicitly specifying the default filter. This is needed in the last part because, as a filter flag, FILTER_REQUIRE_ARRAY must go in the fourth argument to filter_input(), and the third argument cannot be skipped.

In a moment of weakness, you may be tempted to use empty() instead of strlen() to test if a value has been entered in a text box; it is tempting because empty() also tolerates a missing array key without a warning. Succumbing to such weakness leads to problems, since the one-character string "0" is false according to the rules of PHP’s boolean conversion. This could lead to broken form validation if, for example, someone types 0 into a text box named children, causing $_POST['children'] to contain the string "0". Then empty($_POST['children']) is true, which, from a form validation perspective, is wrong: a value was supplied. strlen('0') is 1, so the strlen() test gets this case right.
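The following is an added example, not code from the recipe above. It re-implements the same three checks (required text box, optional text box with a minimum length, required multi-select) as one function that takes the form data as an array, so the logic can be exercised from the command line with constructed input. filter_has_var() and filter_input() read the raw request and return nothing under php-cli, whereas filter_var() applies the same filters and flags to any value you hand it; in a real request you would call the function with $_POST. The function name validateForm, the error messages and the sample submissions are assumptions made for this example.

```php
<?php
// Added example (not from the original recipe): the recipe's three checks
// written against a plain array so they can be run from the CLI. In a real
// request, call validateForm($_POST). Names and messages are our own.
declare(strict_types=1);

/**
 * Validate the ice-cream form. Returns a list of error strings, empty on success.
 */
function validateForm(array $data): array
{
    $errors = [];

    // Required text box. A hand-built request can omit the key, send an array
    // (flavor[]=mint) instead of a string, or send a zero-length string.
    // FILTER_REQUIRE_SCALAR makes filter_var() return false for the array
    // case, and strlen() rather than empty() keeps the string "0" valid.
    $flavor = array_key_exists('flavor', $data)
        ? filter_var($data['flavor'], FILTER_DEFAULT, FILTER_REQUIRE_SCALAR)
        : null;
    if (!is_string($flavor) || strlen($flavor) === 0) {
        $errors[] = 'You must enter your favorite ice cream flavor.';
    }

    // Optional text box: absent is fine; if present it must be a scalar of
    // more than 5 characters. Nothing is sanitized here; the value is only
    // validated, and HTML escaping belongs at output time (htmlspecialchars()).
    if (array_key_exists('color', $data)) {
        $color = filter_var($data['color'], FILTER_DEFAULT, FILTER_REQUIRE_SCALAR);
        if (!is_string($color) || strlen($color) <= 5) {
            $errors[] = 'Color must be more than 5 characters.';
        }
    }

    // Required multi-select: must exist and must really be an array. With
    // FILTER_REQUIRE_ARRAY, filter_var() returns false for a scalar
    // (choices=cone) and otherwise applies the filter to every element.
    $choices = array_key_exists('choices', $data)
        ? filter_var($data['choices'], FILTER_DEFAULT, FILTER_REQUIRE_ARRAY)
        : false;
    if (!is_array($choices) || count($choices) === 0) {
        $errors[] = 'You must select some choices.';
    }

    return $errors;
}

// Constructed sample submissions, including shapes a browser never produces.
$cases = [
    'browser, all good'    => ['flavor' => 'mint', 'color' => 'turquoise', 'choices' => ['cone', 'cup']],
    '"0" is a value'       => ['flavor' => '0', 'choices' => ['cone']],
    'blank flavor'         => ['flavor' => '', 'choices' => ['cone']],
    'flavor sent as array' => ['flavor' => ['mint'], 'choices' => ['cone']],
    'choices sent scalar'  => ['flavor' => 'mint', 'choices' => 'cone'],
    'short color'          => ['flavor' => 'mint', 'color' => 'red', 'choices' => ['cone']],
    'nothing submitted'    => [],
];

foreach ($cases as $name => $post) {
    $errors = validateForm($post);
    printf("%-22s %s\n", $name, $errors ? implode(' | ', $errors) : 'OK');
}
```

Run it with `php validate.php` (any file name will do). The first two cases pass, including the flavor "0" that empty() would have rejected; the array-for-string and string-for-array cases fail on the type check rather than reaching strlen() or a foreach over a scalar, which is the failure mode the discussion warns about.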
