
# PHP Form Validation

* * *

In this chapter, we will introduce how to use PHP to validate form data submitted by the client.

* * *

## PHP Form Validation

**Note:** We need to consider security when handling PHP forms. In this chapter, we will demonstrate secure handling of PHP form data. To prevent hackers and spam, we need to validate form data properly.

The HTML form introduced in this chapter contains the following input fields: required and optional text fields, radio buttons, and a submit button.

The form validation rules are as follows:

| Field | Validation Rule |
| --- | --- |
| Name | Required. Can only contain letters and spaces |
| E-mail | Required. Must be a valid email address (contains '@' and '.') |
| Website | Optional. If present, it must contain a valid URL |
| Comment | Optional. Multi-line input field (textarea) |
| Gender | Required. Must select one |

First, let's look at the pure HTML form code.

* * *

## Text Fields

The "Name", "E-mail", and "Website" fields are text input elements, and the "Comment" field is a textarea. When rendered, the form shows the labels `Name:`, `E-mail:`, `Website:` and `Comment:` next to their inputs.

* * *

## Radio Buttons

The "Gender" field is a pair of radio buttons, rendered as `Gender: Female Male`.

* * *

## Form Elements

The HTML form code is as follows:

```html
<form method="post" action="">
```

This form uses **method="post"** to submit its data.

**Note: What is the $_SERVER["PHP_SELF"] variable?** $_SERVER["PHP_SELF"] is a superglobal variable that returns the filename of the currently executing script, relative to the document root.

Therefore, using $_SERVER["PHP_SELF"] as the form action sends the form data to the current page, rather than redirecting to a different page.

**Note: What is the htmlspecialchars() function?** The htmlspecialchars() function converts some predefined characters to HTML entities. The predefined characters are:

* `&` (ampersand) becomes `&amp;`
* `"` (double quote) becomes `&quot;`
* `'` (single quote) becomes `&#039;` (only when the ENT_QUOTES flag is set; it is part of the default flags since PHP 8.1)
* `<` (less than) becomes `&lt;`
* `>` (greater than) becomes `&gt;`

* * *

## What to Watch Out for in PHP Forms?

The $_SERVER["PHP_SELF"] variable can be exploited by hackers! When a hacker attacks with a cross-site scripting link, the $_SERVER["PHP_SELF"] server variable can also have script injected into it. The reason is that the attacker's script is appended to the path of the executing file, so the $_SERVER["PHP_SELF"] string will contain the JavaScript code that follows the script name in the URL.

**Note:** XSS, also known as CSS (Cross-Site Script), is a cross-site scripting attack. Malicious attackers insert malicious HTML code into a Web page. When a user browses that page, the embedded HTML code within the Web page is executed, thereby achieving the attacker's specific purpose.

Suppose the form is saved in a file named "test_form.php":

```html
<form method="post" action="">
```

Now, we use the URL to specify the submission address as "test_form.php", and the above code is modified so that the action points at test_form.php. This is fine. However, consider that a user might enter an address in the browser's address bar that ends like this:

```
'hacked')%3C/script%3E
```

The above URL will be parsed into code containing the following, which is then executed:

```
alert('hacked')
```

A script tag has been added to the code, along with an alert command. When the page loads, this JavaScript code will be executed (the user will see a pop-up box). This is just a simple example to illustrate how the PHP_SELF variable can be exploited by hackers. Please note that **any JavaScript code can be added within the injected tags!** Hackers can use this to redirect the page to a page on another server. That page can contain malicious code which modifies global variables or captures the user's form data.

* * *

## How to Avoid $_SERVER["PHP_SELF"] Being Exploited?

$_SERVER["PHP_SELF"] can be protected from exploitation by using the htmlspecialchars() function. The form code is as follows:

```html
<form method="post" action="">
```

htmlspecialchars() converts some predefined characters to HTML entities. Now, if a user tries to exploit the PHP_SELF variable, the injected markup is output as escaped text instead of being parsed as HTML, and the attempt to exploit this vulnerability fails!

* * *

## Using PHP to Validate Form Data

First, we process all user-submitted data through PHP's htmlspecialchars() function. When we use the htmlspecialchars() function, if a user tries to submit the following text:

```
<script>location.href('')</script>
```

this code will not be executed, because it is saved as HTML-escaped text, as follows:

```
&lt;script&gt;location.href('')&lt;/script&gt;
```

The above text is safe and can be displayed normally on the page or inserted into an email.

When the user submits the form, we will do the following two things:

1. Use the PHP trim() function to remove unnecessary characters (such as spaces, tabs, newlines) from the user's input data.
2. Use the PHP stripslashes() function to remove backslashes (`\`) from the user's input data.

Next, let's put these filtering steps into a custom function of our own, which greatly improves code reusability. We name the function test_input().

Now, we can use the test_input() function to check all variables in $_POST.

## Example

Note that when executing the script, we check whether the form has been submitted via $_SERVER["REQUEST_METHOD"]. If REQUEST_METHOD is POST, the form has been submitted and the data is validated. If the form has not been submitted, validation is skipped and the fields are displayed empty. In this example, all inputs are optional, so the page displays normally even if the user does not enter any data. In the following chapters, we will introduce how to validate user input data.
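As an added example (not the tutorial's own code), here is the handler described above written out in full: test_input() as the text defines it, the rules from the validation table, and the escaped PHP_SELF form action. The helper names field() and validate(), the error messages, and the radio values 'female'/'male' are assumptions of this example.

```php
<?php
// Added example, not the tutorial's own code: test_input() as described above plus the
// rules from the validation table. field(), validate() and the messages are this example's.
// Fetch one POST field as a trimmed string ('' if missing or not a scalar).
function field(array $post, string $key): string
{
    $v = $post[$key] ?? '';
    return is_string($v) ? trim($v) : '';   // a name[]=x submission would otherwise be a TypeError
}
function test_input(string $data): string
{
    $data = trim($data);         // strip surrounding spaces, tabs, newlines
    $data = stripslashes($data); // legacy magic_quotes cleanup; also removes genuine backslashes
    // escape &, ", ', < and > so the value is safe to echo back into the page
    return htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
// Check raw (unescaped) values against the table; returns field => message.
function validate(array $post): array
{
    $errors = [];
    $name = field($post, 'name');
    if ($name === '' || !preg_match('/^[A-Za-z ]+$/', $name)) {
        $errors['name'] = 'Name is required and may contain only letters and spaces';
    }
    $email = field($post, 'email');
    if ($email === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'A valid e-mail address is required';
    }
    $website = field($post, 'website');   // optional: check only when something was entered
    if ($website !== '' && filter_var($website, FILTER_VALIDATE_URL) === false) {
        $errors['website'] = 'Invalid URL';
    }
    if (!in_array(field($post, 'gender'), ['female', 'male'], true)) {   // assumed radio values
        $errors['gender'] = 'Gender is required';
    }
    return $errors;
}
$errors = $clean = [];
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = validate($_POST);
    foreach (['name', 'email', 'website', 'comment', 'gender'] as $f) {
        $clean[$f] = test_input(field($_POST, $f));   // escaped copies, used only for redisplay
    }
}
?>
<!-- PHP_SELF is escaped, so a crafted path like the one shown above becomes harmless text -->
<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES); ?>">
  Name: <input type="text" name="name" value="<?php echo $clean['name'] ?? ''; ?>">
  <span class="error"><?php echo $errors['name'] ?? ''; ?></span>
</form>
```

Validation runs on the raw trimmed values and htmlspecialchars() is applied only to what is echoed back, so a legitimate `&` in a URL is checked as typed rather than as `&amp;`.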