Using $PHP_SELF as form action

Norman_Graham

Can anyone direct me to a solid tutorial/article, demonstrating good coding practices, on form validation with PHP and in particular the use of $PHP_SELF. I have seen a few, e.g. http://www.devshed.com/Server_Side/PHP/FormValidatorClass/page11.html. This one is no doubt excellent but I'm still working on understanding OOP and am not ready for this complex example. Another article is http://www.thickbook.com/extra/php_formcem.phtml, however it seems to demonstrate sloppy coding which, being a learner, is something I try and avoid.

I already have a form with built in validation, but it only half works. I previously had a form which redirected to another file for validation - that was easy, but not elegant.

Btw - I'm well aware of the cogent arguments for using JS for form validation and PHP only for passing the information on via e-mail or into the DB, but I want to make the PHP approach work first and I will replace the validation with JS at a later date.

Thanks for your help

Norman

Weedpacket

There are some articles on this site (I'm maxing out my bandwidth right now, so I leave it to you to find them) on safe coding techniques; note that some of them are written by Tim Perdue, who is the (principal) author of PHPBuilder and SourceForge.

I'd love to know what these "cogent arguments" are. Relying on Javascript alone for your form validation is just dumb: it just means you'll allow unvalidated form data to enter your system without validating it.

Norman_Graham

Well perhaps I explained that badly - I meant JS to find out if the user has filled in all the fields etc. and produce error messages for empty fields. The actual validation - making sure the info is as intended and then making sure that some joker hasn't put anything nasty in - should be done by PHP. I just meant that I've heard the argument that client-side coding should check if you have a proper data set before sending the data to the server for processing.

Thx

Norm

superwormy

My reccomendation would be to code the PHP validation first as you've said, and it should validate EVERYTHIGN. Proper data types, proper field names, make sure everytyhings filled in, etc.

Javascript should be a convienence thing for the user, and THATS IT, because you can't rely on Javascript to truly validate everytyhing. It's just too easy to turn it off.

paulnaj

Norman,

A general tip on using the built-in variables: make sure that they are actually available to functions ... they are not necessarily global ... it's a compilation-preference (check the manual for details).

It's simple to check however: simply write a function that echoes $PHP_SELF to the browser

function print_self(){
echo $PHP_SELF;
}

... if nothing is printed, you will need to include the line ...

global $PHP_SELF;

... to every function that uses $PHP_SELF.

i.e.
function print_self(){
global $PHP_SELF;

echo $PHP_SELF;
}

Hope that helps!

superwormy

The manual seems to imply that $SERVER, $GET, $POST, $REQUEST, $COOKIE, $SESSION however, are automatically 'superglobal' to everything ( including functions ) as of PHP 4.1.0...

Norman_Graham

Yeah, I strongly suspect you're right, Superwormy. My impression from the manual was that all 'pre-defined' variables are automatically global and therefore a global statement is unnecessary - I've never seen it declared separately in a form that uses $PHP_SELF as action. And, yes, you're right about the problem of having JS switched off. If I was writing a really big and complicated form I would write code to check for JS and have two different validation paths based on the result - one in which JS checks for completeness before switching to PHP for validation - but it's hardly worth it for my piddling little 'send me your comments' form. I'll stick to what I know and love - PHP.

However, the technique of writing variables to the browser is a good debugging approach, so thanks for the tip anyway, Paulnaj.

What do you think of this thread? I've mirrored Delstrange's approach in a lot of ways, although he doesn't check for nasty scripts because his final action is just an e-mail as opposed to a DB insertion.

Thanks

Norm

ednark

if you are looking for a good php-side Validation thingy check out the one on pear.php.net

its an object where you can store validation information and validate things pretty easy.

i don't trust js validation one clock cycle. anyone can simply turn of JS altogether so you have to do server-side checking just to be safe anyway, so i don't see and need for js validation. thems my 2cents

Norman_Graham

Thanks for that, Ednark. I've just been working through the form validator class (http://www.devshed.com/Server_Side/PHP/FormValidatorClass/page11.html) which I mentioned in my previous post and I think I understand it, which means that I could attempt to understand the PEAR class/module. OOP has been a bit of a stumbling block for me up till now.

I agree about risky reliance on JS - I may build in an optional client-side routine to check for a full data set before further processing with PHP at some point in the future, but I'll go for the full PHP validation process at the moment.

Thanks everyone

Norm 🙂

Weedpacket

Originally posted by Norman Graham
I agree about risky reliance on JS - I may build in an optional client-side routine to check for a full data set before further processing with PHP at some point in the future, but I'll go for the full PHP validation process at the moment.

I prefer this method: JS validation for stuff that can be checked client-side (not everything can be), but validate everything server-side regardless. Those using the form with Javascript enabled get the more immediate response (and avoids an unnecessary server hit), while stuff sent by those with Javascript turned off or have bypassed the form completely is still properlty validated.

ednark

yeah but thats more work 🙁

Norman_Graham

Ah, but I'm not afraid of work - I just don't like spending hours doing completely the wrong thing.

Thanx guys - I'm now going to try and adapt Melonfire's extensible form-validator class for my own purposes and see how I get on with my first attempt at utilising an OOP approach. Could be fun.

Norm