Form data validation: same script vs. separate script

rmiller1985

I've got a script that loads a template which has a form. I know that I can set the form "action" to point back to the same script for data validation, but I find that that makes the script really big, and the logic hard to follow. I'd rather point the "action" to a different script, and if the data doesn't pass the validation tests, redirect back to the original script.

The problem is re-displaying all of the data that was entered in the form: as a user, there's nothing I find more annoying than entering ten fields of data, only to have the web page come back and tell me I screwed up ONE of the fields but at the same time wiping out the data that I entered in the other NINE. It appears that all of the $_POST data is gone, since I've gone to an intermediate script.

Is there any clean way around this, or do I need to choose between having two scripts for easier maintenance but not being able to redisplay the data entered, or being able to redisplay the data but having to put all of the code in a script that's really big?

Thanks,
Rich

bretticus

arrggghhh...

I suppose you could serialize your data in session variables. You could save all your POST data in hidden fields on the validation page and post that back to your original form. BUT...long script or not, it has always been easier to POST to the same script and handle the validation and, especially, "re-value" the form inputs. If your code gets cludgy, just make some functions for validation.

rmiller1985

Hey now, that's not the response I wanted!

But it is the one I expected. 🙂 Thanks, I'll proceed as I expected I'd have to.

Cheers,
Rich

bretticus

sorry, it not what you wanted to hear, but if you'd had to deal other ppl scripts like I have where they do it that way (and it's always a pain in the arse to maintain or extend), you'd say "arrrggghhh" too ;-)
Seriously, it's so easy to put down <input type="text" name="txtbox" value="<?=$_POST['txtbox']?>"> if you can explain to me why that makes life so difficult...maybe I'll believe you ;-). Othewise, good luck!

rmiller1985

I hadn't thought of doing it that way.

I've got my presentation and logic pretty much separated by the use of PEAR IT templates. So I validate the data, and if there are any errors, I manually re-populate the form fields.

For example, in my template I'll have something like this:

In the validation portion of my script, I'll have something like this:

if (strcmp($_POST["textbox"],"") == 0) {
// Set an error code, etc.
}

Then later, if there were any errors, I'll do this:

$templateObject->setVariable("TV",$_POST["textbox"]);

I've seen inline snippets like what you posted before, but I've never written code that way. I'll consider it; if I can keep the presentation and the logic separate, I might try it.

Rich

liquorvicar

i'm with you rmiller. for small(-ish) sites it might be easier to submit back to the same script and re-use the $POST data but i find in large sites where you want to abstract the DB, logic and display it's not possible.
i use a separate action script and redirect back to the form on failure or a success page on success. in the first case, you could serialize $POST into a session variable. then on the form page you check if your $_SESSION['post'] variable is there and if so unserialize and use to populate the form.

rmiller1985

Can you give me an example of "serializing $POST data"? Do you push each $POST element into its own $SESSION element? Or can you actually put the entire $POST variable into one $_SESSION element?

(As you might guess, I'm fairly new to this.)

Thanks,
Rich

liquorvicar

you could do either.

foreach ($_POST as $key=>$value) {
    $_SESSION['key'] = $value;
}

$_SESSION['post'] = serialize($_POST);

then you can access the values in your form either with just $SESSION['myformfield'] or with

$my_post_data = unserialize($_SESSION['post']);
$my_post_data['myformfield']...

rmiller1985

Wow, thanks! I'll give it a try!

Cheers,
Rich

Drakla

My code used to be a whole mess when submitting back to complex pages, now I have functions like this that I either define at the bottom of the page, or in a functions script

function fill_user_data()
{
	global $userData, $dbData;

$fields = array('title','name','surname','address','address2','town','county','postcode','tel','mobile',
	'username','password','email','gender','dobday','dobmonth','dobyear','paypal','chequename');

if ( get_magic_quotes_gpc() )
	foreach ($fields as $field)
		$_REQUEST[$field] = @stripslashes($_REQUEST[$field]);

foreach ($fields as $field)
{
	$dbData[$field] = '';

	if (isset($_REQUEST[$field]))
		$dbData[$field] = mysql_escape_string(trim($_REQUEST[$field]));

	$userData[$field] = htmlspecialchars($_REQUEST[$field]);
}
}

It's called at the top of the script, then any input fields have <?= userData['name'] ?> etc in them that's already cleaned, stripped, and ready to go to the database if they're all valid - and if an extra field is needed then you just add it to the array, loads of my code is based on names in arrays, and I wish I'd thought of it a lot earlier than I did. I've recently written a whole thing to handle request that deals with everything for me, it's simple but way effective.

I can't be bothered to attach it, so I'll paste - if anyone wants me to nuke it say so and I will

/*	Class to handle stripping, escaping, trimming and field checking of request variables
 *
 *	This will be a beauty for handling and verifying input
 *
 *	funcs strip, trim, specialchars, escape, reset, verify
 */

class RequestHandler
{
	var $data;				// copy of request data, auto de-slashed if need be
	var $reqFilled;			// array list of fields that have to be filled when verify is called
	var $reqNumeric;		// array of fields that have to be numeric
	var $reqMinLen;		// associative array of $key => minimum lengths
	var $errors;				// array of error messages

function RequestHandler()
{
	$this->data 		= $_REQUEST;
	$this->errors 		= array();
	$this->reqFilled 	= array();
	$this->reqNumeric 	= array();
	$this->reqMinLen = array();

	if (get_magic_quotes_gpc())
		$this->strip();
}

function strip()
{
	$this->recurse_it($this->data, 0, 'stripslashes');
}

function trim()
{
	$this->recurse_it($this->data, 0, 'trim');
}

function specialchars()
{
	$this->recurse_it($this->data, 0, 'htmlspecialchars');
}

function escape()
{
	$this->recurse_it($this->data, 0, 'mysql_escape_string');
}

	// hope you appreciate how lovely this is

function recurse_it(&$in, $dead, $function)
{
	if ( is_array($in) )
		array_walk($in, array($this, 'recurse_it'), $function);
	else
		$in = $function($in);
}

function reset()
{
	$this->RequestHandler();
}

	// returns true or false dependent on the status of required fields

function verify()
{
	$errCnt = 0;

	foreach ($this->reqFilled as $key)
	{	if (empty($this->data[$key]))
		{
			$this->errors[] = 'field "' . $key. '" empty';
			$errCnt++;
		}
	}

	foreach ($this->reqNumeric as $key)
	{	if (!isset($this->data[$key]) || !is_numeric($this->data[$key]))
		{
			$this->errors[] = 'field "' . $key. '" not numeric';
			$errCnt++;
		}
	}

	foreach ($this->reqMinLen as $field => $len)
	{	if (!isset($this->data[field]) || strlen($this->data[$field]) < $len)
		{
			$this->errors[] = 'field "' . $field . '" less than ' . $len . ' chars';
			$errCnt++;
		}
	}

	return $errCnt ? false : true;
}

	// takes array of field names that must be filled

function set_req_filled($rf)
{
	$this->reqFilled = $rf;
}

	// takes array of fields that must be numeric

function set_req_numeric($rn)
{
	$this->reqNumeric = $rn;
}

	// takes associative array of field names and their min length

function set_req_minimum($rm)
{
	$this->reqMinLen = $rm;
}
}