Form validation: General help with theory

j_70

I could use some examples of good form validation architecture. I can program the validation functions, but am having trouble integrating them into my web page. I have a few books, but their examples are somewhat trivial in that they tell you how to validate the form, and the success event is something like a 'YOU WERE SUCCESSFUL' message. What I need to do upon successful validation is enter some data into a database or move on to the next form.

I could use some examples of what I would call multi-tier form validation where the user would log in, and then have to successfully navigate several forms. Do I do this all with PHP_SELF or do I call each form as a separate page? The problem I have had with some of the books is that their examples are not exactly what I would call 'real world'.

TIA. 😉

spookztar

Not really sure, but maybe a cascading if/else could do that? and make sanitization a function? Not very experienced at PHP/programming, so I'm a bit on shaky ground here...

if (eregi(unwanted symbols here, $yourdata)) {
Die('Data contains unwanted characters.');
}
else {
mysql_real_escape_string($yourdata);
$query1 = "INSERT INTO tablename (field1) VALUES ('$yourdata')";
//if previous query successful, present next form.
if ($query1 = "true") {
echo "Success";
//present next form here, and repeat process.
}
else {
die ('Error inserting info: ' . mysql_error());
}

In this way, one could just cascade down a selfsubmitting form, initiating forms in turn with submit buttons, form after form until the user is done.

It's not an accurate example, just a quick suggestion of sorts.

WDPEjoe

I typically model my forms systems like this:

// this stores any invalid entry error messages that may occur
$messages = array();

// whatever condition you want that specifies that the form should be processed
if (isset($_POST['submit']))
{
// process values, if there are any invalid entries, do something like this
if (!is_int($_POST['intvalue'])) { $messages[] = "You need to enter an integer"; }
if (!validate_email($_POST['email'])) { $messages[] = "The email address is invalid"; }

// once all the validation is done...
if (count($messages) < 1)
{
// if there are no messages, then we know there are no errors, so you would run your
// queries & whatnot here
// after that, if you want to direct them to another form, use header("Location: ")
}
}

// this would go at the top of your form (or wherever you're printing error messages)
foreach ($messages as $message) { print "<br />".$message; }

// and finally, you'd put your form here, submitting to PHP_SELF...

Each form has its own file/URL and is structured in the same way.

Roger_Ramjet

If you search these forums (using the search at the top of the page) for form validation you will find every aspect of this discussed exhaustively and all the quality code you could hope for.

j_70

I have following the example you have provided, but may have missed something. When I put in correct data, I receive error messages. TIA.

<?php

$messages = array();


if (isset($_POST['submit']))
{

if (!is_int($_POST['int1'])) { $messages[] = "You need to enter an integer"; }
if (!is_int($_POST['int2'])) { $messages[] = "You need to enter an integer"; }


if (count($messages) < 1)
{
print 'success';
}
}


foreach ($messages as $message) { print "<br />".$message; }

.
?>

<form method="POST"  action="<?php echo $_SERVER['PHP_SELF']; ?> ">

Integer1:
<input type="text" name="int1">
<br>
Integer2:
<input type="text" name="int2">
<input type="submit" name="submit">
</form>

WDPEjoe

Sorry for the delay, I've got a lot of different stuff on my plate right now.

Anyway, I was just trying to give you my general architecture for form building and validation. Generally, if I'm validating an integer, I do something like:

// Assuming the int is $_POST['int1']
$check = (int) $$_POST['int1'];
if ($check > [max expected] || $check < [min expected]) { $messages[] = "Expected integer between x and y, submitted value was ".$_POST['int1']; }

zingbats

I'd like to add, that posting a page to itself makes the code a lot messier. It's much nicer (I think) to post to a separate page, and let it do all the work. I mean, who wants to be taken back to the form anyway?

WDPEjoe

That's the purpose of processing the data at the beginning of the script (if submitted) and using header() to pass them on to the form completion page. Furthermore, I do want my users being back on the form page if they entered invalid data that they must re-enter. It's also very easy to put detailed messages about what they did wrong and display them before the form. Also, you can use the value="<?php print $_POST['varname']; ?>" (or equivalent for other control structures) to make their form data persist. Finally, all the code for the form and the processing is in one place, and (it may be personal preference) I would rather scroll back and forth than have to switch between files.

So, I'd say there are more reasons to have it in the same script/page than not.

halojoy

j_70 wrote:
I could use some examples of good form validation architecture.
I can program the validation functions,
but am having trouble integrating them into my web page.

TIA. 😉

I just, when browsing for latest news on SPAW Wysiwyg WebEditor,
got over a free FormValidator class (82kB ZIP) from same website.
Aside from validation it has got captcha.

I will try it on my website.
Free (GPL - to be integrated into GPL-licenced software)
Links:
Solmetra FormValidator Class
DEMO - at bottom of page
SPAW Editor v.2

Example, from the documentation included in the ZIP download:

<?php
// 1. Start session
session_start();

// 2. include the class
include_once 'formvalidator/SPAF_FormValidator.class.php';

// 3. instantiate the object
$obj = new SPAF_FormValidator();

// 4. validate
if (isset($_POST['code'])) {
  if ($obj->validRequest($_POST['code'])) {
    echo 'The code is correct!';
    // destroy successful code
    $obj->destroy();
  }
  else {
    echo 'Error - the code entered is incorrrect';
  }
}
?>

SOLMETRA FormValidator is a PHP class
used to validate web forms against automated submissions.
The process involves generating and displaying a distorted image of secret phrase
which is readable to humans but completely incomprehendable to machines - even to OCR programs.
This protection mechanism is known as CAPTCHA

SPAW Editor is a web based in-browser WYSIWYG editor control
enabling web site developers to replace a standard textarea html control
with full-featured, fully customizable, multilingual, skinable web based WYSIWYG editor.

Regards
halojoy
🙂