[RESOLVED] Using PHP to Validate Data

amy_damnit

I'm new to PHP and following one of Larry Ullman's PHP books.

In the book, he shows how to use PHP to validate data (on the server side).

My question is...

What is the best way to validate data? Client-side (e.g. JavaScript)? Server-side (e.g. PHP)? Or another technique?

I always thought you validated data on the client side, but maybe that isn't the best way?!

How do the "pro's" do it?

Thanks,

Amy
🙂

devinemke

amy.damnit;10914237 wrote:
What is the best way to validate data? Client-side (e.g. JavaScript)? Server-side (e.g. PHP)?

both. the bottom line is this: never trust user input. assume the worst.

dagon

client side is often faster and looks nicer and you can do all that pretty js stuff, but as js may be disabled, you always have to do it server side, where client side is optional.

rickywh

From what I read on the internet the best way to validate user input is to validate on both the client and the server for maximum efficiency and you also save server processing by doing the clientside validation.

So you validate both ways for best results and effect

Ricky

NogDog

Since you know you must validate on the server side, I normally take care of that first. Then if time/budget allows or the customer requires it, I'll add client-side validation where appropriate, viewing it as a UI enhancement, not a basic functional requirement.

amy_damnit

Wow, that was a pretty consistent series of replies!

I'm new to web-programming and really wasn't sure what to think. (I guess I just assumed you always used JavaScript?!)

A few follow-up questions...

1.) Would you ever have to worry about server-side data validation creating a huge performance hit on a busy site (i.e. 100-200 concurrent users)?

2.) Other than set choices in a list (e.g. drop-downs, list-boxes, radio-buttons, etc), is there any way to make data validation any easier for PHP?)

3.) On the client, is there any other way to legitimately valid data other than JavaScript?

Thanks,

Amy

NogDog

amy.damnit;10914291 wrote:
Wow, that was a pretty consistent series of replies!

I'm new to web-programming and really wasn't sure what to think. (I guess I just assumed you always used JavaScript?!)

A few follow-up questions...

1.) Would you ever have to worry about server-side data validation creating a huge performance hit on a busy site (i.e. 100-200 concurrent users)?

I suppose you can worry about it; but at the same time you have to worry about what might happen if your script allows invalid data to be processed. Generally, when talking about pure PHP code, you're talking about differences in milliseconds (or less) of execution time when you add/delete relatively simple function calls and such. Probably the single most significant timing issues will be in the HTTP transfers back and forth over the network/internet, and database access/queries (and even that can be kept pretty lean if everything is designed optimally and the data being requested is not humongous). Adding a few validation rules would really be one of my least concerns when it comes to PHP script performance.

2.) Other than set choices in a list (e.g. drop-downs, list-boxes, radio-buttons, etc), is there any way to make data validation any easier for PHP?)

There are [man]filter[/man] functions, [man]ctype[/man] functions, [man]PCRE[/man] regexp functions, and a whole slew of string functions. You also need to be aware of issues with data that will be used in database queries (see [man]mysql_real_escape_string/man, for instance).

3.) On the client, is there any other way to legitimately valid data other than JavaScript?

There may be other ways in certain situations, such as if you use a Flash or Java applet, but regardless of what type of client-side validation you do, in the end the browser sends a HTTP request with the form data to your server-side script. Any hackers worth the name can easily spoof that request and send whatever POST/GET data they want to the form action's URL. Shoot, even I could do that. 😉

amy_damnit

NogDog,

Thanks for the reply.

Again, I am impressed with your "security awareness" and prowess!! (It's good to see someone thinking so much from a security standpoint and not just a coding standpoint.)

Okay, as I continue to learn, I'll pay extra attention to how my server-side handles data coming in, and be extra careful of data validation.

Geesh, so much to learn!!!

Thanks always,

Amy
🙂

djjjozsi

Hello,
you can cheat a little bit 😃
if you start learning the AJAX, you will find that you just need to validate the data in server side, the responses then show the visitor on client side that "something is wrong, or a data has been used (email address/username ect...).

hello, jjozsi.

NogDog

To learn more about security issues, I always recommend starting with Essential PHP Security by Chris Shiflett.

amy_damnit

djjjozsi;10914332 wrote:
Hello,
you can cheat a little bit 😃
if you start learning the AJAX, you will find that you just need to validate the data in server side, the responses then show the visitor on client side that "something is wrong, or a data has been used (email address/username ect...).

hello, jjozsi.

Yah, I'm definitely interested in learning AJAX after I get the basics down!

Amy

amy_damnit

NogDog;10914336 wrote:
To learn more about security issues, I always recommend starting with Essential PHP Security by Chris Shiflett.

Thanks for the link. I will definitely buy and read that book after I get the basics down.

In this day and age, it seems like security should be at the forefront of every programmer's mind!!

UGHH!!! Sooooo many good books to read and so little time?! :queasy:

Amy