Validating the simpler form inputs?

gwerner

This is yet another form validation question. I'm in the process of going back over how I handle form validation. There doesn't seem to an overwhelming consensus on how best to handle the simpler fields. I can find tons on how to validate email addresses.

I've always used preg_match to check for allowable characters, lengths and patterns. One of my forms is simply to gather basic user info, name, address, city, etc. When it comes to things like zip codes and phone numbers, it's pretty straight forward. Only allow numbers for zips. And, only numbers, spaces and dashes for phone numbers (and maybe parentheses).

Should I be using preg_match for things like first name, last name, street address? These fields seem to be the ones that will be impossible to plan for every weird spelling or formatting. Is it better to just check for string length, existence (if required) and send it to the database via mysql_real_escape_string? I've always been hesitant and have followed it's better safe than sorry when handling user input. But, I might have it all wrong? Any ideas, or help?

Names

preg_match("/^[A-Za-z0-9-_\s]{3,30}$/", $string)

Address

preg_match("/^[A-Za-z0-9-_.#\s]{0,80}$/", $string)

City

preg_match("/^[A-Za-z0-9\s]{4,32}$/", $string)

dagon

name, address i would allow anything, let the user format it as is appropriate for them, forcing them to some standard is really annoying, especially if you don't happen to be an American with an Anglo-Saxon name (most of the worlds population).

Be careful with phone numbers some countries may use only 4 digits (dont know of less, but it may be possible) text in a phone is not unreasonable for some (ext.123; for example)

Zip\post codes not all countries use them, some will have letters, length varies.

NogDog

I generally assume a user can spell his/her name or address correctly, and while it would be nice to have some amazing AI that could detect typos and other errors, that's probably an unreasonable expectation for most web apps. I would rather just filter out blatantly "bad" characters such as nulls, newlines/carriage-returns in non text area fields, etc., but not arbitrarily limit what letters/characters can be used and risk a potential customer leaving in frustration because he cannot enter what he knows is right.

gwerner

I agree with both of you that from a user experience it's better to allow more than less. So, in your opinion is it safe to go about it like so? Check if fields have been set, are empty, length and data type (string vs numeric). And, once it passes insert into database via mysql_real_escape_string. I'm also planning to use (int) on entries that should be numeric only.

I read on another post this seems to be acceptable and when retrieving and displaying the data use htmlspecialchars and/or nl2br.