thoughts on my form validation functions

mbaldwin577

Okay, I would like some thoughts on my form validation functions. I am not really new at php, but I feel I am not all that good at it either. I feel I am stuck, and I want to expand and get better at it.

I hope the formatting of the code is fine. I am blind, so I do not normally do all that tabbing and stuff to try to keep stuff aligned.

<?php

//strip tags and white spaces from arrays like $_POST
  function CleanArray($array) {
  foreach ($array as $key => $value) {
    $array[$key] = strip_tags(trim(rtrim($value)));
  }
  return $var;
}

//adds the html div tags and the class to the error messages for outputting to the screen, and set general error message.

  function DivErrors($array) {
    foreach ($array as $key => $value) {
    $array[$key] = '<div class="formError">'.$value.'</div>';
    }
  $array['message']='<div class="errormsg">Sorry, errors were detected, please fix the errors noted and resubmit the form.</div>';
  return $array;
}

//checks each input for proper length and characters based on their type.

  function CheckVar($input, $type) {
  $pattern='';
    switch ($type) {

//names, like first name, last name, business name, job title, etc..
case 'name':
$pattern='/^[A-Z][A-Za-z\s\'_-]{2,55}+$/';
break;

//street addresses
case 'address':
$pattern='/^[A-Za-z0-9\s.,_-]{2,55}+$/';
break;

//city, state, country, postal code
case 'location':
$pattern='/^[A-Za-z0-9\s._-]{2,55}+$/';
break;

//phone number xxx-xxx-xxxx
case 'phone':
$pattern='/^\d{3}-\d{3}-\d{4}?$/';
break;

//password check, allows more characters to encourage stronger passwords.
case 'password':
$pattern='/^[A-Za-z0-9\'!@#$%^&*()=+,._-]{6,25}+$/';
break;
}

  //checks if the type is for email and validates it using the php filt_var
    if($type == 'email') {
      if(!filter_var($input, FILTER_VALIDATE_EMAIL)) {
      return false;
      }
      else {
      return true;
      }
    }
    else {

  //check the other types that are not email.
      if(!preg_match($pattern, $input)) {
      return false;
      }
      else {
      return true;
      }
    }
}


//creats a random string for email verification codes and temp passwords.
  function RandString($length) {
  $string='';
    for ($x = 1; $x <= $length; $x++) {
      switch (rand(1, 3)) {
      //  Add a random digit, 0-9
      case 1:
      $string .= rand(0, 9);
      break;
      //  Add a random upper-case letter
      case 2:
      $string .= chr(rand(65, 90));
      break;
      //  Add a random lower-case letter
      case 3:
      $string  .= chr(rand(97, 122));
      break;
      }
    }
  return $string;
}

Thanks,
Michael

laserlight

It seems to me that instead of this:

//strip tags and white spaces from arrays like $_POST
function CleanArray($array) {
    foreach ($array as $key => $value) {
        $array[$key] = strip_tags(trim(rtrim($value)));
    }
    return $var;
}

You intended to write:

//strip tags and white spaces from arrays like $_POST
function CleanArray($array) {
    foreach ($array as $key => $value) {
        $array[$key] = strip_tags(trim($value));
    }
    return $array;
}

However, unless you really need to strip tags, I suggest that you don't as it is a rather destructive operation. If you want to print the values as HTML, then htmlspecialchars or htmlentities would usually be better.

Also, instead of:

if(!filter_var($input, FILTER_VALIDATE_EMAIL)) {
    return false;
}
else {
    return true;
}

It would be simpler to write:

return filter_var($input, FILTER_VALIDATE_EMAIL) !== false;

mbaldwin577

Thanks for your thoughts.

yeah, I guess I probably do not need the rtrim() in the CleanArray function. I think I put it in there a long time ago, cause for some reason trim wasn't removing all the white space from form inputs.

None of the inputs need html tags or anything in them, so that is why I chose strip_tags(), but I will look in to the other functions,htmlspecialchars() and htmlentities().

that is a nice way of shortening the code, it does look better. I am confused about the !== though, but I haven't picked up on when to use like == or ===, I guess I haven't got my head wrapped around the difference.

I might research a way to have the function do even more for me. It didn't really save lines of code in my file. I still use code like

if(!CheckVar($var['first_name'], 'name')) {
$error['first_name']='Please enter a valid First name.';
$error_count=1;
}

each input has it's own error message, so i can put the message by the field instead of all of them at the top. I also have them in an array, so right before I load the form again to show the errors, I loop through all the array values and add the div and class html stuff to them. maybe that is extra processing for really nothing, but then it makes it easier to change if need be. Only need to do it in one place instead of for 15 different fields.

Anyways, that is getting away from the original form validation functions.
Think what I have will block most bad stuff? I'll add the mysqli_real_escape_string() before adding the info into the database.

Thanks,
Michael

Derokorian

// Following comparison fails, because === is a strict comparison, which means it compares both the value and type
// the first part is a string with a character representing a zero, while the second is an integer with value zero
if( "0" === 0 ) {
   echo "Same type with same value";
} else {
   echo "not same type, or same type different values";
}

// This comparison succeeds because even though one is a string and one is an integer, == is a loose comparison so its only comparing values
if( "0" == 0 ) {
   echo "Values are equal, type is not tested";
} else {
   echo "values are not equal, type is not tested";
}

// != and !== are the opposite of == and ===, respectively
// so the following succeeds because they are different types, even though they have the same value
if( "0" !== 0 ) {
   echo "Type is not the same, or type is same and value is different";
} else {
   echo "Type and value are the same";
}

if( "0" != 0 ) {
   echo "Values are different, type not tested";
} else {
   echo "Values are the same, type not tested";
}

Read the comments, run the code and see the results and please post back if you have more questions about the difference between loose comparison (==) and strict comparison (===)

mbaldwin577

Thanks,
that makes it much easier to understand. This should be in the manual. A lot more clear then what they have.

Michael

bradgrafelman

mbaldwin577;11013041 wrote:
This should be in the manual.

You mean something like the example code snippet following this table, perhaps in conjunction with these two tables?

mbaldwin577

Still say your explaination and examples are better.
I have read that first page of the manual, but had not seen the second.

Thanks,
Michael