Very basic form validation question

gsamson

Hi,

I've just started exploring php as a means of delivering some of our currently in-use paper-and-pencil questionnaires to a wider audience. I've scoured the archives but cannot find a decent guide to form validation. It may be that I'm thinking about validation issues in completely the wrong way or it may be such a straightforward issue that it just doesn't warrant discussion.

Anyway, I have a multipage form that respondents have to complete with the action part of the FORM tag taking them through the pages that make up the questionnaire, the input variables following along in HTTP_POST_VARS.

I'd like each page to validate its own input before moving on to the next page and this is where I need to find out what it is that others do and whether there's pretty much a standard way of doing this.

Is it common practice for pages to self-validate in multipage forms or is it preferable to pair each page with a separate validator?

If I were to use $PHP_SELF in the action part of the FORM tag while the data input are still invalid, what is the best way of moving on to the next page without having to hit the SUBMIT button twice (i.e. once to have the server validate the data and replace $PHP_SELF with the new URL and then once again to initiate the transition to the new page). Would the header() function be of any use in this situation instead of modifying the value of $action. Here's something I've seen elsewhere but it does require the "double submission" I've mentioned:

$action = "$PHP_SELF"
if ($formstatus == "validate") {
check form vars for errors
}
if (!$errors_found){
$action = "nextpage.php"
}else{
redraw page with errors marked
}

Any help, pointers to existing code, hints, etc. would be very much appreciated.

Gary Samson
Department of Psychology
University of Kent at Canterbury

maxpup979

Well, depending on your audience, you may want to look into using javascript for your validation....it would look something like:
<head>
<script language = javascript>
function validate(form){
if(form.somefield.value==""){
alert('please enter a value for somefield');
form.somefield.focus();
return false;

}
return true;
}

</head>
.
.
<input type = submit name = submit onClick="javascript: return validate(formname);">

I have found that in most cases JS works well. However, if this will not suit your needs, you can do the PHP validation, using either $PHP_Self, and a redirect, or an intermediate page that does the validation. This is quite a bit more complex, and confusing the first time around...at least I think so. Anyway, here is a basic idea of the structure you could use. There may be better ways to do this though....
$mistake=0;
if($sentinal=="page1questions"){
if($somefield ==""){
mistake=1;
}
if($mistake!=0){
print error messages here
}else{
write answers to DB, or append to URL, or whatever you want to do, and redirect to next page
}
}

Hope this helps--if you need more explicit info, just post again...🙂

Darren

kparker

IMO, javascript for validation is a fine adjunct to php, but it can never substitute for it since the user can always turn javascript off. Thus, I would advise you to concentrate on the php validation first.

I generally prefer to have the form-creation and the validation in the same file. That way, you can have a top-level outline that looks like this:

... // define functions for creating and validating the form here

if ($REQUEST_METHOD == 'POST')
   {
   if (validate_form(...))
      {
      // do whatever comes next: save data,
      // use location header to go to another
      // page, or even issue another form
      // right from the same php file
      }
   else
      {
      display_form('error message here');
      }
   }
else
   {
   display_form(''); // i.e. null error message
   }

Anon

i use both, just because i'm really anal about making sure users input data -- and if they have javascript turned on, it saves them headaches of clicking back and filling information again.

here is my user creation check, in the actual .html portion (javascript)

disclaimer: this could be written a lot better, but i threw it together in a couple minutes for someone
<pre>
<SCRIPT LANGUAGE="javascript">
<!-- hide
function passCheck(){

    if (document.forms.join.username.value.length==0){
            alert("You must enter an username.")
            return false;}
            if (document.forms.join.password.value.length==0){
            alert("You must enter a password.")
            return false;}
            if (document.forms.join.password.value.length!=document.forms.join.password2.value.length){
            alert("Your passwords do not match.")
            return false;}
            if (document.forms.join.email.value.length==0){
            alert("You must enter an email.")
            return false;}
            if (document.forms.join.real_name.value.length==0){
            alert("You must enter a real name.")
            return false;}
            if (document.forms.join.password.value.length<4){
            alert("Your password must be at least four characters.")
            return false;}
            if (document.forms.join.password.value.length>8){
            alert("Your password can not be more than 8 characters.")
            return false;}
            if (document.forms.join.b1.value.length==0){
            alert("You must enter your birthdate.")
            return false;}
            if (document.forms.join.b1.value > 12){
            alert("You must enter a month 1-12.")
            return false;}
            if (document.forms.join.b2.value > 31){
            alert("You must enter a date 1-31")
            return false;}
                            if (document.forms.join.b2.value.length==0){
            alert("You must enter your birthdate.")
            return false;}
            if (document.forms.join.b3.value.length==0){
            alert("You must enter your birthdate.")
            return false;}
            if (document.forms.join.secret_answer_1.value.length==0){
            alert("You must enter an answer to the secret question.")
            return false;}
            if (document.forms.join.secret_answer_2.value.length==0){
            alert("You must enter an answer to the secret question.")
            return false;}
            if (document.forms.join.address_line_1.value.length==0){
            alert("You must enter at the minimum one shipping line.")
            return false;}
            if (document.forms.join.city.value.length==0){
            alert("You must enter a city.")
            return false;}
            if (document.forms.join.state.value.length==0){
            alert("You must enter a state.")
            return false;}
            if (document.forms.join.zipcode.value.length==0){
            alert("You must enter a zipcode.")
            return false;}
    // if it makes it here, it will return true.
  return true;
  }

// unhide -->
</SCRIPT>

</pre>

okay.. and then in my join.php, here are a few of the checks i make:

<pre>

if ( ($username != "") && ($password != "") && ($email != "") ) {

     $flag = 1; // this is a flag to make sure we don't have any errors from input
     $feedback = "\n";
     $real_name = stripslashes($HTTP_POST_VARS['real_name']);
     // concatenate birthdate fields
     $birthdate = '19';
     $birthdate .= $HTTP_POST_VARS['b3'];
     $birthdate .= '-';
     $birthdate .= $HTTP_POST_VARS['b1'];
     $birthdate .= '-';
     $birthdate .= $HTTP_POST_VARS['b2'];
     $username = stripslashes($HTTP_POST_VARS['username']);
     $secret_answer_1 = stripslashes($HTTP_POST_VARS['secret_answer_1']);
     $secret_answer_2 = stripslashes($HTTP_POST_VARS['secret_answer_2']);
     // match username versus database to see if we get a match
     $sql = "select username from {$DB_CONF['table_account']} where username='$username'";
     $sql_result = mysql_query($sql) or die ("Couldn't execute query. (message_database()) ".mysql_error());
            while ($row = mysql_fetch_array($sql_result)) {
                    $username_test = $row['username'];
            }
     if ( $username_test == $username ) { // okay someone already has that username..
     $errormsg .= "Someone already has chosen $username.. please select another username.\n";
     $flag = 0;
     }
    // no spaces in username
    if (strrpos($username,' ') > 0) {
    $errormsg .= "There cannot be any spaces in the login name.\n";
    $flag = 0;
    }
    // illegal names
    if (eregi("^((root)|(bin)|(daemon)|(adm)|(lp)|(sync)|(shutdown)|(halt)|(mail)|(news)"
            . "|(uucp)|(operator)|(games)|(mysql)|(httpd)|(nobody)|(dummy)"
            . "|(www)|(cvs)|(shell)|(ftp)|(irc)|(debian)|(ns)|(download))$",$username)) {
    $errormsg .= "Illegal username.\n";
    $flag = 0;
    }
    if (eregi("^(anoncvs_)",$username)) { // check for CVS in username
    $errormsg .= "Name is reserved for CVS.\n";
    $flag = 0;
    }
  // validate email
  if( !ereg( "^([0-9,a-z,A-Z]+)([.,_]([0-9,a-z,A-Z]+))*[@]([0-9,a-z,A-Z]+)([.,_\,-]([0-9,a-z,A-Z]+))*[.]([0-9,a-z,A-Z]){2}([0-9,a-z,A-Z])?$", $email ) ) {
  // email didn't pass check, redirect.
  $errormsg .= "Your email address is <b>not valid</b> ..please enter a valid email address.\n";
  $flag = 0;
  }

  if (!$flag) { // okay we have an error somewhere.. let's inform the user of it
  echo "

  <head>
  <title>Error in Input</title>
  </head>

  <body>
  <h1>There was an error in your input</h1>
  error message:<p>
  <pre>
  <p align=left>$errormsg</p>
  </pre>
  <h3>Please click back on your browser and try to correct the errors.</h3>
  </body>

  ";

  }

else if ($flag) { // this means user has inputted correct values.. inserting into database

// code goes here to insert user into database, file, etc..

</pre>

hope this could help someone ;o)

kparker

it saves them headaches of clicking back and filling information again

A properly-designed PHP validation doesn't suffer from either of these defects.

(1) If the validation doesn't pass, the form is redisplayed--no clicking back needed.

(2) The existing data (except, perhaps, passwords) is used to initialize all the fields--no retyping needed, except for the missing/incorrect fields.

Your JS example looks helpful, too, and it's quite a bit faster for the user than submitting the form and having it bounced back, of course. One additional touch would be to have it set focus on the field with the problem.

gsamson

Thanks, guys, your suggestions have helped enormously! I want to keep the entire project in php rather than dip in to javascript just now simply because of the possibly of scripting being disabled.

One alteration I seem to need to make to my code is in the way it passes data from one page to another. Previously I was using HTTP_POST_VARS to ship variables from page to page. Using header() doesn't permit this carry forward so I've changed to using sessions to register and preserve the data I need between page calls. I guess a small mysql database is ultimately the way to go.

Thanks again.

Gary

BTW I realise I posted my original question to the wrong forum. Shall stick to 'Coding help' in future.