Hudzilla.org - the homepage of Paul Hudson

7.7.2 Server-side validation

This is NOT the latest copy of this book; click here for the latest version.

Server-side data validation means using PHP to verify that good values have been sent to the script. Server-side validation has almost exactly the opposite pros and cons of client-side validation: it is more secure, because the checks run on the server where the user cannot switch them off or bypass them, and it works seamlessly with all browsers, but it does so at the cost of slightly higher server load and slower feedback for users.

One big advantage of server-side validation is that you can use PHP, a language you have by now attained some skill with. As you know, PHP has a wide variety of functions and language features to help you chop and change strings, check that numbers are within ranges, and so on. Furthermore, you can use PHP to connect to a database to check whether a username exists, for example, which is simply impossible using client-side scripting alone.
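
As an added example (not code from the book), the checks described above can be put together as follows. The field names, the limits, the users table and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
// Added example, not from the book. Field names, limits and the users table are assumptions.
declare(strict_types=1);

/** Returns a list of error messages; an empty list means the input passed. */
function validate_signup(array $input, PDO $db): array
{
    $errors = [];
    // Do not trust request types: a field can arrive as an array (username[]=x).
    $name  = is_string($input['username'] ?? null) ? trim($input['username']) : '';
    $email = is_string($input['email'] ?? null) ? trim($input['email']) : '';

    // Allow-list the username rather than block-listing "special" characters.
    if (!preg_match('/\A[A-Za-z0-9_]{3,20}\z/', $name)) {
        $errors[] = 'Username must be 3-20 letters, digits or underscores.';
    } else {
        // Only the server can ask the database whether the name is taken.
        $stmt = $db->prepare('SELECT 1 FROM users WHERE username = ?');
        $stmt->execute([$name]);
        if ($stmt->fetchColumn() !== false) {
            $errors[] = 'That username is already taken.';
        }
    }

    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Email address is not valid.';
    }

    // Range check: FILTER_VALIDATE_INT rejects "12abc", "1.5" and arrays.
    $age = filter_var($input['age'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 13, 'max_range' => 120]]);
    if ($age === false) {
        $errors[] = 'Age must be a whole number between 13 and 120.';
    }
    return $errors;
}

// Constructed demo data: an in-memory SQLite table stands in for the user store.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY)');
$db->exec("INSERT INTO users VALUES ('paul')");

// Constructed request that never ran the JavaScript checks.
$post = ['username' => 'paul', 'email' => 'not-an-email', 'age' => '12abc'];
foreach (validate_signup($post, $db) as $error) {
    echo 'Error: ' . htmlspecialchars($error, ENT_QUOTES, 'UTF-8') . "\n";
}
```

Run from the command line with the pdo_sqlite extension enabled, the sample request produces three errors: the username is taken, the email is invalid, and the age is not a whole number in range.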






Comments from other readers
A PHP User - 05 Dec 2008

<html>
<head>
<title>Contact Form</title>
</head>
<body>
<form action="msgform.php" method="post" name="msgform" onsubmit="return checkForm()">
<table width="500" border="0" align="center" cellpadding="2" cellspacing="1" class="maincell">
<tr>
<td width="106">Your Name</td>
<td width="381"><input name="sname" type="text" size="30"></td>
</tr>
<tr>
<td>Your Email</td>
<td>
<input name="email" type="text" size="30">
</td>
</tr>
<tr align="center">
<td colspan="2"><input name="submit" type="submit" value="Send Message" ></td>
</tr>
</table>
</form>
</body>
</html>


<script type="text/javascript" language="javascript">
// Client-side check for the form above. It only gives the user quick feedback;
// the PHP script has to repeat the checks because this code can be bypassed.
function checkForm()
{
    // Characters that are rejected in the name field.
    var iChars = "!@#$%^&*()+=-[]\\\';,./{}|\":<>?";

    if (document.msgform.sname.value == "")
    {
        alert("Name can not be blank");
        document.msgform.sname.focus();
        return false;
    }
    else
    {
        for (var i = 0; i < document.msgform.sname.value.length; i++)
        {
            if (iChars.indexOf(document.msgform.sname.value.charAt(i)) != -1)
            {
                alert("Your Name has special characters. \nThese are not allowed.\n Please remove them and try again.");
                document.msgform.sname.focus();
                return false;
            }
        }
    }

    if (document.msgform.email.value == "")
    {
        alert("Please enter your email");
        document.msgform.email.focus();
        return false;
    }
    // The last character class was a-zA-z, which also matched [ \ ] ^ _ and `.
    else if (document.msgform.email.value.match(/^[\w\-\.\+]+\@[a-zA-Z0-9\.\-]+\.[a-zA-Z0-9]{2,4}$/))
    {
        return true;
    }
    else
    {
        alert("Email address is not valid. Please enter in xyz@abc.com");
        document.msgform.email.focus();
        return false;
    }
}
</script>



A PHP User - 05 Dec 2008

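<?php

if (isset($_POST['submit']))
{
    $errors = array(); // in case there are no errors, it is still defined

    // Check each field on its own so that every problem is reported.
    if (empty($_POST['sname']))
    {
        $errors[] = "Name cannot be left blank";
    }
    if (empty($_POST['email']))
    {
        $errors[] = "Email cannot be left blank";
    }

    foreach ($errors as $val)
    {
        // The error strings are fixed text defined above, never user input.
        print "Error: ".$val."<br>\n";
    }

    if (count($errors) == 0)
    {
        // Escape the submitted name before echoing it back; otherwise any
        // markup typed into the field would be rendered by the browser (XSS).
        echo "Welcome ".htmlspecialchars($_POST['sname'], ENT_QUOTES, 'UTF-8');
    }
    else
    {
        // Show the form again, once, below the error messages.
        include("contact.php");
    }
}

?>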

Tom - 05 Dec 2008

A good way to validate form input is using an array.
<?php
if (isset($_POST['submit'])) {
    $errors = array(); // in case there are no errors, it's still defined
    if (empty($_POST['somefield'])) $errors[] = 'Somefield must have text.';
    // similar validation

    foreach ($errors as $val) {
        print '<p class="error">Error: '.$val.'</p>'."\n";
    }
    if (count($errors) == 0) {
        // process form
    }
}
?>

dho - 05 Dec 2008

An alternative is to use an ajax-based approach.
