PHP Form validation and processing – part 1
PHP allows seamless integration of form variables into your programs. Its flexibility and smoothness make it easy to build applications that interact with user input such as drop-down lists, input fields or selections. With this convenience, however, you have to make sure that the user-provided data is valid before it flows into your code.
Working with forms involves two steps: first, validate your data to prevent malicious input. Second, escape the user input for further processing, such as storing it in a database or simply printing it on a web page. The first step is very important and most often neglected when creating forms. It's important to validate input even in circumstances where most users will never encounter an error. Let's look at how forms are best structured to achieve these goals.
Good forms
The easiest way to maintain forms is to keep all parts in one file. Separating input fields and processing into two files is not very handy: changes in one file usually require you to adjust the other one too, which is a common source of errors. It is also recommended to use the $_SERVER['SCRIPT_NAME'] global variable for form actions, so that renaming the file doesn't require any further changes to the source code.
The context defines which section of the form should be displayed. If the file is requested via the GET method, just print out all form elements. The POST method then requires processing the data.
<?php
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    // process form
} else {
    // print form
}
?>
When working with multipage forms, use sessions to keep track of each step. With sessions, you can also store the submitted data on the server. This reduces the request overhead, and you only have to validate the input once, as it's not re-submitted with each step.
Validate user input
Before validating user input, make sure it exists and is of the correct type. isset(), is_array() and strlen() are handy tools for strict form validation. Here are some snippets for validating common fields:
Note that the data of input fields is always submitted as a string. To validate unsigned integers, use the ctype_digit() function. is_numeric() won't work correctly, as it also evaluates hexadecimal and exponentially noted values to true. If you want to validate positive or negative numbers, you can use the typecasting functions: cast the value to a number and then back to a string. intval() and floatval() both work as filters, leaving valid numbers unmodified but reducing invalid input to its numeric essence. By comparing the result of the cast with the original you can determine whether the entered value was correct (cast the result back to a string so that the comparison works properly).
<?php
if (isset($_POST['number']) && (strlen($_POST['number']) > 3)) {
    // cast to int and back; a strict comparison (===) rejects values such as
    // "1e3" or " 42" that a loose == between two numeric strings would accept
    if ($_POST['number'] === strval(intval($_POST['number']))) {
        // validation ok
    }
}
?>
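The single-file layout and the cast-and-compare check from the text, put together as an added example (this is not code from the original post); the field name "number", the is_valid_integer()/is_valid_unsigned() helpers and the 10-character length cap are assumptions:

```php
<?php
// Added example (not from the original post): one file both prints the form
// and processes it, validates an integer field with cast-and-compare, and
// escapes user data before output. Field name and length cap are assumed.
declare(strict_types=1);

// True only for a plain decimal integer (optionally with a leading minus):
// no whitespace, exponent, hex prefix or leading zeros. Input is always a string.
function is_valid_integer(string $value, int $max_len = 10): bool
{
    if ($value === '' || strlen($value) > $max_len) {
        return false;   // length cap also keeps intval() away from PHP_INT_MAX overflow
    }
    // intval() discards anything it cannot parse; casting back and comparing
    // strictly (===) rejects "1e3", " 42", "0x1A", "+5" and "007", all of which
    // a loose == between numeric strings could accept.
    return $value === strval(intval($value));
}

// Unsigned variant: ctype_digit() requires every character to be 0-9.
function is_valid_unsigned(string $value, int $max_len = 10): bool
{
    return $value !== '' && strlen($value) <= $max_len && ctype_digit($value);
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    $raw = $_POST['number'] ?? null;
    // is_string() guards against number[]=... arriving as an array
    if (is_string($raw) && is_valid_integer($raw)) {
        $number = (int) $raw;   // safe to use as a number from here on
        echo 'You entered ' . htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
    } else {
        echo 'Please enter a whole number.';   // never echo rejected input unescaped
    }
} else {
    // SCRIPT_NAME comes from the request path, so escape it like any other input
    $action = htmlspecialchars($_SERVER['SCRIPT_NAME'] ?? '', ENT_QUOTES, 'UTF-8');
    echo '<form method="post" action="' . $action . '">'
       . '<input type="text" name="number"> <input type="submit">'
       . '</form>';
}
```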
Part 2 covers proper usage and validation of lists and selections and inline error messages.