DEV Community 👩‍💻👨‍💻

Simon Ugorji

How To Validate Your Forms Server-Side With PHP

Form validation is very important while building a project that requires users to submit data through forms.

By validating your form, you implement a security measure that prevents unwanted/malformed data from being stored in your database.

Recently, I built a Library that helps to validate your server-side forms with PHP, and I will show you how you can use it on your project.

DEMO FILE

I will work with a demo PHP file that submits the form post data to itself.

Here's my demo file

<!DOCTYPE html>
<html>

<body>
    <form id="form_demo" method="post" novalidate>
        <label>Username</label><br>
        <input name="username" type="text" id="inp_uname"> <br>
        <label>Email</label><br>
        <input name="email" type="email" id="inp_email"> <br>
        <label>Age</label><br>
        <input name="age" type="number" id="inp_age"> <br>
        <label>Password</label><br>
        <input name="password" type="password" id="inp_pass"> <br><br>
        <button type="submit">Run Test</button>
    </form>
</body>

</html>

This is what the form looks like

image.png

IMPORTING THE LIBRARY

We have to download and import the validation library to our project in order to begin validation on the form.

Visit the GitHub repository and download the library

Octagon-simon / octaValidate-PHP

This PHP Library helps to validate your forms using regular expressions & validation rules.

octaValidate-PHP V1.2

This is a feature-rich Library that helps to validate your forms server-side using sophisticated regular expressions, PHP's inbuilt validation, and validation rules.

We have included a demo folder containing some forms with validation rules applied to each of them. Open any of the files in your local server and submit the form.

This Library also helps to validate your frontend forms using JavaScript. Visit the repository

DOCUMENTATION

Visit the DOCUMENTATION to learn more about this GREAT Library, and play with the forms there!

INSTALL

COMPOSER

$ composer require simon-ugorji/octavalidate-php

LOCAL

  • Download and import the latest release to your project.
  • In your project, use the require keyword & include the file Validate.php
  • Now with the use keyword, link the class to your project and create a new instance of the class by passing in the form id as the first argument and any configuration as the second argument.

After downloading the library, this is how I will import the library to the project

//include the validation file
require 'octaValidate-php/src/Validate.php';
use Validate\octaValidate;
//create new instance of the class
$DemoForm = new octaValidate('form_demo');

Now we are ready to begin validation on the form.

DEFINING VALIDATION RULES

In order to begin validation, we need to:

  • Define validation rules for the form.
  • Invoke the validate method and pass in the rules as an argument

On this page, you will see a list of inbuilt validation rules that can be used on your forms.

Defining validation rules using their rule titles follows the syntax below:

//syntax for defining validation rules
$valRules = array(
  "FORM_INPUT_NAME" => array(
    ["RULE_TITLE", "CUSTOM_ERROR_MESSAGE"]
  )
);

So for the form inputs above, I wish to define these validation rules

  • Username - R (required)
  • Email - R (required), EMAIL (Checks if the value is a valid email address)
  • Age - R (required), DIGITS (Checks if the value is a valid digit)
  • Password - R (required)

This is how I will define the rules

//define validation rules
$valRules = array(
    "username" => array(
        ["R", "Your username is required"]
    ),
    "email" => array(
        ["R", "Your Email is required"],
        ["EMAIL", "Your Email is invalid"]
    ),
    "age" => array(
        ["R", "Your Age is required"],
        ["DIGITS", "Your Age must be in digits"]
    ),
    "password" => array(
        ["R", "Your Password is required"]
    )
);

INVOKING THE VALIDATE METHOD

Now that we have defined the rules, we need to invoke the validate method and pass in the rules as an argument to this method.

The validate method returns a boolean:

  • true means there are no validation errors

If there are no validation errors, we are free to process the form data and probably store the data in a database

  • false means there are validation errors

If there are validation errors, we need to return the errors back to the user by invoking the getErrors() method.

While returning the errors back to the user, you need to have a JavaScript function that will append the errors into the form since it is a server-side library. Luckily for us, the library comes with a helper script that is available in /frontend/helper.js.

The helper script contains 2 functions:

  • showErrors(errorObject)

Pass in the error object to this function for the function to append the errors into the form.

  • removeErrors(formId)

Pass in a form ID to this function for the function to remove any errors present within the form.

You don't need to call the removeErrors() function if your form is submitted to the page itself or to another PHP script, because the page will reload on every submit. However, it is necessary that you call the function if you're using Ajax to process form submission.

Locate this script and include its functions in your project.

So this is how I will handle the result of the validate method

//begin validation
if ($DemoForm->validate($valRules) === true){
    //process form data here
}else{
    //retrieve & display errors
    print('<script>
        window.addEventListener(\'load\', function(){
            showErrors(' . $DemoForm->getErrors() . ');
        })
    </script>');
}

Here's the full code of the demo page

<?php
//require library
require 'octaValidate-php/src/Validate.php';
use Validate\octaValidate;
//create new instance of the class
$DemoForm = new octaValidate('form_demo');

//define validation rules
$valRules = array(
    "username" => array(
        ["R", "Your username is required"]
    ),
    "email" => array(
        ["R", "Your Email is required"],
        ["EMAIL", "Your Email is invalid"]
    ),
    "age" => array(
        ["R", "Your Age is required"],
        ["DIGITS", "Your Age must be in digits"]
    ),
    "password" => array(
        ["R", "Your Password is required"]
    )
);

if ($_POST) {
    //begin validation    
    if ($DemoForm->validate($valRules) === true) {
        //process form data here
        print('<script> alert("NO VALIDATION ERROR") </script>');
    } else {
        //retrieve & display errors
        print('<script>
            window.addEventListener(\'load\', function(){
                showErrors(' . $DemoForm->getErrors() . ');
            })
        </script>');    
    }
}
?>
<!DOCTYPE html>
<html>

<body>
    <!-- Submitted values are HTML-escaped before being echoed back into the form; the password is not echoed back -->
    <form id="form_demo" method="post" novalidate>
        <label>Username</label><br>
        <input name="username" type="text" id="inp_uname" value="<?= htmlspecialchars($_POST['username'] ?? '', ENT_QUOTES, 'UTF-8') ?>"> <br>
        <label>Email</label><br>
        <input name="email" type="email" id="inp_email" value="<?= htmlspecialchars($_POST['email'] ?? '', ENT_QUOTES, 'UTF-8') ?>"> <br>
        <label>Age</label><br>
        <input name="age" type="number" id="inp_age" value="<?= htmlspecialchars($_POST['age'] ?? '', ENT_QUOTES, 'UTF-8') ?>"> <br>
        <label>Password</label><br>
        <input name="password" type="password" id="inp_pass"> <br><br>
        <button type="submit">Run Test</button>
    </form>
    <script src="octaValidate-php/frontend/helper.js"></script>
</body>

</html>

Let us submit the form and check if all is working as expected, shall we? 🙂

I hit the submit button and this is what I see

image.png

That is for the required rule which checks if values are submitted. Now let us enter random values for the inputs and hit the submit button again.

This is what I see

image.png

That is for the email rule which checks if a valid email was submitted.

Now, we have covered the basics. Let us define custom rules that will handle validations for username and password.

DEFINING CUSTOM RULES

Aside from the inbuilt validation rules, you have the power to define custom rules and the rules will be processed as if they were inbuilt rules.

To define a custom rule, you need:

  • The Rule Title
  • The Regular Expression
  • The Error message

If you have these 3 things, then you are set to define custom rules for your form.

These are the 2 methods that can be used to define custom rules:

  • customRule()
  • moreCustomRules()

I will use the second method because it allows us to define multiple rules.

For the sake of this article, I will define simple rules that will allow the user to enter "simon" for the username field & "12345" for the password field.

//custom rules
$customRules = array(
    "UNAME" => ['/simon/', "You must enter simon"],
    "PASS" => ['/12345/', "You must enter 12345"]
);
//build the rules
$DemoForm->moreCustomRules($customRules);

Now let us place the code just before we define validation rules for the form, then provide only the rule title to the form input's validation rules.

//custom rules
$customRules = array(
    "UNAME" => ['/simon/', "You must enter simon"],
    "PASS" => ['/12345/', "You must enter 12345"]
);
//build the rules
$DemoForm->moreCustomRules($customRules);

//redefine validation rules
$valRules = array(
    "username" => array(
        ["R", "Your username is required"],
        ["UNAME"]
    ),
    "email" => array(
        ["R", "Your Email is required"],
        ["EMAIL", "Your Email is invalid"]
    ),
    "age" => array(
        ["R", "Your Age is required"],
        ["DIGITS", "Your Age must be in digits"]
    ),
    "password" => array(
        ["R", "Your Password is required"],
        ["PASS"]
    )
);


Now let us submit the form again with random values.

image.png

From the image above, you can see that the error message that we defined alongside the rule worked as expected.
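
Added example (not from the article or the library): the patterns /simon/ and /12345/ carry no anchors, and a pattern like that tested with preg_match() accepts any value that merely contains the text. The code below uses plain preg_match(), on the assumption that a custom rule is applied as a regular-expression match; the helper matchesRule and the sample inputs are made up for illustration.

```php
<?php
// Added example: compares the article's unanchored custom-rule pattern with
// anchored equivalents using plain preg_match(). Sample inputs are constructed.

/**
 * Returns true only when $pattern matches $value.
 * preg_match() returns 1 on a match, 0 on no match and false on error,
 * so the result is compared strictly against 1.
 */
function matchesRule(string $pattern, string $value): bool
{
    return preg_match($pattern, $value) === 1;
}

$patterns = [
    'unanchored'        => '/simon/',      // as written in the article
    'anchored ^...$'    => '/^simon$/',    // "$" also matches before a final "\n"
    'anchored \A...\z'  => '/\Asimon\z/',  // matches the whole string only
];

// Constructed inputs: the intended value, the value buried in other text,
// and the value followed by a trailing newline.
$inputs = ['simon', 'xsimonx', 'simon-and-more', "simon\n"];

foreach ($patterns as $label => $pattern) {
    echo $label, ' (', $pattern, ")\n";
    foreach ($inputs as $input) {
        printf(
            "  %-20s %s\n",
            json_encode($input),
            matchesRule($pattern, $input) ? 'accepted' : 'rejected'
        );
    }
}
```

When a rule is meant to accept one exact value or one exact shape, anchor it with \A and \z (or use the D modifier with $) so that surrounding text and a trailing newline are rejected.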

ATTRIBUTE VALIDATION

For my last validation, I will show you how you can perform attributes validation.

Attributes validation can be used to validate: length, minlength, maxlength, size, minsize, maxsize, equalto, files, minfiles, maxfiles.

I will use the length validation on the Age form input because we want the user to provide just 2 digits.

All attributes validation follows the syntax below

//syntax
$valRules = array(
  "FORM_INPUT_NAME" => array(
    ["ATTRIBUTE_TITLE", "VALUE", "CUSTOM_ERROR_MESSAGE"]
  )
);

So to add the length validation to the form's age validation rules, I will do something like this:

$valRules = array(
    "age" => array(
        ["LENGTH", "2", "Your age must be 2 digits"]
    )
);

Here are the full validation rules for the demo page

//define validation rules
$valRules = array(
    "username" => array(
        ["R", "Your username is required"],
        ["UNAME"]
    ),
    "email" => array(
        ["R", "Your Email is required"],
        ["EMAIL", "Your Email is invalid"]
    ),
    "age" => array(
        ["R", "Your Age is required"],
        ["DIGITS", "Your Age must be in digits"],
        ["LENGTH", "2", "Your age must be 2 digits"]
    ),
    "password" => array(
        ["R", "Your Password is required"],
        ["PASS"]
    )
);

So let us enter random values and hit the submit button

image.png

You can see an error message telling us that our age must be 2 digits. Let us provide correct values for all form inputs and submit the form again.

image.png

No validation error! So the library works perfectly 😎

DOCUMENTATION

There are more validations on the documentation page. Please visit the documentation below to learn more about this Library

octavalidate-PHP | Getting Started

octavalidate-PHP: This PHP Library helps to validate your forms server-side using validation rules, PHP's inbuilt validation, and sophisticated regular expressions.

octagon-simon.github.io

EXTRA

Do you want to use this library for front-end form validation? Visit the documentation below to learn how you can easily set up front-end validations on your form using octaValidate-JS.

octavalidate | Getting Started

octaValidate: This JavaScript Library helps to validate your HTML forms using validation rules, sophisticated regular expressions and form input attributes

octagon-simon.github.io

Do you want to use this library for both front-end & back-end form validation? Visit the documentation page below to see how smooth front-end & back-end validation is.

octavalidate-PHP | FRONTEND & BACKEND VALIDATION

octavalidate-PHP: Check out how we used both frontend & backend validation on this form

octagon-simon.github.io

Image credit: Ben Griffiths on Unsplash

That would be all for now,

Thank you.

Top comments (6)

Frank Wisniewski

It is important to first secure forms on the client side using input types and to check them using form.validate.
I also check the field values on the server side, but I don't issue any error messages, instead I stop processing immediately.
One can assume that faulty data is passed through manipulation. Then why should you care.

Simon Ugorji Author

Nice implementation, Frank.

But I still feel that the end user needs to know what's wrong with the value he submitted.

Frank Wisniewski

Yes, only for user/pass validation with a simple ajax request.

I don't believe in constantly sending complete forms back and forth, that was OK in the noscript days, not anymore.
PHP should return data, nothing else. Processing should be client-side.

Simon Ugorji Author

Great Frank!

This library also has a client side implementation which is slightly impossible to break through because it handles frontend forms validation pretty well.

Octagon-simon / octaValidate

This Library helps to validate your HTML forms using validation rules, sophisticated regular expressions and form input attributes.

octaValidate V1.2.0

This library helps to validate your HTML forms using validation rules, sophisticated regular expressions and form input attributes.

We have included a demo.html file which you can open to see how this library really works.

We have developed this Library to work server-side on PHP language and as such, you can validate your forms server-side using this Library for PHP. Visit the repository

DOCUMENTATION

Visit the DOCUMENTATION to learn more about this GREAT Library!

INSTALL

CDN

Place this script before the </head> tag.

<script src="https://unpkg.com/octavalidate@1.2.0/native/validate.js"></script>

NPM

Visit this Link to the Documentation to learn how to install this Library with NPM.

LOCAL

  • Download and import the latest release to your project.
  • In your project, create a script tag and link the file validate.js.
  • Place the script before the </head> tag.
<script src="octaValidate/src/validate.js"></script>

Thank you once again for engaging 🌟

Vincent Milum Jr

PHP has a lot of this functionality already built in, and battle tested. For instance, you should -never- use regular expressions to validate an email address, they'll virtually always fail.

For example, this is the ACTUAL regular expression to validate MOST of the email address spec, and yet, this STILL doesn't cover all of it: ex-parrot.com/~pdw/Mail-RFC822-Add...

Instead, PHP has built in functions to handle this, and to handle validating lots of other common data types too: php.net/manual/en/filter.examples....
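
The built-in filters mentioned in the comment above, applied to the article's email and age fields. This is an added example, not code from the commenter or from octaValidate; the function name validateDemoForm, the 10 to 99 range standing in for "2 digits" and the sample submissions are assumptions made here.

```php
<?php
// Added example: validates the demo form's email and age fields with PHP's
// built-in filter extension instead of hand-written regular expressions.

/**
 * @param array $post Submitted fields, e.g. $_POST.
 * @return array [clean values, error messages keyed by field name]
 */
function validateDemoForm(array $post): array
{
    $clean = [];
    $errors = [];

    // FILTER_VALIDATE_EMAIL returns the address on success, false otherwise.
    // A missing field or an array value (email[]=...) also yields false.
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors['email'] = 'Your Email is invalid';
    } else {
        $clean['email'] = $email;
    }

    // FILTER_VALIDATE_INT returns an int on success, so compare against
    // false explicitly rather than relying on truthiness.
    // Assumption: "2 digits" is expressed here as the range 10 to 99.
    $age = filter_var($post['age'] ?? '', FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 10, 'max_range' => 99],
    ]);
    if ($age === false) {
        $errors['age'] = 'Your age must be 2 digits';
    } else {
        $clean['age'] = $age; // already cast to int
    }

    return [$clean, $errors];
}

// Constructed sample submissions.
$samples = [
    ['email' => 'simon@example.com', 'age' => '25'],
    ['email' => 'not-an-email',      'age' => '25'],
    ['email' => 'simon@example.com', 'age' => '2five'],
    ['email' => 'simon@example.com', 'age' => '250'],
    ['age' => ['25']], // missing email, array submitted instead of a string
];

foreach ($samples as $post) {
    [$clean, $errors] = validateDemoForm($post);
    echo json_encode(['input' => $post, 'clean' => $clean, 'errors' => $errors]), "\n";
}
```

Downstream code should read from the returned clean values rather than from $_POST, so that only data that passed the filter is stored.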

Simon Ugorji Author

I'm fully with you on this.

I didn't know about the email regular expression virtually failing.

I guess I learnt something new today, thank you.

I will equally update the library to use more of PHP's inbuilt validation on the form inputs.

Besides that, the validation library that I shared, helps to validate file types, file MIME types, file sizes, input lengths and provides custom regular expressions support that the user can use to validate credit card numbers, house addresses, name it...

I will heed your advice and update the library not to use regular expressions for email validation and to use more of PHP's inbuilt validation.

Thank you for engaging 🌟
