PHP Form Validation


This and the following chapters show how to use PHP to verify form data.


Think SECURITY when processing PHP forms!

These pages show how to process PHP forms with security in mind. Proper validation of form data is important to protect your form from hackers and spammers!


The HTML form we will be working on in these chapters contains a variety of input fields: required and optional text fields, radio buttons, and a submit button:

The validation rules for the form above are as follows:

Field      Validation Rules
Name       Required. Must only contain letters and whitespace
E-mail     Required. Must contain a valid e-mail address (with @ and .)
Website    Optional. If present, it must contain a valid URL
Comment    Optional. Multi-line input field (textarea)
Gender     Required. Must select one

First we will look at the plain HTML code of the form:


Text Fields

The name, e-mail, and website fields are text input elements, and the comment field is a textarea. The HTML code looks like this:


Name: <input type="text" name="name">
E-mail: <input type="text" name="email">
Website: <input type="text" name="website">
Comment: <textarea name="comment" rows="5" cols="40"></textarea>


Radio Buttons

The gender fields are radio buttons and the HTML code looks like this:


Gender:
<input type="radio" name="gender" value="female">Female
<input type="radio" name="gender" value="male">Male
<input type="radio" name="gender" value="other">Other


The Form Element

The HTML code of the form looks like this:


<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">

When the form is submitted, the form data is sent with method="post".


What is the $_SERVER["PHP_SELF"] variable?

$_SERVER["PHP_SELF"] is a super global variable that returns the filename of the currently executing script.


So, $_SERVER["PHP_SELF"] sends the submitted form data to the page itself, instead of jumping to a different page. This way, the user will get any error messages on the same page as the form.


What is the htmlspecialchars() function?

The htmlspecialchars() function converts special characters into HTML entities. This means it will replace HTML characters like < and > with &lt; and &gt;. This prevents attackers from exploiting the code by injecting HTML or JavaScript code (Cross-site Scripting attacks) in forms.



Big Note on PHP Form Security

The $_SERVER["PHP_SELF"] variable can be used by hackers!

If PHP_SELF is used in your page, a user can enter a slash (/) followed by some Cross Site Scripting (XSS) commands, and they will be executed.


Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users.


Suppose we have the following form on the page named "test_form.php":


<form method="post" action="<?php echo $_SERVER["PHP_SELF"];?>">

Now, if a user enters the normal URL in the address bar, like "http://www.example.com/test_form.php", the above code will be translated to:


<form method="post" action="test_form.php">

So far, so good.

However, suppose the user enters the following URL in the address bar:


http://www.example.com/test_form.php/%22%3E%3Cscript%3Ealert('hacked')%3C/script%3E

In this case, the code above will be translated into:


<form method="post" action="test_form.php/"><script>alert('hacked')</script>

This code adds a script tag and an alert command. When the page loads, the JavaScript code will be executed (the user will see an alert box). This is just a simple and harmless example of how the PHP_SELF variable can be exploited.

Be aware that any JavaScript code can be added inside the <script> tag! A hacker can redirect the user to a file on another server, and that file can hold malicious code that can alter the global variables or submit the form to another address to save the user data, for example.


How To Avoid $_SERVER["PHP_SELF"] Exploits

$_SERVER["PHP_SELF"] exploits can be avoided by using the htmlspecialchars() function.

The form code should look like this:


<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">

The htmlspecialchars() function converts special characters into HTML entities. Now, if the user tries to exploit the PHP_SELF variable, it will result in the following output:


<form method="post" action="test_form.php/&quot;&gt;&lt;script&gt;alert('hacked')&lt;/script&gt;">

The exploit attempt fails, and no damage is done!
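The following script is an added example, not part of the original tutorial. It puts the unsafe and the escaped form-action lines from above side by side and feeds both a PHP_SELF value constructed to match the decoded attack URL in the text. The helper names form_action_unsafe() and form_action_safe() are illustrative; the flags passed to htmlspecialchars() are real PHP constants: ENT_QUOTES also encodes single quotes, which matters if the attribute is ever single-quoted, and ENT_SUBSTITUTE keeps htmlspecialchars() from returning an empty string (and so an empty action) on invalid UTF-8.

```php
<?php
// Added example: why htmlspecialchars() neutralises the PHP_SELF injection.
// This path is constructed to equal the decoded attack URL from the text.
$phpSelf = "/test_form.php/\"><script>alert('hacked')</script>";

// Unsafe: the raw value is interpolated straight into the attribute, so the
// embedded quote closes the attribute and the <script> tag becomes live HTML.
function form_action_unsafe(string $phpSelf): string
{
    return '<form method="post" action="' . $phpSelf . '">';
}

// Safe: encode the value for an HTML attribute context. Quotes and angle
// brackets become entities, so the browser treats the whole string as text.
function form_action_safe(string $phpSelf): string
{
    $escaped = htmlspecialchars($phpSelf, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post" action="' . $escaped . '">';
}

echo form_action_unsafe($phpSelf), PHP_EOL;
echo form_action_safe($phpSelf), PHP_EOL;
```

Run it with php on the command line and compare the two lines: the first reproduces the broken tag shown in the text, the second keeps everything inside the action attribute as entities, as in the escaped output above. If the form always posts to itself, the simplest fix of all is to hardcode the script name in the action attribute and not echo $_SERVER["PHP_SELF"] at all.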


Validate Form Data With PHP

The first thing we will do is pass all variables through PHP's htmlspecialchars() function.

When we use the htmlspecialchars() function, then if a user tries to submit the following in a text field:

<script>location.href('http://www.hacked.com')</script>

- this would not be executed, because it will be saved as HTML escaped code, like this:

&lt;script&gt;location.href('http://www.hacked.com')&lt;/script&gt;

The code is now safe to display on the page or within the email.

We will do two more things when the user submits the form:

  • Strip unnecessary characters (extra space, tab, newline) from the user input data (with the PHP trim() function)
  • Remove backslashes (\) from the user input data (with the PHP stripslashes() function)

The next step is to create a function that will do all the testing for us (much easier than typing the same code over and over again).

We will name the function test_input().

Now, we can check each $_POST variable with the test_input() function, and the script looks like this:


Example
<?php
// define variables and set to empty values
$name = $email = $gender = $comment = $website = "";

if ($_SERVER["REQUEST_METHOD"] == "POST") {
  // "?? """ falls back to an empty string when a field is missing from $_POST
  // (for example an unchecked radio button), instead of raising an undefined-key warning
  $name = test_input($_POST["name"] ?? "");
  $email = test_input($_POST["email"] ?? "");
  $website = test_input($_POST["website"] ?? "");
  $comment = test_input($_POST["comment"] ?? "");
  $gender = test_input($_POST["gender"] ?? "");
}

function test_input($data) {
  $data = trim($data);
  $data = stripslashes($data);
  $data = htmlspecialchars($data);
  return $data;
}
?>


Notice that at the start of the script, we check whether the form has been submitted using $_SERVER["REQUEST_METHOD"]. If the REQUEST_METHOD is POST, then the form has been submitted - and it should be validated. If it has not been submitted, skip the validation and display a blank form.

However, in the example above, all input fields are optional. The script works fine even if the user does not enter any data.

The next step is to create the required input fields and create error messages if needed.
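As an added example that is not part of the original tutorial, the script below goes one step beyond this chapter and applies the validation rules from the table at the top of the page: the required fields, the letters-and-whitespace rule for the name, the e-mail and URL checks, and a check that the gender value is one the radio buttons actually offer. The function validate_form() and the sample submissions are constructed for illustration; test_input() is the tutorial's own function, with the htmlspecialchars() flags spelled out.

```php
<?php
// Added example: validation rules from the table, applied to a $_POST-style array.

function test_input(string $data): string
{
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return $data;
}

// Returns [values, errors]. errors is keyed by field name and is empty when
// every rule passes, so the caller can decide whether to process or re-display.
function validate_form(array $post): array
{
    $values = [];
    $errors = [];

    foreach (['name', 'email', 'website', 'comment', 'gender'] as $field) {
        // "?? ''" handles fields absent from the submission, such as an
        // unchecked radio button, without an undefined-key warning.
        $values[$field] = test_input($post[$field] ?? '');
    }

    // Name: required, letters and whitespace only.
    if ($values['name'] === '') {
        $errors['name'] = 'Name is required';
    } elseif (!preg_match('/^[a-zA-Z\s]*$/', $values['name'])) {
        $errors['name'] = 'Only letters and white space allowed';
    }

    // E-mail: required and syntactically valid.
    if ($values['email'] === '') {
        $errors['email'] = 'E-mail is required';
    } elseif (filter_var($values['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Invalid e-mail format';
    }

    // Website: optional, but must be a valid URL when present.
    if ($values['website'] !== ''
        && filter_var($values['website'], FILTER_VALIDATE_URL) === false) {
        $errors['website'] = 'Invalid URL';
    }

    // Gender: required, and only the values offered by the radio buttons are
    // accepted, so a tampered request cannot submit an arbitrary string.
    if (!in_array($values['gender'], ['female', 'male', 'other'], true)) {
        $errors['gender'] = 'Gender is required';
    }

    return [$values, $errors];
}

// Constructed sample submissions standing in for $_POST.
$good = [
    'name' => 'Jane Doe', 'email' => 'jane@example.com',
    'website' => 'https://example.com', 'comment' => 'Hello', 'gender' => 'female',
];
$bad = [
    'name' => 'J4ne', 'email' => 'not-an-email', 'website' => 'not a url',
    'comment' => "<script>alert('x')</script>", // gender deliberately missing
];

foreach ([$good, $bad] as $submission) {
    [$values, $errors] = validate_form($submission);
    echo $errors ? 'Invalid: ' . implode('; ', $errors) : 'Valid: ' . $values['name'];
    echo PHP_EOL;
}
```

Two caveats worth keeping in mind. htmlspecialchars() turns & into &amp;, so a website URL with query parameters would fail the URL check after escaping; a more robust layout validates the trimmed raw value and applies htmlspecialchars() at the point where the value is echoed into the page. And stripslashes() existed to undo the old magic_quotes_gpc setting, which PHP removed in version 5.4; on current PHP it simply deletes any backslash the user typed, so it is kept here only to match the tutorial.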