To make our code flexible and understandable we divided the code into multiple functions:
- printForm() function displays the HTML form to the user.
- checkForm() function validates each form element using the following helper functions:
- saveFormData() function can save form data on your server.
First, we use the $_SERVER['REQUEST_METHOD']
to determine the form status. If the form is not posted we show the form with printForm()
to the user. If the form is posted, we validate the form with checkForm()
, if validation failed we show the form and errors with printForm($errors)
.
<?php // form.php if ($_SERVER['REQUEST_METHOD'] == 'POST') { $errors = checkForm($_POST); if ( empty ( $errors ) ) saveFormData($_POST); else printForm($errors); } else printForm(); function printForm ( $errors = [] ) { // Display the HTML form } function checkForm ( $form ) { // Validate form elements } function saveFormData ( $form ) { // Logic to save form data }
The saveFormData()
function is called on successful validation of the form. You can use this function to save the data in the database, file, etc.
Print form – printForm()
This form contains four text fields (see Prefilling text fields), you must enter the valid data for successful submission of the form. If the validation failed, the form shows the errors on each field where the validation failed.
<?php function printForm($errors = []) { ?> <style>form span{color:red}</style> <form method="post" action="form.php"> Username: <span>* <?= $errors['username'] ?? '' ?></span><br> <input type="text" name="username" value="<?= htmlspecialchars( $_POST['username'] ?? '') ?>"> <br><br> Password: <span>* <?= $errors['password'] ?? '' ?></span><br> <input type="password" name="password" value="<?= htmlspecialchars( $_POST['password'] ?? '') ?>"> <br><br> Email: <span>* <?= $errors['email'] ?? '' ?></span><br> <input type="text" name="email" value="<?= htmlspecialchars( $_POST['email'] ?? '') ?>"> <br><br> URL: <span><?= $errors['url'] ?? '' ?></span><br> <input type="text" name="url" value="<?= htmlspecialchars( $_POST['url'] ?? '') ?>"> <br><br> <input type="submit" name="submit" value="submit"> </form> <?php }
Note:
<?='Hello'?>
is the short form of<?php echo 'Hello'; ?>
See PHP shortcut to print or echo- The
??
(null coalescing operator) is available since PHP 7.0, alternatively, you can useisset()
function, see the following example:
<?php // Only works with PHP 7.0 or above $url = $_POST['url'] ?? ''; // For all version of PHP $url = isset($_POST['url']) ? $_POST['url'] : ''; // OR if (isset ($_POST['url']) ) { $url = $_POST['url']; } else { $url = ''; }
Validate form – checkForm()
The checkForm($_POST)
initiated form validation. The $_POST
(super global array) is an associative array of variables that contains the form data.
The checkForm()
function validates the form elements and if the validation failed it returns an associative array of error messages otherwise returns an empty array. Array keys represent the name of the form fields and values are the error message to display on the form.
<?php // ... ... ... $errors = checkForm($_POST); function checkForm($form){ $m = []; // $m = array(); #$username = isset($form['username']) ? trim($form['username']) : ''; $username = trim ( $form['username'] ?? '' ); $password = trim ( $form['password'] ?? '' ); $email = trim ( $form['email'] ?? '' ); $url = trim ( $form['url'] ?? '' ); if ( ! isValidUsername($username)) $m['username'] = 'Use alphanumeric, underscore and hyphen characters. Length must be between 4 and 10 characters'; if ( ! isValidPassword($password) ) $m['password'] = 'Must be between 6 and 32 characters. Must have at least one uppercase, one lowercase, one numeric and one symbol character.'; if ( ! isValidEmail($email) ) $m['email'] = 'Invalid email format.'; // URL is optional if ( $url != '' && (! isValidUrl($url)) ) $m['url'] = 'URL must start with http:// or https:// protocol'; return $m; }
All fields are mandatory except the URL field which is optional. An optional field will not check if it is empty. The expression $url != ""
tells PHP to validate the URL if it is not empty.
Username validation
Requirements:
- Minimum length: 4-character.
- Maximum length: 10-character.
- Allowed characters: alphanumeric (A-Z, a-z, 0-9), hyphen and underscore.
- Underscore and hyphen:
- can not be used together i.e.
-_
or_-
.
- can not be used twice at once i.e.
--
or__
. - can not be used at the beginning or end of the string (username), i.e.
-user
,_user
,user-
, oruser_
.
- can not be used together i.e.
We created a function isValidUsername()
that accepts the username as a string and checks its length and tests it with regular expression. The function returns false
if the username does not meet our requirements otherwise return true
.
<?php function isValidUsername($username) { $len = strlen($username); if ( $len < 4 || $len > 10 || preg_match('/[^a-z0-9_-]|--|__|-_|_-|^[-_]|[-_]$/i',$username) ) return false; return true; }
Explaining regex pattern:
We used preg_match function to match username with our patterns, we used seven patterns separated by |
pipe sign: (See, Regular Expressions)
[^a-z0-9_-]
matches any character other than the alphanumeric, underscore and hyphen characters--
matches double hyphen.__
matches double underscore.-_
matches hyphen followed by an underscore._-
matches underscore followed by a hyphen.^[-_]
matches if the string starts with a hyphen or underscore.[-_]$
matches if the string ends with a hyphen or underscore.
Password validation
Requirements:
- Minimum length: 6-character.
- Maximum length: 32-character.
- Password must have at least:
- one uppercase character
- once lowercase character
- one numeric character
- one symbol character, i.e. !, #, @, etc.
To validate the password, we created isValidPassword()
function that accepts the password as a string and checks its length and tests it with regular expression. The function returns false if the password does not meet our requirements otherwise return true
.
<?php function isValidPassword($password) { $len = strlen($password); $qt = preg_quote('`~!@#$%^&*()_-=+\|[]{}/?.<>,\'";:','/'); if ( $len < 6 || $len > 32 || !preg_match('/(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9])(?=.*['.$qt.'])/', $password)) return false; return true; }
Explaining password validation function:
- The
strlen
function counts the number of characters in the string. - The
preg_quote
function quotes regex special characters: . \ + * ? [ ^ ] $ ( ) { } = ! < > | : – #. - The
preg_match
function matches the password with the given pattern using lookahead expressions:(?=.*[A-Z])
matches an uppercase character(?=.*[a-z])
matches a lowercase character(?=.*[0-9])
matches a numeric character(?=.*['.$qt.'])
matches a special character (quoted with preg_quote)
Email validation
The PHP’s filter_var
function has a FILTER_VALIDATE_EMAIL
property that returns false
if the email entered is not in the proper format. In the following code, we created a function isValidEmail()
that used this property to validate the given email:
<?php function isValidEmail($email) { if (filter_var($email, FILTER_VALIDATE_EMAIL) === FALSE) return false; return true; }
For details visit: Validating email with filter_var() and checkdnsrr().
Url validation
The PHP’s filter_var
function has a FILTER_VALIDATE_URL
property that returns false
if the URL entered is not in the proper format. In the following code, we created a function isValidUrl()
that used this property to validate the given URL:
<?php function isValidUrl($url) { if (filter_var($url, FILTER_VALIDATE_URL) === FALSE || !str_starts_with($url, 'http') ) return false; return true; }
Saving form data – saveFormData()
After completing the validation it’s time to further process the data for saving it into the database or a file or send it to an email address, all these tasks will be discussed later in subsequent tutorials. For now, we just display a message to the user to indicate that form validation has been passed.
<?php function saveFormData() { echo '<h1>Form Submitted</h1>'; }
Complete Form Validation Script:
<?php if ($_SERVER['REQUEST_METHOD'] == 'POST') { $errors = checkForm($_POST); if ( empty ( $errors ) ) saveFormData($_POST); else printForm($errors); } else { printForm(); } function printForm($errors = []) { ?> <style>form span{color:red}</style> <form method="post" action="form.php"> Username: <span>* <?= $errors['username'] ?? '' ?></span><br> <input type="text" name="username" value="<?= htmlspecialchars( $_POST['username'] ?? '') ?>"> <br><br> Password: <span>* <?= $errors['password'] ?? '' ?></span><br> <input type="password" name="password" value="<?= htmlspecialchars( $_POST['password'] ?? '') ?>"> <br><br> Email: <span>* <?= $errors['email'] ?? '' ?></span><br> <input type="text" name="email" value="<?= htmlspecialchars( $_POST['email'] ?? '') ?>"> <br><br> URL: <span><?= $errors['url'] ?? '' ?></span><br> <input type="text" name="url" value="<?= htmlspecialchars( $_POST['url'] ?? '') ?>"> <br><br> <input type="submit" name="submit" value="submit"> </form> <?php } function checkForm($form){ $m = []; $username = trim ( $form['username'] ?? '' ); $password = trim ( $form['password'] ?? '' ); $email = trim ( $form['email'] ?? '' ); $url = trim ( $form['url'] ?? '' ); if ( ! isValidUsername($username)) $m['username'] = 'Use alphanumeric, underscore and hyphen characters. Length must be between 4 and 10 characters'; if ( ! isValidPassword($password) ) $m['password'] = 'Must be between 6 and 32 characters. Must have at least one uppercase, one lowercase, one numeric and one symbol character.'; if ( ! isValidEmail($email) ) $m['email'] = 'Invalid email format.'; // URL is optional if ( $url != '' && (! isValidUrl($url)) ) $m['url'] = 'URL must start with http:// or https:// protocol'; return $m; // $m['select'] = 'Invalid data'; } function isValidUsername($username) { $len = strlen($username); if ( $len < 4 || $len > 10 || preg_match('/[^a-z0-9_-]|--|__|-_|_-|^[-_]|[-_]$/i',$username) ) return false; return true; } function isValidPassword($password) { $len = strlen($password); $qt = preg_quote('`~!@#$%^&*()_-=+\|[]{}/?.<>,\'";:','/'); if ( $len < 6 || $len > 32 || !preg_match('/(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9])(?=.*['.$qt.'])/', $password)) return false; return true; } function isValidEmail($email) { if (filter_var($email, FILTER_VALIDATE_EMAIL) === FALSE) return false; return true; } function isValidUrl($url) { if (filter_var($url, FILTER_VALIDATE_URL) === FALSE || !str_starts_with($url, 'http') ) return false; return true; } function saveFormData() { echo '<h1>Form Submitted</h1>'; }
Demo: Form Validation
Processing Forms in PHP: