Server-Side Validation

In this section, we introduce validation on the server. The techniques described here are typical of those that validate a <form> after the user has submitted data to the server. We show how to extend and integrate this approach further in Chapter 8 so that the batch errors are reported as part of the customer <form>, and we show the completed customer entry <form> and validation in Chapter 10.

Case Study: Customer Validation in the Winestore

In this section, we show how to validate selected winestore customer <form> data, including examples of the validation checks required for mandatory fields, field lengths, and data types. Many of the functions used, including the regular expression and string functions, are discussed in detail in Chapter 2.

Our system requirements in Chapter 1 note the following validation requirements:

  • A user must provide a surname, first name, one address line, a city, a state, a zip code, a country, a birth date, an email address, and a password.

  • The user may also optionally provide a middle initial, a title, two additional address lines, a state, a telephone number, and a fax number.

Testing whether mandatory fields have been entered is straightforward, and we have implemented this in our examples in Chapter 6. For example, to test if the user's surname has been entered, use the following approach:

// Validate the Surname
if (empty($formVars["surname"]))
    // the user's surname cannot be a null string
    $errorString .=
        "\n<br>The surname field cannot be blank.";

For optional fields, omit this check.

While it isn't specified in the brief system requirements, it's reasonable to assume that the fields provided by the user should be validated using additional checks. For example, telephone and fax numbers should be numeric and conform to a well-known template. Email addresses should meet the requirements of RFC 2822 (available from http://www.ietf.org), or at least a reasonable approximation of them; moreover, the domain part of the email address, such as webdatabasebook.com, should be an actual, existing domain. We describe additional validation steps in this section; the complete code for the customer <form> validation is listed in Chapter 10.
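The following is an added example, not the book's own validation code, that puts the checks described above into one server-side validator: mandatory fields, field lengths, a numeric template for telephone and fax numbers, a real calendar date, and an email address check with an optional DNS lookup of the domain part. The field names, the length limits, the zip code format and the phone template are assumptions; the built-in functions preg_match(), checkdate(), filter_var() and checkdnsrr() stand in for the regular expression functions the book uses.

```php
<?php
// Added example (not the book's code). Field names and limits are assumed to
// match the customer table; adjust them to the real column widths.
const MAX_LENGTHS = [
    "surname" => 50, "firstname" => 50, "initial" => 1, "title" => 10,
    "addressline1" => 50, "addressline2" => 50, "addressline3" => 50,
    "city" => 20, "state" => 20, "zipcode" => 5, "country" => 20,
    "phone" => 15, "fax" => 15, "email" => 50,
];
const MANDATORY = ["surname", "firstname", "addressline1", "city",
                   "zipcode", "country", "birthdate", "email", "password"];

// Returns a list of error messages; an empty list means the data passed.
// $checkDomain turns on the DNS lookup for the email domain (needs network access).
function validateCustomer(array $formVars, bool $checkDomain = false): array
{
    $errors = [];

    // Mandatory fields. empty() would also reject the string "0", so test for
    // a blank string explicitly instead.
    foreach (MANDATORY as $field) {
        if (!isset($formVars[$field]) || trim($formVars[$field]) === "") {
            $errors[] = "The $field field cannot be blank.";
        }
    }

    // Field lengths: reject over-long input before it reaches the database.
    foreach (MAX_LENGTHS as $field => $max) {
        if (isset($formVars[$field]) && strlen($formVars[$field]) > $max) {
            $errors[] = "The $field field must be at most $max characters.";
        }
    }

    // Telephone and fax are optional, but when present must match a simple
    // template: optional leading +, then digits, spaces, parentheses or dashes.
    foreach (["phone", "fax"] as $field) {
        if (!empty($formVars[$field])
            && !preg_match('/^\+?[0-9 ()-]{6,15}$/', $formVars[$field])) {
            $errors[] = "The $field number is not in a recognised format.";
        }
    }

    // Zip code: assumed here to be four or five digits.
    if (!empty($formVars["zipcode"]) && !preg_match('/^[0-9]{4,5}$/', $formVars["zipcode"])) {
        $errors[] = "The zip code must be four or five digits.";
    }

    // Birth date: YYYY-MM-DD that is also a real calendar date (rejects 1975-02-30).
    if (!empty($formVars["birthdate"])) {
        $ok = preg_match('/^(\d{4})-(\d{2})-(\d{2})$/', $formVars["birthdate"], $m)
              && checkdate((int)$m[2], (int)$m[3], (int)$m[1]);
        if (!$ok) {
            $errors[] = "The birth date must be a valid date in YYYY-MM-DD format.";
        }
    }

    // Email: filter_var() applies a reasonable approximation of the RFC syntax;
    // optionally confirm that the domain part has an MX or A record.
    if (!empty($formVars["email"])) {
        $email = $formVars["email"];
        if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
            $errors[] = "The email address is not valid.";
        } elseif ($checkDomain) {
            $domain = substr($email, strrpos($email, "@") + 1);
            if (!checkdnsrr($domain, "MX") && !checkdnsrr($domain, "A")) {
                $errors[] = "The email domain $domain does not exist.";
            }
        }
    }
    return $errors;
}

// Build the same "\n<br>..." error string the book uses, but escape each message
// first: a message can echo user-supplied text (the domain above), and unescaped
// text sent back to the browser is how stored or reflected markup gets injected.
function formatErrors(array $errors): string
{
    $errorString = "";
    foreach ($errors as $e) {
        $errorString .= "\n<br>" . htmlspecialchars($e, ENT_QUOTES, "UTF-8");
    }
    return $errorString;
}

// Constructed sample submission containing several deliberate mistakes.
$sample = [
    "surname" => "", "firstname" => "Dimitria", "addressline1" => "12 Vine St",
    "city" => "Adelaide", "zipcode" => "50OO", "country" => "Australia",
    "birthdate" => "1975-02-30", "email" => "dimitria@example", "password" => "secret",
    "phone" => "08 8123 4567",
];
print formatErrors(validateCustomer($sample));
```

In a real handler, validateCustomer() runs on the values of $_POST after the <form> is submitted, and the returned list is either empty (proceed to the database insert) or rendered back into the <form>. The DNS check is kept behind a flag because it makes the request depend on an external lookup and can reject a legitimate address during a transient DNS failure.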