
Form validation - best practice for many fields

Posted: Thu Apr 02, 2009 4:10 pm
by cbearhoney
What's the best practice for validating form fields before submitting to a database or e-mail? Up until now, I've been checking each field against a validateField function, which makes sure that the field is not empty and doesn't have funky characters. But what if I have 20 form fields? Instinct tells me to forget 20 if statements and use a foreach looping through my $_POST array. But is this practice safe? Thanks.

This method works well...but is it the best for many fields?

Code:

// if form was submitted, send e-mail
if (isset($_GET['action']) && $_GET['action'] == 'sendMail') {
    include_once "validateField_pf.php";

    // read each expected field explicitly; default to '' so a missing key
    // does not raise an undefined-index notice and simply fails validation
    $ad_name  = isset($_POST['ad_name'])    ? $_POST['ad_name']    : '';
    $ad_co    = isset($_POST['ad_company']) ? $_POST['ad_company'] : '';
    $ad_phone = isset($_POST['ad_phone'])   ? $_POST['ad_phone']   : '';

    // one check variable per field
    $nameCheck  = validateField($ad_name);
    $coCheck    = validateField($ad_co);
    $phoneCheck = validateField($ad_phone);

    if ($nameCheck && $coCheck && $phoneCheck) {
        require("hybMail.php");
        $mail_details = array($ad_name, $ad_co, $ad_phone);
        sendHybMail(1, $mail_details);
    }
    else {
        // report every field that failed, not only the first one
        if ($nameCheck == FALSE) {
            echo "<span class='alert'>* Please enter a name.</span><br/>";
        }
        if ($coCheck == FALSE) {
            echo "<span class='alert'>* Please enter a company name.</span><br/>";
        }
        if ($phoneCheck == FALSE) {
            echo "<span class='alert'>* Please enter a phone number.</span><br/>";
        }
    }
}

Re: Form validation - best practice for many fields

Posted: Thu Apr 02, 2009 4:29 pm
by kaisellgren
The piece of code you provided is irrelevant in the context of security. Show us your validateField_pf.php and hybMail.php.

Re: Form validation - best practice for many fields

Posted: Thu Apr 02, 2009 4:47 pm
by cbearhoney
Thanks for responding, kaisellgren. Actually, I just want to know whether the way I'm checking the fields BEFORE I send them to validateField_pf.php or hybMail.php is the best way. If I had 20 fields, should I create 20 different 'check' variables? Or should I use a foreach loop on my $_POST array?

Re: Form validation - best practice for many fields

Posted: Thu Apr 02, 2009 4:58 pm
by kaisellgren
cbearhoney wrote: Actually, I just want to know whether the way I'm checking the fields BEFORE I send them to validateField_pf.php or hybMail.php is the best way.
What do you mean? You are not checking anything prior to sending them to validateField(), are you? And I doubt your mail function does any data filtering.
cbearhoney wrote: If I had 20 fields, should I create 20 different 'check' variables? Or should I use a foreach loop on my $_POST array?

Code:

// called once per value; stops the request on the first field that fails
function callback_func($v)
{
    if (!validateField($v))
        die('...');
}
// array_walk() takes its array by reference, so build it in a variable first
// (passing a literal array() is a fatal "Only variables can be passed by reference")
$fields = array($_POST['ad_name'], $_POST['ad_company'], $_POST['ad_phone']);
array_walk($fields, 'callback_func');
Just a simple demonstration that you could use for validation.

I have a strong feeling that your validation is improper, though.

Re: Form validation - best practice for many fields

Posted: Thu Apr 02, 2009 5:03 pm
by Apollo
If all fields need to be validated the same way, then yes, a foreach seems much more convenient to me.

What do you mean with 'funky characters' by the way? Would company names like "McKenzie & O'Hara" or "Café the Black Sheep" be allowed?
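Putting kaisellgren's "loop over the values" idea and Apollo's two points (a foreach is fine when the rules are shared; "funky characters" must still admit "McKenzie & O'Hara" and "Café the Black Sheep") together, here is an added example that is not code from the thread or from validateField_pf.php. The loop runs over a fixed table of expected fields, never over $_POST itself, so extra keys an attacker adds (such as an 'admin' parameter) are ignored, array-valued parameters like ad_phone[]=... are caught instead of crashing trim(), and each field has its own length limit and whitelist pattern. Function names, field names, the patterns and the sample input are all assumptions made for this illustration; mb_strlen() assumes the mbstring extension is loaded.

```php
<?php
// Added example, not from the forum thread. Names and rules are assumptions.

// One rule per expected field: required?, max length, whitelist pattern.
// Name/company patterns allow letters in any script (\p{L}, \p{M}), digits,
// space, comma, period, apostrophe, ampersand and hyphen, so the two company
// names Apollo asked about pass. Everything else (including CR/LF, which
// matters if a value later ends up in a mail header) is rejected.
function formRules()
{
    $namePattern = '/^[\p{L}\p{M}\d .,\'&-]+$/u';
    return array(
        'ad_name'    => array('required' => true,  'max' => 100, 'pattern' => $namePattern),
        'ad_company' => array('required' => true,  'max' => 100, 'pattern' => $namePattern),
        'ad_phone'   => array('required' => true,  'max' => 30,  'pattern' => '/^\+?[\d .()-]+$/'),
        // optional free text: any UTF-8 except control characters other than tab/LF/CR
        'ad_notes'   => array('required' => false, 'max' => 500, 'pattern' => '/^[^\x00-\x08\x0B\x0C\x0E-\x1F\x7F]*$/u'),
    );
}

// Returns array($clean, $errors). $clean contains only fields named in $rules.
function validateForm(array $input, array $rules)
{
    $clean  = array();
    $errors = array();

    foreach ($rules as $field => $rule) {
        // A missing key, a non-string (e.g. field[]=x) and '' are all "empty".
        $value = (isset($input[$field]) && is_string($input[$field]))
            ? trim($input[$field]) : '';

        if ($value === '') {
            if ($rule['required']) {
                $errors[$field] = 'This field is required.';
            } else {
                $clean[$field] = '';
            }
            continue;
        }
        if (mb_strlen($value, 'UTF-8') > $rule['max']) {
            $errors[$field] = 'Too long (max ' . $rule['max'] . ' characters).';
            continue;
        }
        // With /u, preg_match() returns false on invalid UTF-8; !== 1 treats that as a failure.
        if (preg_match($rule['pattern'], $value) !== 1) {
            $errors[$field] = 'Contains characters that are not allowed.';
            continue;
        }
        $clean[$field] = $value;
    }
    return array($clean, $errors);
}

// Constructed sample input standing in for $_POST (not a real submission):
// the extra 'admin' key is ignored and the array-valued phone fails cleanly.
$sample = array(
    'ad_name'    => "McKenzie & O'Hara",
    'ad_company' => 'Café the Black Sheep',
    'ad_phone'   => array('555-0100'),
    'admin'      => '1',
);

list($clean, $errors) = validateForm($sample, formRules());

if ($errors) {
    foreach ($errors as $field => $msg) {
        // Escape on output; never echo raw input back into the page.
        echo "<span class='alert'>* " . htmlspecialchars($field, ENT_QUOTES, 'UTF-8')
           . ': ' . htmlspecialchars($msg, ENT_QUOTES, 'UTF-8') . "</span><br/>\n";
    }
} else {
    // $clean holds only the expected, validated fields; pass this, not $_POST,
    // to the mailer or the database layer (sendHybMail() is the thread's own function).
    // sendHybMail(1, array($clean['ad_name'], $clean['ad_company'], $clean['ad_phone']));
}
```

With the sample above, ad_name and ad_company pass and only ad_phone is reported ("This field is required."), because the array value is treated as empty rather than passed to trim(). The point of keying the loop on the rules table rather than on $_POST is that a foreach over $_POST validates whatever the client chose to send, including fields the form never had; a foreach over your own list validates exactly what you intend to use.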