PHP 5 Form Validation

This and the following sections tell the best way to utilize PHP to approve structure data.

$_SERVER is a cluster that incorporates data, for example, headers, ways, and content areas. The sections in this cluster are made by the web server.

PHP Form Validation

The HTML structure we will work at in these sections, contains different information fields: required and discretionary content fields, radio catches, and a submit button:

The approval rules for the structure above are as follows:

Field Validation Rules
Name Required. + Must just contain letters and whitespace
E-mail Required. + Must contain a legitimate email address (with @ and .)
Website Optional. In the event that present, it must contain a substantial URL
Comment Optional. Multi-line input field (textarea)
Gender Required. Must choose one

First we will take a gander at the plain HTML code for the form:

Text Fields

The name, email, and site fields are content info components, and the remark field is a textarea. The HTML code looks like this:

Name: <input type="text" name="name">
Email: <input type="text" name="email">
Website: <input type="text" name="website">
Comment: <textarea name="comment" rows="5" cols="40"></textarea>

Radio Buttons

The sexual orientation fields are radio catches and the HTML code looks like this:

<input type="radio" name="gender" value="female">Female
<input type="radio" name="gender" value="male">Male

The Form Element

The HTML code of the structure looks like this:

<form method="post" action="<?php reverberation htmlspecialchars($_SERVER["PHP_SELF"]);?>">

When the structure is presented, the structure information is sent with method="post".

So, the $_SERVER["PHP_SELF"] sends the submitted structure information to the page itself, rather than hopping to an alternate page. Along these lines, the client will get blunder messages on indistinguishable page from the form.

Big Note on PHP Form Security

The $_SERVER["PHP_SELF"] variable can be utilized by hackers!

If PHP_SELF is utilized in your page then a client can enter a cut (/) and afterward some Cross Site Scripting (XSS) directions to execute.

Assume we have the accompanying structure in a page named "test_form.php":

<form method="post" action="<?php reverberation $_SERVER["PHP_SELF"];?>">

Now, if a client enters the ordinary URL in the location bar like "http://www.example.com/test_form.php", the above code will be interpreted to:

<form method="post" action="test_form.php">

So far, so good.

However, think about that a client enters the accompanying URL in the location bar:


In this case, the above code will be interpreted to:

<form method="post" action="test_form.php/"><script>alert('hacked')</script>

This code includes a content tag and an alarm order. What's more, when the page stacks, the JavaScript code will be executed (the client will see an alarm box). This is only a straightforward furthermore, innocuous precedent how the PHP_SELF variable can be exploited.

Be mindful of that any JavaScript code can be included inside the <script> tag! A programmer can divert the client to a record on another server, what's more, that record can hold malignant code that can modify the worldwide factors or present the structure to another address to spare the client information, for example.

How To Avoid $_SERVER["PHP_SELF"] Exploits?

$_SERVER["PHP_SELF"] endeavors can be evaded by utilizing the htmlspecialchars() function.

The structure code should look like this:

<form method="post" action="<?php reverberation htmlspecialchars($_SERVER["PHP_SELF"]);?>">

The htmlspecialchars() work changes over extraordinary characters to HTML substances. Presently if the client endeavors to misuse the PHP_SELF variable, it will result in the accompanying output:

<form method="post" action="test_form.php/&quot;&gt;&lt;script&gt;alert('hacked')&lt;/script&gt;">

The misuse endeavor fizzles, and no damage is done!

Validate Form Data With PHP

The first thing we will do is to go all factors through PHP's htmlspecialchars() function.

When we utilize the htmlspecialchars() work; at that point if a client attempts to present the accompanying in a content field:


-this would not be executed, on the grounds that it would be spared as HTML got away code, as this:


The code is currently protected to be shown on a page or inside an e-mail.

We will likewise complete two additional things when the client presents the form:

  1. Strip superfluous characters (additional room, tab, newline) from the client input information (with the PHP trim() function)
  2. Remove oblique punctuation lines (\) from the client input information (with the PHP stripslashes() function)

The subsequent stage is to make a capacity that will do all the checking for us (which is substantially more helpful than composing a similar code again and again again).

We will name the capacity test_input().

Now, we can check each $_POST variable with the test_input() work, and the content looks like this:


//characterize factors and set to purge values
$name = $email = $gender = $comment = $website = "";

  $name = test_input($_POST["name"]);
  $email = test_input($_POST["email"]);
  $website = test_input($_POST["website"]);
  $comment = test_input($_POST["comment"]);
  $gender = test_input($_POST["gender"]);

function test_input($data) {
  $data = trim($data);
  $data = stripslashes($data);
  $data = htmlspecialchars($data);
  return $data;
Run model »

Notice that toward the beginning of the content, we check whether the structure has been submitted utilizing $_SERVER["REQUEST_METHOD"]. On the off chance that the REQUEST_METHOD is POST, at that point the structure has been submitted - and it ought to be approved. On the off chance that it has not been submitted, avoid the approval and show a clear form.

However, in the precedent over, all info fields are discretionary. The content works fine regardless of whether the client does not enter any data.

The subsequent stage is to make input fields required and make blunder messages if needed.