PHP validation and verification

PHP validation and verification Posted in PHP | 31 Comments

Today we are going to review a very important part of the development process of a web application. The validation of users input. This is one the trickiest parts of any application at all. Why is that? Because the developer doesn’t control it. You can write the best algorithm in the world, but still if it includes user input there is a place for mistakes. Even if we put some coplicated logic to prevent the input of wrong symbols, check the consistence of the data and do whatever possible to make sure that it is all OK, there is still possibility that the users enter the wrong number. Though all said, we must try to prevent the most of human errors and the best way to do this is by using Regular Expressions.

Basicly Regular Expressions are used for string matches. They are based on search and pattern matching strings in text. A lot of books are written about them, there are even some programming languages designed especially for Regular Expressions. But today we are just going to take a brief look at how regular expressions can help us with user input. First of all I suggest that you get familiar with some basic concepts of the language. It’s syntax is fully explained in PHP Manual –> Pattern Syntax.

Now let’s get to work. I’ll present some of the most common problems with user input. I’m pretty sure that you met most of them if not all. We are going to create a registration form with required input fields. They are as follows:
– Full Name
– Address
– Passport
– Email
– Phone
– Zip code
– Date
– Username
– Password

Here is the test form that we will use PHP validation example (download)

We have to define some variables that will hold our error messages. Their values have to be cleared every time we reload our page.

$errName = "";
$errAddress = "";
$errEmail = "";
$errPassport = "";
$errPhone = "";
$errZip = "";
$errDate = "";
$errUser = "";
$errPass = "";

There are two ways to use regular expressions in php. One is the true PHP style in which case we have to use ereg() function and the other is to use Perl style syntax for our validations. In this case we have to use preg_match() function. In this tutorial we will use preg_match() because it is faster in most cases and also supports the most common regular expression syntax. It also gives us more capabilities, that we can use.

We will start with validation of the name of the user. We will allow only letters, space and a dash. So we create our regexp (Regular Expression). We will make a class for our possible values. The class is created when we enclose some symbols in parences. This is our class:

[a-zA-Z -] Our class includes all letters between a-z (all lower case letters), A-Z (all upper case letters), space and a dash.

Now we have to set this class to apply for every character that we enter. So we add a (+) plus sign after our class definition. We are still missing something. We have not defined the range of our validation test. We have to set which part of the text we are validating. If we don’t do this our regular expression will be satisfied if it finds even one match in the characters that we enter, which is of no use for us. How do we do this? We put our string between /^$/ start and end characters. “^” means the start of the line and “$” means the end of it. We are ready to build our regexp.

/^[a-zA-Z -]+$/ The forward slash is used by preg_match to define the start and the end of our regexp.

Now we are finished, are we? There is just one more thing to do. The way that we defined our class allows the user to enter dash at the begining of the name. This is something we want to prevent. So we have to add something to our regexp, so it will disallow this.

[A-Z] We define a new class for the first letter of the user name. It can contain only upper case letters.

Now we combine what we have done so far, to get the final result. The return of preg_match() is 0 if there isn’t a match. In that case we have to set our error variable, so we can show some meaningful message to the user.

/^[A-Z][a-zA-Z -]+$/

// Full Name must contain letters, dashes and spaces only and must start with upper case letter.
if(preg_match("/^[A-Z][a-zA-Z -]+$/", $_POST["name"]) === 0)
$errName = '<p>Name must be from letters, dashes, spaces and must not start with dash</p>';

Let’s move forward to the next valitaion field, which is going to be the address. Not much to do here, because it can contain a lot of symbols. We just have to define one class that hold them all.

/^[a-zA-Z0-9 _-.,:”‘]+$/
We translate this regexp as: From the begining to the end of the address string check if our character is one of the following a-z, A-Z, 0-9, space, underscore, dash, dot, comma, semicolons, double and sigle quotes. You can add any character that you think may be part of an address. The thing to notice here is that when we have quotes we have to put an escape character before them.

// Address must be word characters only
if(preg_match("/^[a-zA-Z0-9 _-.,:"']+$/", $_POST["address"]) === 0)
$errAddress = '<p>Address must be only letters, numbers or one of the following _ - . , : " '</p>';

Our next task is to create a regexp for email validation. Here we are going to include another future of the expressions which is constans that represend predefined classes. Here is a list of those that we will use:

w = [0-9A-Za-z_] Class includes digits, letters and underscore character.
d = [0-9] Class includes only digits

These constants save a lot of typing and make source code easier to read and understand. What is the mask for an email? The first part the username can contain letters, digits, dots and underscore character. It has to begin with letter and if we have dot it must be followed by letter. Then it must be followed by @ sign and again the first part. At the end we must have a dot followed by 2 to 4 letters. Whenever we have a character that has special meaning in regexp and we want to use it as character, we have to escape it with backslash.

// Email mask
if(preg_match("/^[a-zA-Z]w+(.w+)*@w+(.[0-9a-zA-Z]+)*.[a-zA-Z]{2,4}$/", $_POST["email"]) === 0)
$errEmail = '<p>Email must comply with this mask: chars(.chars)@chars(.chars).chars(2-4)</p>';

The next string for validation is passport. It can contain only numbers and be 10 or 12 digits. But how we set how many characters we want. We put the desired number of characteras in parences {} and our regexps will look like this /^d{10}$/ and /^d{12}$/. How we combine these two expressions so that we use either one or the other. We use OR. It’s sign is “|”. Our statement is complete /^d{10}$|^d{12}$/.

// Passport must be only digits
if(preg_match("/^d{10}$|^d{12}$/", $_POST["passport"]) === 0) 
$errPassport = '<p>Passport must be 10 or 12 digits</p>';

I will present a phone mask. It can be a lot different, but it is simle enough to be easily customized. You just have to define the number of diggits in every part of the phone number and choose a delimiter. It can be any symbol you want. Zip code is also very easy to implement.

// Phone mask             1-800-999-9999      
if(preg_match("/^d{1}-d{3}-d{3}-d{4}$/", $_POST["phone"]) === 0)
$errPhone = '<p>Phone must comply with this mask: 1-333-333-4444</p>';
// Zip must be 4 digits
if(preg_match("/^d{4}$/", $_POST["zip"]) === 0)
$errZip = '<p>Zip must be 4 digits</p>';

Now we will make date mask. It will look like this: YYYY-MM-DD. Our date will be made only by diggits. You already now how to set the lenght of the year, but the month and day can be between 1 and 2 diggits in lenght. We set this by separating the two values by comma {1,2}. This means that all the numbers in this interval are valid value.

// Date mask YYYY-MM-DD
if(preg_match("/^[0-9]{4}-[0-9]{1,2}-[0-9]{1,2}$/", $_POST["date"]) === 0)
$errDate = '<p>Date must comply with this mask: YYYY-MM-DD</p>';

The last thing to check in our registration – validation form is for username and password of our user. Username can be any string that consist of letters, diggits and uderscore character ( “w” predefined class). We want the username to be at least 5 chars long. This is accomplised by this statement {5,}. The missing value after the comma means that it can be of any value equal or bigger that 5.

// User must be digits and letters
if(preg_match("/^[0-9a-zA-Z_]{5,}$/", $_POST["user"]) === 0)
$errUser = '<p>User must be bigger that 5 chars and contain only digits, letters and underscore</p>';

A good password is the hardest thing to check for. To pass a validation test it must contain at least one lower case letter, one upper case letter and one digit. This will make it hard to break. A thing to know before we start – the dot represents any character. For our purpose we have to make some groups that represent the password. They are defined using the parences (). Each group will check for a particular condition. The first one will check the lenght of our string. It must be equal or bigger than 8. ?= is called a possitive lookahead. A positive lookahead says “the next text must be like this and follow these rules.” So when we take the “next text” it must be of the type “.{8,}”. We declare our first regexp condition as (?=.{8,}). It states that our string must be equal or bigger that 8 and can contain any character. The second rule that we want to apply to the password is to contain at least one diggit. Again we take our string and check it against our condition (?=.*[0-9]). Similarly we do the other conditions. One is for lowercase letters and the other is for uppercase letter (?=.*[a-z]) (?=.*[A-Z]). This is the minimal requirements for our password. The user may want even stronger password. So we add “.*” at the begining and at the end of the password. This means that any number from 0 to more can be inserted.

// Password must be strong
if(preg_match("/^.*(?=.{8,})(?=.*[0-9])(?=.*[a-z])(?=.*[A-Z]).*$/", $_POST["pass"]) === 0)
$errPass = '<p>Password must be at least 8 characters and must contain at least one lower case letter, one upper case letter and one digit</p>';

This concludes our tutorial. You see what a powerfull tool regular experessions are and how they can help us in form input verifications. They are way more complex than what you see here, but knowing at least the basics is essential. So get those heavy books and start reading. I hope that those examples help you with your work.

By Rz Rasel Posted in Php

15 comments on “PHP validation and verification

  1. I will right away clutch your rss as I can’t to find your e-mail subscription hyperlink or e-newsletter service. Do you’ve any? Kindly permit me understand in order that I could subscribe. Thanks.

  2. Hello There. I found your blog using msn. This is a very well written article. I will make sure to bookmark it and return to read more of your useful info. Thanks for the post. I will certainly return.

  3. Thanks for expressing your ideas with this blog. Also, a myth regarding the lenders intentions any time talking about foreclosures is that the traditional bank will not take my installments. There is a certain amount of time in which the bank can take payments every now and then. If you are way too deep inside hole, they’re going to commonly demand that you pay the payment 100 %. However, i am not saying that they will not take any sort of payments at all. Should you and the bank can be capable to work some thing out, your foreclosure method may end. However, when you continue to miss out on payments within the new plan, the foreclosures process can pick up from where it left off.

  4. I do agree with all the ideas you’ve presented in your post. They are really convincing and will definitely work. Still, the posts are too short for newbies. Could you please extend them a little from next time? Thanks for the post.

  5. I blog quite often and I seriously appreciate your information.
    Your article has really peaked my interest.

    I will book mark your website and keep checking for new information about once
    a week. I subscribed to your Feed too.

  6. Very nice post. I just stumbled upon your weblog and wished to say that I’ve truly enjoyed browsing your blog posts. After all I will be subscribing to your rss feed and I hope you write again very soon!

  7. I’m extremely impressed with your writing skills and also with the layout on your weblog. Is this a paid theme or did you customize it yourself? Anyway keep up the excellent quality writing, it’s rare to see a nice blog like this one these days

  8. I’ve been recently wondering about the very same matter personally lately. Happy to see a person on the same wavelength! Nice article.

  9. *This web site is really a walk-through for all of the info you wanted about this and didn�t know who to ask. Glimpse here, and you�ll definitely discover it.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s