Ant Power

Reputation: 15

PHP Form processing

I've built a registration form, and I have implemented the jQuery Validation plugin by JÖRN ZAEFFERER, including stylizing the error messages with CSS. I want now to add a layer of PHP to validate a second time, in case JS is turned off. Following that I will run the data through security: hash/salt/encryption etc., before inserting the data into a MySQL table, then writing a program to get the account verified by email as part of the sign up process.

I'm self-taught, so can anyone with more experience explain the best practices with this process? Questions I have are: Where should the PHP go: embedded in the HTML file, in a separate PHP file which the form action="" submits to, or in an include file? What are the best practices as regards security; if I'm using a salt or a hash or an encryption function, should that be in an include file? The final question is: Is jQuery validation a waste of time, would it be better just to do it with PHP? If you do both, does the PHP embed itself in an HTML file or is it better for security to put it elsewhere?

This is the first time I've done this, but it's just simply taking input putting it in the database securely, verifying by email, and then logging in the new user to then go and use the website.

I'd love to know best practices to begin with, so if there are any good articles on the web, please link me to them.

Thanks

Ant Power

Upvotes: 0

Views: 230

Answers (2)

theunraveler

Reputation: 3284

So you've asked many different questions here. I'll go through them one-by-one.

Where should the PHP go, embedded in the HTML file, in a separate PHP file which the form action="" submits to, or in an include file?

PHP is never embedded directly in an HTML document. Rather, think of PHP as a dynamic HTML generator. It creates HTML (or JSON, or whatever) that is sent to the browser, but is never actually sent to the browser itself. That's why it's referred to as a server-side language, as opposed to something like JavaScript (which can also be server-side, but that's not relevant). So you should be fine putting your validation anywhere you'd like. It will need to happen when the form action is called, so it will need to be wherever that happens. Something like the following should work:

<?php

function validate(array $data) {
  // Do your validation here, collecting one message per problem,
  // and return the array of errors (empty when the data is valid).
  $errors = [];
  if (empty($data['email']) || filter_var($data['email'], FILTER_VALIDATE_EMAIL) === false) {
    $errors['email'] = 'A valid e-mail address is required.';
  }
  return $errors;
}

// Run the validation on the data posted from the form.
$errors = validate($_POST);
if (empty($errors)) {
  // The data was valid, save it to the database
  // (be sure to sanitize the data first, i.e. bind it through a prepared statement).
} else {
  // The data was not valid, redirect the user or re-display the form with $errors.
}

What are the best practices as regards security; if I'm using a salt or a hash or an encryption function, should that be in an include file?

Yes, use an encryption function. It does not need to be in a separate file to be secure: the encryption function is what provides the security, not the fact that the user cannot see the file (read: actual security, not security through obfuscation). But whatever salt you use to hash the value should be in a separate file that is not accessible over the web. If a user can see your hashing algorithm and your salt, they can begin to bruteforce your data.

Is jQuery validation a waste of time, would it be better just to do it with PHP?

jQuery validation should be considered more of a UI/UX improvement than actual validation. Client-side (read: JavaScript) validation should never replace server-side (read: PHP) validation for the reasons you already mentioned. But I do think that it can contribute to a better user experience, so sometimes it's worth doing both.

One thing I would do is use the same method for validating server-side and client-side, so that you don't have to write your validation code twice. For example, if you place your validation function in another file, you can use AJAX to send the form data to it, then receive back form errors.

Hope this helps!

Update: Also, if what you're doing is logging in users, check out password_compat, which will become part of the PHP standard library in PHP 5.5. That library should take care of a lot of security concerns for you, in an upgradable way.

Upvotes: 2
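As an added example (editor's code, not from the answer above), here is the password_compat API in use: password_hash(), password_verify() and password_needs_rehash(), which PHP 5.5 made native. It shows why no salt needs to live in a separate file with this API: a fresh random salt is generated for every call and stored inside the hash string. It also shows the "upgradable" part of the answer, where a hash made with an older cost is still accepted but flagged so it can be replaced. It assumes PHP 5.5+ (or PHP 5.3.7+ with password_compat's password.php included); the cost value and the sample passwords are constructed for the demonstration.

```php
<?php
// Added example: password storage with the password_compat / PHP >= 5.5 API.
// Assumes PHP 5.5+, or PHP 5.3.7+ with password_compat's password.php required.

const HASH_COST = 12; // bcrypt work factor; raise it as hardware gets faster

// Hash a plaintext password for storage. A random salt is generated on every
// call and embedded in the returned string, so two users with the same password
// get different hashes and no application-wide salt file is needed.
function hash_password($plaintext)
{
    return password_hash($plaintext, PASSWORD_BCRYPT, ['cost' => HASH_COST]);
}

// Check a login attempt. Returns [$ok, $newHash]: $newHash is non-null when the
// stored hash was made with older parameters and should replace the DB value.
function check_password($plaintext, $storedHash)
{
    if (!password_verify($plaintext, $storedHash)) {
        return [false, null];
    }
    $newHash = null;
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => HASH_COST])) {
        $newHash = hash_password($plaintext);
    }
    return [true, $newHash];
}

// Demonstration with a constructed password (not real user data).
$stored = hash_password('correct horse battery staple');

list($ok, $upgrade) = check_password('correct horse battery staple', $stored);
if (!$ok || $upgrade !== null) {
    throw new RuntimeException('correct password must verify and need no rehash');
}

list($ok, $upgrade) = check_password('wrong password', $stored);
if ($ok) {
    throw new RuntimeException('wrong password must not verify');
}

// A hash made earlier with a lower cost is still accepted, but flagged for
// upgrade; the login handler stores $upgrade in place of the old hash.
$old = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]);
list($ok, $upgrade) = check_password('correct horse battery staple', $old);
if (!$ok || $upgrade === null) {
    throw new RuntimeException('old-cost hash must verify and be flagged for rehash');
}

echo "password hashing checks passed\n";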

Esben Tind

Reputation: 885

Best practice would be to create a PHP function or class method that validates the data, and then call said function/method in a separate file defined as your form action. Assuming this is a POST request, you should have a separate file handling the request. Validation should not be a part of this file, as you should be able to use it anywhere you want.

TLDR: Create a validation class, and include and use it in a separate processing file.

Upvotes: 0
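As an added example that is not from either answer, the layout both answers describe: a validator class in its own file, included by the separate processing file that the form posts to, which then hashes the password, stores the row through a prepared statement and creates the token for the verification e-mail the question mentions. The file names, the `users` table and its columns, the PDO connection and the example.com link are assumptions; it assumes PHP 7.0 or later (for random_bytes) and a UNIQUE index on the email column.

```php
<?php
// Added example (not from the answers): reusable validator + separate handler.
// Assumes PHP 7.0+ and a PDO connection to a MySQL table `users` with columns
// email (UNIQUE), password_hash, verify_token_hash, verified. Names are illustrative.

// ---- validator.php ----------------------------------------------------------
class RegistrationValidator
{
    // Returns an array of field => error message; an empty array means valid.
    public function validate(array $input)
    {
        $errors = [];
        $email = isset($input['email']) ? trim($input['email']) : '';
        if ($email === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
            $errors['email'] = 'Enter a valid e-mail address.';
        }
        $password = isset($input['password']) ? $input['password'] : '';
        if (strlen($password) < 10) {
            $errors['password'] = 'Password must be at least 10 characters.';
        }
        if (!isset($input['password_confirm']) || $input['password_confirm'] !== $password) {
            $errors['password_confirm'] = 'Passwords do not match.';
        }
        return $errors;
    }
}

// ---- register.php (the form's action="register.php" method="post") ----------
// require_once __DIR__ . '/validator.php';   // when the class lives in its own file

function register(PDO $db, array $post)
{
    $validator = new RegistrationValidator();
    $errors = $validator->validate($post);
    if ($errors) {
        return ['ok' => false, 'errors' => $errors];
    }

    // Hashing replaces any hand-rolled salt: the salt is inside the hash string.
    $passwordHash = password_hash($post['password'], PASSWORD_DEFAULT);

    // Random token for the verification e-mail. Only its hash is stored, so a
    // read of the table does not hand out usable verification links.
    $token = bin2hex(random_bytes(32));
    $tokenHash = hash('sha256', $token);

    // Prepared statement: user input is bound, never concatenated into the SQL.
    $stmt = $db->prepare(
        'INSERT INTO users (email, password_hash, verify_token_hash, verified)
         VALUES (:email, :hash, :token_hash, 0)'
    );
    try {
        $stmt->execute([
            ':email'      => trim($post['email']),
            ':hash'       => $passwordHash,
            ':token_hash' => $tokenHash,
        ]);
    } catch (PDOException $e) {
        // SQLSTATE 23000 = integrity constraint violation, e.g. duplicate e-mail.
        if ($e->getCode() === '23000') {
            return ['ok' => false, 'errors' => ['email' => 'That address is already registered.']];
        }
        throw $e;
    }

    // The caller e-mails this link; verify.php looks up hash('sha256', $_GET['t'])
    // and sets verified = 1 for the matching row.
    return ['ok' => true, 'verify_link' => 'https://example.com/verify.php?t=' . $token];
}

// Handling the POST when this file is the request target (connection details assumed):
// $db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pass',
//               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// $result = register($db, $_POST);
```

Because the validator is its own class, the same `validate()` call can also back an AJAX endpoint that returns the error array as JSON, which is the "write the validation once" approach the first answer suggests.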
