gtilflm

Reputation: 1465

Form Validation -- A Standard Solution?

I'm a little above a newbie with web programming and I don't know much about form validation. In my research, it seems that there are a variety of ways to validate form data and some of the methods depend on what you're going to do with the data. Then you have to-be deprecated functions like mysql_real_escape_string and something called "PDO" and the whole thing is downright complicated.

So, would it be reasonable/feasible for there to be a set of functions that are basically the standard way to validate form data? Like this...

function validate_for_sql()
function validate_for_email()
function validate_for_browser()

Maybe there should be more (something for integers?). The ideal would be things like sql injections and other nasties could ALL be handled via a set of generally accepted and rock-solid functions developed by and for the coding community.

Is this doable? Does it already exist somewhere.. maybe in a hidden lair? If so, can someone email me the secret password needed to access this information? :)

Upvotes: 1

Views: 2017

Answers (3)

Erdo Dirgagautama

Reputation: 571

Let me summarize your question: "would it be reasonable/feasible for there to be a set of functions, generally accepted, uniform, and solid, that are basically the standard way to validate form data?"

If my summary is correct, then the answer is: jQuery Validation. As the name states, you need jQuery and jQuery Validation to make this work.

Below is an example of how to use this tool.

HTML:

<form id="myForm">
    <input type="text" name="currency">
    <input type="text" name="amount">
</form>

Javascript:

$("#myForm").validate({
    rules: {
        "currency": {
            minlength: 3,
            required: true
        },
        "amount": {
            number: true
        }
    }
});

By default, validation is triggered on keyup. So when the user changes, let's say, the currency field and breaks one of the rules above, jQuery Validation will show a pre-built notification message automatically.

These are the pre-built messages for the rules above:

  1. minlength: Please enter at least three characters
  2. required: This field is required
  3. number: Please enter a valid number

What if you want to validate whether a currency is available in our exchange rate table?

The answer is: just add a custom validation method.

$.validator.addMethod("checkCurrency", 
    function(value, element) {
        var result = false;
        $.ajax({
            type:"GET",
            async: false,
            url: "012_ajax.php", // script to validate in server side
            data: {currency: value},
            success: function(data) {
                result = (data == "1") ? true : false;
            }
        });
        // return true if the currency exists in the database
        return result;
    }, 
    "Currency is not exist."
);

$("#myForm").validate({
    rules: {
        "currency": {
            minlength: 3,
            required: true,
            checkCurrency: true
        },
        "amount": {
            number: true
        }
    }
});

With this code, every time the user enters a currency that does not exist in the table, the form will show the "Currency is not exist" message.


Last question: could I create a custom message for this plugin?

The answer is YES.

$("#myForm").validate({
    rules: {
        "currency": {
            minlength: 3,
            required: true,
            checkCurrency: true
        },
        "amount": {
            number: true
        }
    },
    messages: {
        "currency": {
            minlength: "Currency should at least 3 char or more",
            required: "Currency is required"
        },
        "amount": {
            number: "Amount must be number"
        }
    }
});

Now every time the user breaks the rules above, the form will show the messages as stated in the code above.

The important thing about this plugin, as every form validation should do, is that data will not be submitted as long as the data are not verified. Well, as long as the user isn't turning off / disabling JavaScript in his browser. :)


UPDATE

The answer above is for client-side validation.

For server-side validation, there are PHP form validation scripts on the internet; among them are:

  1. http://html-form-guide.com
  2. A Soares

They have built-in validation rules and the user can add custom ones.

Hopefully this helps.

Upvotes: 1
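Client-side rules only bind browsers that actually run the script, so the server has to apply the same rules again on submit. The following is an added example, not code from the answer or from the plugin; the function name, the currency allowlist (standing in for the exchange rate table) and the sample requests are assumptions.

```php
<?php
// Added example: server-side counterpart of the client-side rules
// (currency: required, minlength 3, must exist; amount: numeric if present).
// Constructed allowlist standing in for the exchange rate table.
const KNOWN_CURRENCIES = ['USD', 'EUR', 'IDR'];

function validate_exchange_form(array $input): array
{
    $errors = [];

    // A request can send currency[]=x, which arrives as an array; reject
    // anything that is not a plain string before applying the rules.
    $currency = $input['currency'] ?? '';
    if (!is_string($currency) || trim($currency) === '') {
        $errors['currency'] = 'Currency is required';
    } elseif (strlen(trim($currency)) < 3) {
        $errors['currency'] = 'Currency should be at least 3 characters';
    } elseif (!in_array(strtoupper(trim($currency)), KNOWN_CURRENCIES, true)) {
        $errors['currency'] = 'Currency does not exist';
    }

    // "amount" is optional in the client rules, but must be numeric if sent.
    $amount = $input['amount'] ?? '';
    if (!is_string($amount)) {
        $errors['amount'] = 'Amount must be a number';
    } elseif ($amount !== '' && filter_var($amount, FILTER_VALIDATE_FLOAT) === false) {
        $errors['amount'] = 'Amount must be a number';
    }

    return $errors; // empty array means the input passed every rule
}

// Constructed sample requests, shaped as $_POST would deliver them.
$samples = [
    ['currency' => 'usd', 'amount' => '12.50'],   // valid
    ['currency' => 'US',  'amount' => '12.50'],   // too short
    ['currency' => ['x'], 'amount' => 'twelve'],  // array value, non-numeric amount
    ['amount' => ''],                             // currency missing
];
foreach ($samples as $sample) {
    echo json_encode($sample), ' => ',
         json_encode(validate_exchange_form($sample)), PHP_EOL;
}
```

Validation of this kind decides whether to accept the input; it does not replace escaping or parameter binding when the accepted value is later placed into SQL or HTML.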

SLaks

Reputation: 887415

You are fundamentally misunderstanding this.

The point of escaping a string is to allow you to insert it in a structured string without breaking out of the structure (e.g., SQL injection, XSS, etc.).

Whenever you insert a string into some structure, you need to escape it for that structure so that the resulting string makes sense.

If you escape it for a different structure (e.g., HTML-escape a string and put it in a SQL statement), you will introduce both a security hole and a bug.

Upvotes: 0
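The answer above, worked through as an added example that is not part of the original answer: one input value is handled correctly for the SQL structure (a PDO bound parameter) and for the HTML structure (`htmlspecialchars` at output time), next to the mismatched case of HTML-escaping before storage. The table, column and variable names and the input value are assumptions, and the script needs the `pdo_sqlite` extension.

```php
<?php
// Added example; table, column and variable names are hypothetical.
$name = "O'Brien <b>";            // constructed user input

$db = new PDO('sqlite::memory:'); // in-memory database, needs pdo_sqlite
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$insert = $db->prepare('INSERT INTO users (name) VALUES (:name)');

// SQL structure: bind the raw value. It travels separately from the SQL
// text, so the apostrophe cannot end a string literal.
$insert->execute([':name' => $name]);

// Wrong structure: HTML-escaping before storage. ENT_COMPAT leaves the
// apostrophe untouched, so this would not have protected a concatenated
// query, and the stored value is now altered.
$htmlEscaped = htmlspecialchars($name, ENT_COMPAT, 'UTF-8');
$insert->execute([':name' => $htmlEscaped]);

// HTML structure: escape at output time, for the HTML context.
foreach ($db->query('SELECT id, name FROM users ORDER BY id') as $row) {
    printf("row %d stored:  %s\n", $row['id'], $row['name']);
    printf("row %d as HTML: %s\n", $row['id'],
        htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'));
}
// Row 1 renders in the browser exactly as the user typed it. Row 2 was
// escaped twice, so the browser shows the literal text "&lt;b&gt;".

// The apostrophe is still present after HTML-escaping with ENT_COMPAT.
var_dump(strpos($htmlEscaped, "'") !== false);
```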

Kallum Tanton

Reputation: 777

If I understand your question, then yes, this is possible by passing values of similar type inputs as parameters into functions. I'm sure if you search the web you'll find some pre-made functions that will do this. But, they don't take that long to make, plus creating them will enhance your skills. It would be good to have something like that, and as a matter of fact, ASP.NET actually does have inbuilt validation, but I'm afraid PHP does not (as far as I know).

Upvotes: 0
