Best approach to validate a form with PHP

Question

What is the the most convenient way, the "best" way for validate a form with PHP? I don't want languages like Javascript for validate my form, I want to know the best approach for do a form validation using only PHP, the more cleanly way to do it.

I'm new with PHP, I'm working on a registration page, I finish it and I want to know if the approach that I do it's acceptable and if there is a best, convenient, clean way for validate a form.

This is the approach that I use:

if (post form submitted (action same page)) {
  $errors = array(); // Initialize the variable error as an array

  if (various controls for the username which must not occur) {
    $errors[] = 'Inputnot valid.';
  }

  // for example:
  if (empty($_POST['username']) || !ctype_alnum($_POST['username'])) {
    $errors[] = 'Username not valid.';
  }

  if (empty($_POST['email']) || !filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) {
    $errors[] = 'Email not valid.';
  }

  if (empty($errors)) { // Check if the array is empty so that there are no errors
    echo 'everything is ok';
  } else { // There is errors
    foreach ($errors as $error) {
      echo $error;
    }
  }
}
// Begin HTML
<!DOCTYPE html>

Answer 1

Validating depends on your program logic. Apply appropriate logic to each field of user input. Invalid data could break functionality.

Two kinds of sanitizing: parameterize or escape variables used in DB queries; also sanitize before printing to HTML using htmlspecialchars() or htmlentities(). Sometimes there are easier ways:

Sanitizing numbers: $var = (int)$var; It's now safe for DB and for HTML output.

String data validated to all safe characters (as alphanumeric usernames) do preg_replace or str_replace and remove any characters not expected. Web search for regular expression you need and use with preg_replace.

Passwords: whenever you have a password entered, immediately use a 1-way hash on it (see password_hash()). Compare the hashes for equality. You never have to know or store the actual PW. By storing PWs as hashes, someone who hacks your user table will see a bunch of hashes that won't work when entered into PW field. Salting your hashes will make it harder to reverse the encryption.

Emails: validating would be to check for the @ and the dot, but it's just to help the user from misspelling. Sanitizing emails: parameterize or escape for DB, and when output use htmlspecialchars().

Note, preg_replace doesn't apply when the user can enter any text and have it be valid (ie PWs or messages). Those are the hardest inputs to deal with.

Answer 2

I would recommend choosing a package from packagist.

There are dozens of form related extensions for PHP, but here are a few popular ones:

• Symfony (component framework)
• Yii 2.0 (full-stack web-framework)
• Zend

These links go to the documentation pages of the respective framework. Give them a read and choose the one which suites you most.

You should use composer for the installation.

Answer 3

If you're validating data on server side, And your validation does not require application business logic (i.e you're not checking to see if the user has enough credit in his account), You should validate in the controller.

If the validation requires business logic, Implement it inside the model and call it via controller.

You should have a look on this stackoverflow link Best Place for Validation in Model/View/Controller Model?