PHP form Validation

Source: Internet
Author: User
Tags php form php form validation script tag valid email address

PHP Form Validation
We need to consider security when working with PHP forms.

In this section we will show PHP form data security processing, in order to prevent hackers and spam information we need to data security verification of the form.

The following input fields are included in the HTML form described in this section: must be associated with an optional text field, radio button, and submit button:

The above form validation rules are as follows:

Field validation rules
Name Have to. + can contain only letters and spaces
E-Mail Have to. + must be a valid email address (contains ' @ ' and '. ') )
Website Have to. If it exists, it must contain a valid URL
Comment Have to. Multiline input field (text field)
Gender Have to. You must select a

First let's look at the Plain HTML form code:

Text field

The name, email, and website fields are text input elements, and the comment field is textarea. The HTML code looks like this:

Name: <input type= "text" name= "name" >e-mail: <input type= "text" name= "email" >website: <input type= "text "Name=" website ">comment: <textarea name=" Comment "rows=" 5 "cols=" ></textarea>

radio button:

The gender field is a radio button, and the HTML code looks like this:

Gender:<input type= "Radio" name= "Gender" value= "female" >female<input type= "Radio" name= "Gender" value= "male ">male


Form elements

The HTML form code looks like this:

<form method= "POST" action= "<?php Echo  htmlspecialchars ($_server[" php_self "]);? > ">


The form uses the method= "post" method to submit data.

What is a $_server["php_self"] variable?

$_server["Php_self"] is a super global variable that returns the file name of the currently executing script, which is related to document root.

Therefore, $_server["Php_self" will send the form data to the current page instead of jumping to a different page.

What is the Htmlspecialchars () method?

The Htmlspecialchars () function converts some pre-defined characters to HTML entities.

The predefined characters are:

  • & (and number) becomes &amp;

  • "(double quotes) become &quot;

  • ' (single quotes) become & #039;

  • < (less than) becomes &lt;

  • > (greater than) becomes &gt;

What needs to be stressed in the PHP form?

$_server["Php_self"] variables are likely to be used by hackers!

When hackers use HTTP links to cross-site scripts to attack, $_server["php_self"] Server variables are also inserted into the script. The reason is that cross-site scripting is appended to the path of the execution file, so the string $_server["Php_self" will contain the JavaScript code behind the HTTP link.

XSS is also called CSS (Cross-site script), cross-site scripting attacks. A malicious attacker inserts malicious HTML code into a Web page, and when the user browses to the page, HTML code embedded inside the Web is executed to achieve the special purpose of the malicious user.

Specifies that the following form file is named "test_form.php":

<form method= "POST" action= "<?php echo $_server[" php_self "];? > ">


Now, we use the URL to specify the commit address "test_form.php", and the above code is modified to resemble the following:

<form method= "POST" action= "test_form.php" >


It's good to do that.

However, given that the user will enter the following address in the browser address bar:

/test_form.php/%22%3e%3cscript%3ealert (' hacked ')%3c/script%3e

In the above URL, it will be parsed into the following code and executed:

<form method= "POST" action= "test_form.php/" ><script>alert (' hacked ') </script>


The script tag is added to the code and the alert command is added. The JavaScript code executes when the page is loaded (the user will see a popup box). This is just a simple example of how php_self variables can be exploited by hackers.

Please note that any JavaScript code can be added to the <script> tab! Hackers can use this redirect page to another Server page, the page code file can protect malicious code, the code can modify global variables or get the user's form data, instance:

How to avoid $_server["php_self") being exploited?

$_server["Php_self"] can be avoided by using the Htmlspecialchars () function.

The form code looks like this:

<form method= "POST" action= "<?php Echo htmlspecialchars ($_server[" php_self "]);? > ">


Htmlspecialchars () converts some of the predefined characters to HTML entities. Now if the user wants to take advantage of the php_self variable, the result will be output as follows:

<form method= "POST" action= "test_form.php/" ><script>alert (' hacked ') </script> ">


Failed to attempt the vulnerability!

Validating form data with PHP

First, all of the data submitted by the user is handled by PHP's Htmlspecialchars () function.

When we use the Htmlspecialchars () function, the user tries to submit the following text fields:

<script>location.href (' ') </script>


-The code will not be executed because it will be saved as an HTML escape code, as follows:

<script>location.href (' ') </script>


The above code is safe and can be displayed on the page or inserted in the message normally.

When the user submits the form, we will do the following two things:

    1. Use the PHP trim () function to remove unnecessary characters from user input data (such as: spaces, tab, line wrapping).

    2. Use the PHP stripslashes () function to remove backslashes (\) from user input data

Let's then write these filtered functions in a function that we define ourselves, which can greatly improve the reusability of the code.

Name the function test_input ().

Now, we can use the Test_input () function to detect all the variables in the $_post, and the script code looks like this:

<?php//defines a variable and defaults to a null value $name =  $email = $gender = $comment = $website = ""; If  ($_server["request_method"] = = "POST ") {  $name =  test_input ($_post[" name "]);  $email = test_input ($_post["email"]);    $website = test_input ($_post["website"]);  $comment =  test_input ($_post["comment"]);  $gender = Test_input ($_post["Gender");} function Test_input ($data) {  $data = trim ($data);  $data =  stripslashes ($data);  $data = Htmlspecialchars ($data);  return $data; }?>


Note that when we execute the above script, we will detect whether the form is committed by $_server["Request_method"). If Request_method is POST, the form will be submitted-the data will be validated. If the form is not submitted, validation is skipped and blank is displayed.

The use of entries in the above instances is optional, even if the user does not enter any data to display correctly.

PHP form Validation

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.