Reinforcing Form Validation

Recently, I’ve been working with a Testing and Verification group on a web application I’ve been developing for an ecommerce site. Throughout this process, I’ve learned that you not only need to validate information provided by users on form input, but you also need to go the extra mile to make sure the information provided actually makes sense.

Right from the start, the first instance where I realized I had to take validations to the next step was with countries. I had a drop down list of countries that the user can select to indicate where they resided. The validations were typical and ensured that the user selected a country, and based on that input, is then passed onto another function. What if the drop down list is hijacked and the user enters some fictitious country? Depending on your application, this could either break your workflow or simply contaminate your databse with invalid records.

In this instance, going the extra mile means verifying that the country the user selected exists based on the list you provided. Validation can be done any number of ways. You can loop through your database and make sure that the input coincides with your stored values. You can also craft one lengthy IF statement that covers your bases.

Divide and Conquer

Working with this country example, to limit the amount of validating you do, you can take this process in stages.

  • First, if the country is a required input, you make sure that the user provided you a value, irrespective of the value. If nothing is received, you fail and send the user back.
  • In my example, although the country drop down contained the full name of each country, the values were the two character code. I check that the input received is equal to two characters.
  • My values aren’t alphanumeric – so I check that the input only contains letters.
  • If I got to this point, I check to see if the input matches one of the values for the countries I’ve initially shown in the list.

It’s a bit of an overkill, but a necessary evil. Overall, you can never trust any input given to you by a user. If you’re expecting numbers – make sure you set the boundary for the length of numbers you receive and ensure that it is a natural non-negative number, of course, depending on your requirements. If street address or postal codes are important to you, make sure you check those. Many sites across the internet offer regular expressions for what you’re validating.

Here’s an example for a Canadian and US Postal Code.

Canadian Postal Code Verification

function verify_postal_code($string) {
	if(preg_match("/[ABCEGHJKLMNPRSTVXYabceghjklmnprstvxy][0-9][ABCEGHJKLMNPRSTVWXYZabceghjklmnprstvwxyz][- ]?[0-9][ABCEGHJKLMNPRSTVWXYZabceghjklmnprstvwxyz][0-9]$/i",$string)) {
	    	return TRUE;
	 } else {
	 	return FALSE;

US Zip Code Verification

function verify_zip_code($string) {
	if(preg_match("/(^\d{5}$)|(^\d{5}-\d{4}$)|(^\d{9}$)/",$string)) {
		return TRUE;
	} else {
		return FALSE;

Some Best Practices

It goes without saying that you not only validate the data, but you also clean it. Some awesome PHP functions you can use are trim(), stripslashes(), strip_tags() and htmlspecialchars().

On a final note, test test test. Look up SQL Injection attacks and try every possible option on your own forms. It’s better that you expose your own flaws that someone potentially obtaining your data.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>