
In my PHP web applications I typically validate user input using custom functions which return either NULL if the input does not match the validation criteria, or return the original input value if the validation criteria are satisfied. So a basic process flow would look something like this:

$user_input = $_POST['fieldname'];
$user_input = validation_function($user_input); // returns NULL on failure, the original value otherwise

if (isset($user_input)) {
    // do stuff
}

The nice thing about this is that I can take any number of user inputs, validate them, and then stick them into the isset() function as parameters, since the isset() function takes a variable number of parameters.

Now, I've been reading a lot about how NULL returns are bad, and this SO question, "Is returning null bad design?" has a great answer, basically stating that "The rationale behind not returning null is that you do not have to check for it and hence your code does not need to follow a different path based on the return value". I understand how this is beneficial in the internal workings of an application, but how can this principle be applied to input validation?

The crux of the question is, how do I handle input validation in a way that I do not have to return NULL like in the code example I provided above?

Richard Keller

4 Answers


First of all, don't use isset in this way, you're abusing it.

       if at all, use isset here, because
     this variable *may* actually not be set
              vvvvvvvvvvvvvvvvvvv
$user_input = $_POST['fieldname'];

if (isset($user_input)) {
    ^^^^^^^^^^^^^^^^^^
 do not use isset here, because
 this variable is definitely set

isset has a specific purpose and is used for proper error handling/suppression. You're only making your life harder by suppressing error reporting for mistyped variables if you use isset in that manner.

Then, you should generalize your code. Make an array of fields you want to validate. Run a loop over that array, flagging fields true or false. Figure out whether all fields were true or not.

$validate = array_fill_keys(array('firstname', 'lastname', ...), null);

foreach ($validate as $field => &$valid) {
    // your validation logic here!
    $valid = !empty($_POST[$field]) ? $_POST[$field] : false;
}
unset($valid); // drop the reference the by-reference foreach leaves on the last element

if (array_filter($validate, function ($i) { return $i === false; })) {
    die('Some fields are invalid!');
}

That's a simple skeleton. You can expand this to set individual error messages for failed fields in the array, individual validation rules etc.

deceze
  • Interesting, thank you. I see that you've actually written a pretty good post about the correct use of isset and didn't link to it. Recommended reading for others: http://kunststube.net/isset – Richard Keller Jul 02 '12 at 20:43
$flg = false; // initialise first, so the later check never reads an undefined variable

if (isset($user_input)) {
    $flg = true;
}
if ($flg) {
    // do stuff
}

I guess that's what you are looking for. You can set a variable to true or false, as that is my way of validation.

baig772

Well, for input validation I always return the original value and then flag that field as invalid in some manner. The reason for this is that I generally want to display a validation error message for each field. Rather than a function I would use a class; that way tracking all this is much easier.

If you're interested in that approach, take a look at how Zend_Form and Zend_Validate work together to provide an extensible validation interface for user input.

prodigitalson

Slightly more compacted way derived from baig772's answer:

if (validation_function($user_input)) {
    // do stuff
}

Let validation_function() return a bool and based on that decide what to do. No need for isset(). You can of course set flags within that block and use those flags later in the code. isset() allows you to add mixed variables, but one can assume that different validation functions will be needed based on the input type. So you can go for this:

if (validation_function_fname($first_name) && validation_function_email($email)) {
    // do stuff
}

Or, like this:

$name_ok  = validation_function_fname($first_name);
$email_ok = validation_function_email($email);

if ($name_ok && $email_ok) {
    // do stuff
}

Francis Laclé