
I am new to PHP and have only spent two weeks on it. I am currently reading "PHP and MySQL Web Development" but I am lost in what I should do in regards to form validation on a present site I am working on. I did decide to use HTML5Boilerplate for the first time and everything is coded and works great, but I can't seem to figure out how to do my form. In my form all I am requiring is Name, email and message, and I am using the $_POST method.

  • Many tutorials suggested I use an array for $name, $email, and $message but I wanted to know if this is a best practice?
  • Should I still include JavaScript validation as a fallback?
  • If I use PHP is there a way to treat all submitted content as text or is that default in PHP?
  • I am wanting to create a simple form captcha with 2+2 that would require an input box of 4, and I was wondering if the best way to do that is with if ($_POST['submit'] && $human == '4')?
  • I have read several comments that using $email = htmlspecialchars is bad; can someone explain why?

My apologies for the thread, but I have read over the week several (I believe 15) tutorials on PHP form validation; they all have their pros and cons and I want to start using PHP right. I did try to implement Eric Martin's form in my BoilerPlate but it would not work, nor did I receive any browser errors in Firefox.

If it helps these are some tutorials I have read:

  1. How to Create a Contact Form using HTML5, CSS3 and PHP
  2. How To Create An Ajax-Based HTML5/CSS3 Contact Form
  3. Integrating HTML5, CSS and PHP to Create a Very Basic Contact Form
  4. How to Create Kick-Ass PHP Contact Forms
DᴀʀᴛʜVᴀᴅᴇʀ
  • You've got too many questions packed into one. Do some more searching about things like "htmlspecialchars is bad" and if you have a specific question about that, come back and ask. As for validation: you should do both client-side and server-side validation. Client-side (JavaScript) isn't really for validation; it's just to make the user experience better. Server-side is where you do your actual validation. – Benny Hill Apr 15 '13 at 19:41
  • thanks. I'm just a little overwhelmed with what to do after reading hours of tutorials and comments. – DᴀʀᴛʜVᴀᴅᴇʀ Apr 15 '13 at 19:49

3 Answers

I numbered my responses in order of the bullet points...

  1. $name, $email and $message are already in an array on submit, $_POST. Moving them to another variable is just a preference (not necessarily a best practice). When doing a long form, it can just get tiring having to type $_POST for every variable.

  2. Javascript validation is a convenience, not a fallback. PHP would be your fallback. JS is not needed, but is helpful. You should always validate in PHP as JS can be bypassed easily, however JS is just nice. If I submit a form with an error and I have to wait for an entire page load just to find out, I might not fill out the form again to correct it. Even better in JS is to validate each field on blur (meaning when the cursor leaves the field) so that I can go back if there is an error right away.

  3. PHP is not strictly typed, meaning that '2' == 2 == 2.0. PHP will try to implicitly convert pretty much any type.

  4. Make an image, show it to them and just know the expected response and compare it like any other field. If you want to do the image dynamically, just generate 2 random numbers, store the result in sessions, use gd to draw an image with the math expression and compare it on post.

  5. There are many valid characters that htmlspecialchars will translate. After being translated, they can be reversed, but if not reversed the email is no longer valid and won't reach its intended destination.

Jonathan Kuhn

Many tutorials suggested I use an array for $name, $email, and $message but I wanted to know if this is a best practice?

I'm not sure what you mean. They are in the $_POST, $_GET and/or $_REQUEST arrays depending on how they were sent.

Should I still include JavaScript validation as a fallback?

Yes.

If I use PHP is there a way to treat all submitted content as text or is that default in PHP?

All data submitted via HTTP by a browser is considered a string, no matter what data it is. This is why you want to use is_numeric() instead of is_int() for checking numbers.

I am wanting to create a simple form captcha with 2+2 that would require an input box of 4, and I was wondering if the best way to do that is with if ($_POST['submit'] && $human == '4')?

You will want to use $_SESSION to store the answer to their captcha.

I have read several comments that using $email = htmlspecialchars is bad; can someone explain why?

There are several special characters that are valid characters in an email, that htmlspecialchars() will translate.

JRL
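The two answers above converge on the same server-side design: treat every posted value as a string, validate the raw value before escaping anything, keep the captcha answer in $_SESSION rather than hard-coding '4', and compare strictly. The handler below is an added example that is not code from the question or either answer; it assumes PHP 7.0 or later, input names `name`, `email`, `message`, `human` and `submit`, and a `thanks.php` page to redirect to after a successful submission.

```php
<?php
// Added example (not from the question or the answers): server-side handler
// for a name/email/message contact form with a session-based arithmetic
// captcha. Assumes PHP 7+, the field names below, and a thanks.php page.
declare(strict_types=1);

session_start();

// Create a fresh challenge and keep only the answer, server side, in the session.
function new_captcha(): string
{
    $a = random_int(1, 9);
    $b = random_int(1, 9);
    $_SESSION['captcha_answer'] = (string) ($a + $b);
    return "What is {$a} + {$b}?";
}

// Everything a browser posts is a string (or an array for name[] fields), so
// each field is checked to be a string before any string function touches it.
function field(array $post, string $key): ?string
{
    return (isset($post[$key]) && is_string($post[$key])) ? trim($post[$key]) : null;
}

// Validate the raw submission. Returns a list of error messages; empty means valid.
function validate_contact(array $post, ?string $expectedAnswer): array
{
    $errors  = [];
    $name    = field($post, 'name');
    $email   = field($post, 'email');
    $message = field($post, 'message');
    $human   = field($post, 'human');

    if ($name === null || $name === '' || mb_strlen($name) > 100) {
        $errors[] = 'Name must be between 1 and 100 characters.';
    }
    // Validate the raw address. Running htmlspecialchars() first would turn
    // o'brien@example.com into o&#039;brien@example.com, which is not an email.
    if ($email === null || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Email address is not valid.';
    }
    if ($message === null || $message === '' || mb_strlen($message) > 5000) {
        $errors[] = 'Message must be between 1 and 5000 characters.';
    }
    // Strict comparison against the session copy: with == PHP would treat the
    // numeric strings '4' and '4.0' as equal, and the answer is no longer a fixed '4'.
    if ($expectedAnswer === null || $human === null || $human !== $expectedAnswer) {
        $errors[] = 'The captcha answer is wrong.';
    }
    return $errors;
}

// Escape for HTML output only, and only at the point of output.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$errors = [];
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['submit'])) {
    $expected = $_SESSION['captcha_answer'] ?? null;
    unset($_SESSION['captcha_answer']);   // each challenge is good for one attempt
    $errors = validate_contact($_POST, $expected);
    if ($errors === []) {
        // Deliver the message here (mail(), a queue, a database row), then
        // redirect so a browser refresh does not resubmit the form.
        header('Location: thanks.php', true, 303);
        exit;
    }
}

$question = new_captcha();
?>
<?php foreach ($errors as $e): ?>
  <p class="error"><?= h($e) ?></p>
<?php endforeach; ?>
<form method="post" action="">
  <label>Name <input name="name" value="<?= h(field($_POST, 'name') ?? '') ?>"></label>
  <label>Email <input name="email" type="email" value="<?= h(field($_POST, 'email') ?? '') ?>"></label>
  <label>Message <textarea name="message"><?= h(field($_POST, 'message') ?? '') ?></textarea></label>
  <label><?= h($question) ?> <input name="human" size="4" autocomplete="off"></label>
  <button name="submit" value="1">Send</button>
</form>
```

The `type="email"` attribute and any JavaScript you add on top are the convenience layer the answers mention; `validate_contact()` is the only check that counts, and it runs against the untouched `$_POST` values. Escaping happens once, in `h()`, when a value is written back into the page.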

I know this doesn't answer everything, but hopefully this is helpful.

Many tutorials suggested I use an array for $name, $email, and $message but I wanted to know if this is a best practice?

Not sure what you mean on this one; please elaborate?

Should I still include JavaScript validation as a fallback?

It's definitely a good idea. It's not a fallback so much as a complement. What's really important is that your PHP handles the validation, so no MySQL injections (or other bad stuff) happen. Any JS validation can be easily bypassed, so you can't rely on it. JS validation is mostly a user-friendly way to show that a field is required or not in the proper format.

If I use PHP is there a way to treat all submitted content as text or is that default in PHP?

PHP does not have intrinsic types with regard to variables. That being said, you can use casts and functions to make sure a variable is numeric, etc. With a form, if you have multiple checkboxes with the same name value foods[], then $_POST['foods'] is an array. Most other fields are submitted as text.

I am wanting to create a simple form captcha with 2+2 that would require an input box of 4, and I was wondering if the best way to do that is with if ($_POST['submit'] && $human == '4')?

I would google a good Captcha library for PHP. The demos are usually very thorough and easy to implement.

I have read several comments that using $email = htmlspecialchars is bad; can someone explain why?

I would look into validating the email using regular expressions, some functions can also do this, see: How to validate an Email in PHP?

Harry
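This answer raises two points the other answers do not: a checkbox group named `foods[]` reaches PHP as an array rather than a string, and the PHP side is what stands between the form and a MySQL injection. The script below is an added example, not code from this answer; it shows how to normalise a mixed submission (scalar text fields plus a whitelisted `foods[]` group, with arrays rejected where a string is expected) and how to store it with a prepared statement. The `contact_messages` table, its columns and the constructed `$samplePost` input are assumptions; SQLite in memory is used only so the script runs stand-alone.

```php
<?php
// Added example (not from the answer): normalising mixed form input and
// storing it with a prepared statement. Table, columns and sample input are
// constructed for the demonstration; an in-memory SQLite database stands in
// for MySQL so the script runs offline.
declare(strict_types=1);

const ALLOWED_FOODS = ['pizza', 'sushi', 'tacos'];

// Return the field as a trimmed string, or null if it is absent, empty, too long,
// or was submitted as an array (a client can always send name[]=x instead of name=x).
function text_field(array $post, string $key, int $maxLen): ?string
{
    if (!isset($post[$key]) || !is_string($post[$key])) {
        return null;
    }
    $v = trim($post[$key]);
    return ($v === '' || mb_strlen($v) > $maxLen) ? null : $v;
}

// foods[] arrives as an array of strings; keep only whitelisted values and drop
// duplicates, so unknown, nested or non-string entries are simply ignored.
function checkbox_group(array $post, string $key, array $allowed): array
{
    $raw = $post[$key] ?? [];
    if (!is_array($raw)) {
        $raw = [$raw];   // a single value sent without [] is still usable
    }
    $kept = [];
    foreach ($raw as $v) {
        if (is_string($v) && in_array($v, $allowed, true)) {
            $kept[$v] = true;
        }
    }
    return array_keys($kept);
}

// Bound parameters: the SQL text is fixed and the values travel separately,
// so a quote in the name is data, never part of the statement.
function store_message(PDO $db, string $name, string $email, string $message, array $foods): int
{
    $stmt = $db->prepare(
        'INSERT INTO contact_messages (name, email, message, foods) VALUES (:name, :email, :message, :foods)'
    );
    $stmt->execute([
        ':name'    => $name,
        ':email'   => $email,
        ':message' => $message,
        ':foods'   => implode(',', $foods),
    ]);
    return (int) $db->lastInsertId();
}

// Constructed sample standing in for $_POST: a name containing a quote, a
// duplicated checkbox, an unlisted food and a nested array that should be ignored.
$samplePost = [
    'name'    => "Miles O'Brien",
    'email'   => 'obrien@example.com',
    'message' => 'Hello from the contact form.',
    'foods'   => ['pizza', 'pizza', 'steak', ['nested']],
];

$name    = text_field($samplePost, 'name', 100);
$email   = text_field($samplePost, 'email', 254);
$message = text_field($samplePost, 'message', 5000);
$foods   = checkbox_group($samplePost, 'foods', ALLOWED_FOODS);

if ($name === null || $email === null || $message === null
    || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    echo "Rejected: missing or malformed field\n";
    exit(1);
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE contact_messages (id INTEGER PRIMARY KEY, name TEXT, email TEXT, message TEXT, foods TEXT)');

$id  = store_message($db, $name, $email, $message, $foods);
$row = $db->query('SELECT name, foods FROM contact_messages')->fetch(PDO::FETCH_ASSOC);
echo "Stored row {$id}: name={$row['name']} foods={$row['foods']}\n";
// The name is stored verbatim, apostrophe included, and foods contains only "pizza".
```

Switching to MySQL only changes the DSN passed to `PDO`; the prepare/execute pattern and the whitelist are the same. Note that `text_field()` returning null for an array is deliberate: on PHP 8 passing an array to `trim()` or `htmlspecialchars()` throws a TypeError, and on older versions it silently becomes the string "Array".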