9.5. Validating Input

Any sensible site should include server-side validation of variables, because they are much harder to hack, and they will work no matter what browsers your visitors are using. Basic input validation in PHP is done using the functions is_string( ), is_numeric( ), is_float( ), is_array( ), and is_object( ). Each of these functions takes just one parameter, a variable of its namesake, and returns true if that variable is of the appropriate type. For example, is_numeric( ) will return true if the variable passed to it is a number, and is_object( ) will return true if its variable is an object. There is one other function of this type that works the same way but is useless for validation, and that is is_resource( ); it's mentioned here for the sake of completeness.

The three basic validation checks you should conduct on input are whether you have each of your required variables, whether they have a value assigned, and whether they are of the type you were expecting. From there, you can conduct more complicated checks, such as whether the integer values are in the range you would expect, whether the string values have enough characters, whether the arrays have enough elements, etc. Here are some examples:

    // $Age, $SpouseAge and $Income are assumed to have already been
    // copied out of the request (for example, $Age = $_POST['Age'] ?? null)

    // is the $Age variable set with a numeric value between 18 and 30?
    if (isset($Age)) {
        if (is_numeric($Age)) {
            if (($Age > 18) && ($Age < 30)) {
                // input is valid
            } else {
                print "Sorry, you're not the right age!";
            }
        } else {
            // empty or non-numeric
            print "Age is incorrect!";
        }
    } else {
        print "Please provide a value for Age.";
    }

    // is $SpouseAge either unset, blank, or between 18 and 120?
    if (isset($SpouseAge) && $SpouseAge != "") {
        if (is_numeric($SpouseAge)) {
            if (($SpouseAge >= 18) && ($SpouseAge < 120)) {
                // input is valid
            } else {
                print "Spouse is not the right age!";
            }
        } else {
            print "Spouse Age is incorrect!";
        }
    } else {
        // input is valid; no spouse
        print "You have no spouse.";
    }

    // is $Income non-negative?
    if (isset($Income)) {
        if (is_numeric($Income)) {
            if ($Income >= 0) {
                // input is valid
            } else {
                print "Your income is negative!";
            }
        } else {
            print "Please provide a numeric value for Income.";
        }
    } else {
        print "Please provide a value for Income.";
    }
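The same three checks (present, non-empty, expected type) followed by the range checks can be collected into one function that returns a list of errors instead of printing as it goes. The following is an added example, not code from the book; the validateAges( ) function, its field names, and the two sample request arrays are constructed for illustration. It keeps the book's bounds, but uses ctype_digit( ) for the whole-number fields so that values such as "18.5", "1e3" and "20abc" are rejected, and is_numeric( ) only for Income, which may legitimately carry decimals. One point worth noticing: values in $_GET and $_POST are always strings, so is_string( ) on its own tells you nothing about a form field.

```php
<?php
// Added example (not from the book): a validator applying the three basic
// checks (present? non-empty? expected type?) before the range checks.
// Request values always arrive as strings, so the numeric tests do the
// real work; every name and sample value here is constructed.

function validateAges(array $input): array
{
    $errors = [];

    // 1. Required field: must be present and non-empty.
    if (!isset($input['Age']) || trim((string)$input['Age']) === '') {
        $errors['Age'] = 'Please provide a value for Age.';
    } elseif (!ctype_digit((string)$input['Age'])) {
        // Only the digits 0-9 pass: no sign, decimal point, exponent or space.
        $errors['Age'] = 'Age is incorrect!';
    } elseif (!((int)$input['Age'] > 18 && (int)$input['Age'] < 30)) {
        $errors['Age'] = "Sorry, you're not the right age!";
    }

    // 2. Optional field: absent or blank is acceptable; otherwise same checks.
    if (isset($input['SpouseAge']) && trim((string)$input['SpouseAge']) !== '') {
        if (!ctype_digit((string)$input['SpouseAge'])) {
            $errors['SpouseAge'] = 'Spouse Age is incorrect!';
        } elseif (!((int)$input['SpouseAge'] >= 18 && (int)$input['SpouseAge'] < 120)) {
            $errors['SpouseAge'] = 'Spouse is not the right age!';
        }
    }

    // 3. Numeric but not necessarily integral: income may have decimals,
    //    so is_numeric() is the right type test, then the sign check.
    if (!isset($input['Income']) || trim((string)$input['Income']) === '') {
        $errors['Income'] = 'Please provide a value for Income.';
    } elseif (!is_numeric($input['Income'])) {
        $errors['Income'] = 'Please provide a numeric value for Income.';
    } elseif ((float)$input['Income'] < 0) {
        $errors['Income'] = 'Your income is negative!';
    }

    // An empty array means every field passed.
    return $errors;
}

// Constructed sample requests standing in for $_POST; every value is a
// string, exactly as a browser would submit it.
$good = ['Age' => '25', 'SpouseAge' => '',   'Income' => '42000.50'];
$bad  = ['Age' => '25abc', 'SpouseAge' => '17', 'Income' => '-3'];

var_dump(validateAges($good));
var_dump(validateAges($bad));
```

Returning the errors rather than printing them lets the caller decide whether to redisplay the form or reject the request outright, and it keeps every field checked even after the first failure, which is easier to audit than a chain of nested if/else blocks that each print and fall through.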
For more specific parsing of character types in a variable, the CTYPE library is available. There are eleven CTYPE functions in total, all of which work in the same way as is_numeric( ): you pass a variable in, and get either true or false back. Table 9-2 categorizes what each function matches.
The matches are absolute, which means that ctype_digit( ) will return false for the value "123456789a" because of the "a" at the end, as this script shows:

    $var = "123456789a";
    print (int)ctype_digit($var);

Similarly, "123 " will fail the ctype_digit( ) test because it has a space after the number. There is no match for floating-point numbers available, as ctype_digit( ) matches 0-9 without also matching the decimal point. As a result, it will return false for 123.456. For this purpose you need to use is_float( ).
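To see the absolute matching side by side with the looser is_numeric( ) test, here is an added example (not from the book) that runs a few constructed form-style strings through both, plus is_float( ). The classify( ) function and the $samples list are mine. The ctype functions expect a string argument, so the value is cast before the call.

```php
<?php
// Added example (not from the book): ctype_digit() versus is_numeric() and
// is_float() on strings a form might submit. Function and samples are
// constructed for illustration.

function classify(string $value): array
{
    return [
        'ctype_digit' => ctype_digit($value),  // true only for 0-9 and nothing else
        'is_numeric'  => is_numeric($value),   // integers, decimals, exponents, signs
        'is_float'    => is_float($value),     // checks the PHP type, which is string here
    ];
}

// Constructed inputs: clean digits, trailing letter, trailing space,
// decimal, negative, and empty.
$samples = ['123456789', '123456789a', '123 ', '123.456', '-5', ''];

foreach ($samples as $s) {
    $r = classify($s);
    printf("%-14s ctype_digit=%d is_numeric=%d is_float=%d\n",
        var_export($s, true), $r['ctype_digit'], $r['is_numeric'], $r['is_float']);
}

// A decimal that arrives as a request string is never a PHP float until it
// is converted, so is_float() only becomes true after a cast such as
// (float)$s; is_numeric() is the test that applies to the raw string.
```

The trailing-space and trailing-letter cases are the ones that matter for validation: ctype_digit( ) rejects both, whereas code that merely casts the string to an integer would silently accept "123 " and "123456789a" as 123 and 123456789.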