Section 9.5. Validating Input

Any sensible site should include server-side validation of variables, because it cannot be skipped or tampered with by the client the way browser-side checks can, and it will work no matter what browsers your visitors are using.

Basic input validation in PHP is done using the functions is_string( ), is_numeric( ), is_float( ), is_array( ), and is_object( ). Each of these functions takes just one parameter, the variable to test, and returns true if that variable is of the type its name indicates. For example, is_numeric( ) will return true if the variable passed to it is a number, and is_object( ) will return true if its variable is an object. There is one other function of this type that works the same way but is useless for validation, and that is is_resource( ); it's mentioned here for the sake of completeness.

The three basic validation checks you should conduct on input are whether you have each of your required variables, whether they have a value assigned, and whether they are of the type you were expecting. From there, you can conduct more complicated checks, such as whether the integer values are in the range you would expect, whether the string values have enough characters, whether the arrays have enough elements, etc.

Here are some examples:

    // is the $Age variable set with a numeric value between 18 and 30?
    if (isset($Age)) {
        if (is_numeric($Age)) {
            if (($Age > 18) && ($Age < 30)) {
                // input is valid
            } else {
                print "Sorry, you're not the right age!";
            }
        } else {
            // empty or non-numeric
            print "Age is incorrect!";
        }
    } else {
        print "Please provide a value for Age.";
    }

    // is $SpouseAge either unset, blank, or between 18 and 120?
    if (isset($SpouseAge) && $SpouseAge != "") {
        if (is_numeric($SpouseAge)) {
            if (($SpouseAge >= 18) && ($SpouseAge < 120)) {
                // input is valid
            } else {
                print "Spouse is not the right age!";
            }
        } else {
            print "Spouse Age is incorrect!";
        }
    } else {
        // input is valid; no spouse
        print "You have no spouse.";
    }

    // is $Income non-negative?
    if (isset($Income)) {
        if (is_numeric($Income)) {
            if ($Income >= 0) {
                // input is valid
            } else {
                print "Your income is negative!";
            }
        } else {
            print "Please provide a numeric value for Income.";
        }
    } else {
        print "Please provide a value for Income.";
    }

There is a function confusingly similar to is_numeric( ), called is_int( ). This returns true if the variable passed in is an integer, which may sound similar to is_numeric( ). However, data passed in through a form, even if numeric in content, is of type string, which means that is_int( ) will fail. On the other hand, is_numeric( ) returns true if the variable is a number or a string containing a number. This same problem applies to is_float( ), as floating-point values set from user input are typed as strings.
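The following is an added example, not code from the book: it packages the three basic checks (present, non-empty, expected type) and a range check into one reusable function that reads from a $_POST-style array instead of register_globals-style variables, and it shows why is_int( ) and is_float( ) fail on form data while is_numeric( ) works. The $form array is a constructed sample of what a browser submits (every value is a string), and the field names are assumptions for illustration.

```php
<?php
// Added example (not from the book). Validates one numeric form field:
//   1. present?  2. non-empty?  3. numeric?  then a range check on the number.
// Returns [true, value] on success or [false, message] on failure.
function check_number(array $form, string $name, float $min, float $max, bool $required = true): array
{
    // Checks 1 and 2: present and carrying a value? Non-string values (e.g. an
    // unexpected field[] array) are treated as missing rather than passed to trim().
    if (!isset($form[$name]) || !is_string($form[$name]) || trim($form[$name]) === '') {
        return $required
            ? [false, "Please provide a value for $name."]
            : [true, null];                      // optional field left blank is fine
    }
    $value = $form[$name];

    // Check 3: expected type. Form data is always a string, so is_int()/is_float()
    // would fail here; is_numeric() accepts a numeric string.
    if (!is_numeric($value)) {
        return [false, "Please provide a numeric value for $name."];
    }

    // Convert before comparing so the range test runs on a number, not a string.
    $n = $value + 0;                             // numeric string -> int or float
    if ($n < $min || $n > $max) {
        return [false, "$name must be between $min and $max."];
    }
    return [true, $n];
}

// Constructed sample input, as submitted by a browser (all values are strings).
$form = ['Age' => '25', 'SpouseAge' => '', 'Income' => '-5.50', 'Height' => '1.80m'];

// The type functions on form strings:
var_dump(is_int($form['Age']));        // bool(false): "25" is a string
var_dump(is_numeric($form['Age']));    // bool(true)
var_dump(is_float($form['Income']));   // bool(false): "-5.50" is a string too
var_dump(is_numeric($form['Income'])); // bool(true)

print_r(check_number($form, 'Age', 18, 30));               // [true, 25]
print_r(check_number($form, 'SpouseAge', 18, 120, false)); // [true, null] (optional, blank)
print_r(check_number($form, 'Income', 0, 1000000000));     // [false, "Income must be between 0 and 1000000000."]
print_r(check_number($form, 'Height', 0, 3));              // [false, "Please provide a numeric value for Height."]
print_r(check_number($form, 'Weight', 0, 500));            // [false, "Please provide a value for Weight."]
```

Because the function returns the converted number rather than the raw string, later code works with a value that has already passed the type and range tests, which keeps the validation in one place instead of being repeated at every use.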


For more specific parsing of character types in a variable, the CTYPE library is available. There are eleven CTYPE functions in total, all of which work in the same way as is_numeric( ): you pass a variable in, and get either true or false back.

Table 9-2 categorizes what each function matches.

Table 9-2. The CTYPE functions and what they match

    Function           What it matches
    ctype_alnum( )     A-Z, a-z, 0-9
    ctype_alpha( )     A-Z, a-z
    ctype_cntrl( )     ASCII control characters
    ctype_digit( )     0-9
    ctype_graph( )     Values that can be represented graphically
    ctype_lower( )     a-z
    ctype_print( )     Visible characters (not whitespace)
    ctype_punct( )     All non-alphanumeric characters (not whitespace)
    ctype_space( )     Whitespace (space, tab, new line, etc.)
    ctype_upper( )     A-Z
    ctype_xdigit( )    Digits in hexadecimal format


The matches are absolute, which means that ctype_digit( ) will return false for the value "123456789a" because of the "a" at the end, as this script shows:

    $var = "123456789a";
    print (int)ctype_digit($var);

Similarly, "123 " will fail the ctype_digit( ) test because it has a space after the number. There is no CTYPE function that matches floating-point numbers, because ctype_digit( ) matches only 0-9 and not the decimal point; as a result, it will return false for 123.456. For this purpose you need to use is_float( ).
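The following is an added example, not code from the book, showing how the absolute matching of the CTYPE functions is used for whitelist checks on input. Because ctype_* functions say nothing about length, each check adds its own strlen( ) test, and each casts its argument to string first: the CTYPE functions return false for the empty string, and an integer argument in the range -128 to 255 is interpreted as an ASCII code rather than as digits (passing non-strings is deprecated since PHP 8.1). The sample values and the field rules (username length, token length) are constructed assumptions for illustration.

```php
<?php
// Added example (not from the book): whitelist validators built on ctype_*.

// A username: letters and digits only, 3 to 20 characters.
function is_valid_username($value): bool
{
    $s = (string) $value;
    // ctype_alnum('') is false, so the empty string is rejected here as well.
    return ctype_alnum($s) && strlen($s) >= 3 && strlen($s) <= 20;
}

// A hex token of a fixed length (e.g. a 32-character hex identifier).
function is_valid_hex_token($value, int $length = 32): bool
{
    $s = (string) $value;
    return strlen($s) === $length && ctype_xdigit($s);
}

// A whole number: 0-9 only. Rejects "123.456", "123 " and "-5".
function is_whole_number($value): bool
{
    // Cast first: ctype_digit(42) would test the ASCII character '*' (code 42),
    // not the string "42", and would return false.
    return ctype_digit((string) $value);
}

// Absolute matching: the whole string must belong to the class, or the result is false.
$samples = ['123456789a', '123 ', '123.456', '007', 'deadBEEF', ''];
foreach ($samples as $s) {
    printf("%-13s digit=%d alnum=%d xdigit=%d\n",
        var_export($s, true), ctype_digit($s), ctype_alnum($s), ctype_xdigit($s));
}
// '123456789a'  digit=0 alnum=1 xdigit=1   (the trailing 'a' is not a digit, but is a hex digit)
// '123 '        digit=0 alnum=0 xdigit=0   (trailing space fails every class)
// '123.456'     digit=0 alnum=0 xdigit=0   (no CTYPE function accepts the decimal point)
// '007'         digit=1 alnum=1 xdigit=1
// 'deadBEEF'    digit=0 alnum=1 xdigit=1
// ''            digit=0 alnum=0 xdigit=0   (empty string is never a match)

var_dump(is_valid_username('alice01'));            // bool(true)
var_dump(is_valid_username('al ice'));             // bool(false): space is not alphanumeric
var_dump(is_valid_hex_token(str_repeat('a', 32))); // bool(true)
var_dump(is_valid_hex_token('deadbeef'));          // bool(false): wrong length
var_dump(is_whole_number('42'));                   // bool(true)
var_dump(is_whole_number(42));                     // bool(true): cast to "42" before testing
var_dump(is_whole_number('42.0'));                 // bool(false)
```

The pattern to take from this is that a CTYPE test answers only "is every character in this class?"; length, sign, and decimal handling have to be checked separately, and casting to string before the call avoids the integer-as-ASCII surprise.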



PHP in a Nutshell