On Sun, 2008-12-07 at 17:36 +1030, Michael Kubler wrote: > I agree with Nathan. > Always do server side validation, and if you have the skills, time, or > are being paid then add javascript validation to make the user > experience better. > I have a general contact form which checks the input server side (PHP) > and if there's something wrong then it indicates as such, and shows the > user their input, with the errors and why (e.g not a valid email > address, etc..). > If it was for anything larger than about 10 fields per page, then > javascript validation can be useful. > > Slightly off topic, but does anyone know of an easy way of checking user > input like the PHP filter_var() function? > I've seen plenty of libraries for AJAX, and the like (Prototype, jquery, > etc), but haven't run across any for standard form input validation. > > Thanks. > > Michael Kubler* > * <http://www.greyphoenix.biz> > > > > Nathan Rixham wrote: > > where as I think validation always needs to happen at the server side; > > each application or script should be self contained, it needs to check > > that the data it recieves is valid before working with it; if it is > > not valid it needs to inform the system that sent it the data is not > > valid. > > > > The system that sent it in this case is the html output; so you need a > > method of displaying errors in the html. > > > > That is the bare minimum and always needed. > > > > As for making the experience nicer; javascript is good for this; it > > can be used to pre-validate input on the way in to the system; but > > should not be relied upon as it can be turned off, stop functioning > > due to another faulty javascript on the page or simply not be > > supported by the client. You still need the server side validation > > though. > > > > So.. more of a case of always validate server side; and should / do > > you want to use javascript validation in addition. > > > > IMHO :p > I put a small one together using regular expressions, http://www.ashleysheridan.co.uk/coding_php_validation.php I tend to use it for all my projects where I need to validate the user input. It uses a whitelist-style approach rather than a blacklist style (i.e. it has an allowable entry format rather than checking to see if certain characters don't exist in it) which has had the added benefit of preventing an SQL injection attack that I've seen as well. Ash www.ashleysheridan.co.uk -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
