Please note, this is a STATIC archive of website www.phpjabbers.com from 29 Oct 2018, cach3.com does not collect or store any user information, there is no "phishing" involved.

PHP validation and verification

Today we are going to review a very important part of the development process of a web application: the validation of user input. This is one of the trickiest parts of any application. Why is that? Because the developer doesn't control it. You can write the best algorithm in the world, but if it includes user input there is still room for mistakes. Even if we add complicated logic to prevent the input of wrong symbols, check the consistency of the data and do whatever is possible to make sure that it is all OK, there is still a possibility that the user enters the wrong number. That said, we must try to prevent most human errors, and the best way to do this is by using Regular Expressions.

Basically, Regular Expressions are used for string matching. They are based on searching for and matching patterns in text. A lot of books have been written about them, and there are even some programming languages designed especially for Regular Expressions. But today we are just going to take a brief look at how regular expressions can help us with user input. First of all, I suggest that you get familiar with some basic concepts of the language. Its syntax is fully explained in PHP Manual --> Pattern Syntax.

Now let's get to work. I'll present some of the most common problems with user input. I'm pretty sure that you have met most of them, if not all. We are going to create a registration form with required input fields. They are as follows:
- Full Name
- Address
- Passport
- Email
- Phone
- Zip code
- Date
- Username
- Password

Here is the test form that we will use: PHP validation example (download here: //cdn.phpjabbers.com/files/tutorials/verification.zip)

We have to define some variables that will hold our error messages. Their values have to be cleared every time we reload our page.

$errName = "";
$errAddress = "";
$errEmail = "";
$errPassport = "";
$errPhone = "";
$errZip = "";
$errDate = "";
$errUser = "";
$errPass = "";


There are two ways to use regular expressions in PHP. One is the POSIX style, in which case we use the ereg() function (deprecated in PHP 5.3 and removed in PHP 7.0). The other is the Perl style syntax, in which case we use the preg_match() function. In this tutorial we will use preg_match() because it is faster in most cases and also supports the most common regular expression syntax. It also gives us more capabilities that we can use.

We will start with validation of the name of the user. We will allow only letters, spaces and dashes. So we create our regexp (Regular Expression). We will make a class for our possible values. The class is created when we enclose some symbols in square brackets. This is our class:

[a-zA-Z -] Our class includes all letters between a-z (all lower case letters), A-Z (all upper case letters), space and a dash.

Now we have to set this class to apply for every character that we enter. So we add a (+) plus sign after our class definition. We are still missing something. We have not defined the range of our validation test. We have to set which part of the text we are validating. If we don't do this our regular expression will be satisfied if it finds even one match in the characters that we enter, which is of no use for us. How do we do this? We put our string between /^$/ start and end characters. "^" means the start of the line and "$" means the end of it. We are ready to build our regexp.

/^[a-zA-Z -]+$/ The forward slash is used by preg_match to define the start and the end of our regexp.

Now we are finished, aren't we? There is just one more thing to do. The way that we defined our class allows the user to enter a dash at the beginning of the name. This is something we want to prevent, so we have to add something to our regexp to disallow it.

[A-Z] We define a new class for the first letter of the user name. It can contain only upper case letters.

Now we combine what we have done so far to get the final result. preg_match() returns 0 if there isn't a match (and false if an error occurs). In that case we have to set our error variable, so we can show a meaningful message to the user.

/^[A-Z][a-zA-Z -]+$/

// Full Name must contain letters, dashes and spaces only and must start with upper case letter.
// preg_match() returns 1 on a match, 0 on no match and false on error; anything but 1 is rejected.
if (preg_match("/^[A-Z][a-zA-Z -]+$/", $_POST["name"]) !== 1)
    $errName = '<p class="errText">Name must be from letters, dashes, spaces and must not start with dash</p>';
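
The return-value handling described above, as an added example that is not part of the original tutorial: a wrapper that treats input as valid only when preg_match() returns exactly 1. The matches() helper, the D modifier on the name pattern and all sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example, not from the tutorial: matches() is a hypothetical helper
// and every input below is constructed for illustration.

function matches(string $pattern, $value): bool
{
    // A form field can arrive as an array (name[]=x); only strings are valid.
    if (!is_string($value)) {
        return false;
    }
    // preg_match() gives 1 (match), 0 (no match) or false (error).
    // Accept only an explicit 1; @ silences the warning for a bad pattern.
    return @preg_match($pattern, $value) === 1;
}

$loose  = '/^[A-Z][a-zA-Z -]+$/';   // "$" also matches before a final newline
$strict = '/^[A-Z][a-zA-Z -]+$/D';  // D: "$" matches only at the very end
$broken = '/^[a-zA-Z0-9 _-.]+$/';   // "_-." is an out-of-order range

$inputs = [
    'plain name'       => 'John Smith',
    'leading dash'     => '-John',
    'trailing newline' => "John Smith\n",
    'array parameter'  => ['John'],
];

foreach ($inputs as $label => $value) {
    printf(
        "%-17s loose=%-5s strict=%s\n",
        $label,
        var_export(matches($loose, $value), true),
        var_export(matches($strict, $value), true)
    );
}

// A pattern that fails to compile returns false, which "=== 0" does not catch.
$raw = @preg_match($broken, '12 Main St.');
printf(
    "broken pattern: raw=%s, '=== 0' flags it=%s, matches()=%s\n",
    var_export($raw, true),
    var_export($raw === 0, true),
    var_export(matches($broken, '12 Main St.'), true)
);
```

The trailing-newline row is the only one where the loose and strict patterns disagree, and the last line shows a check for 0 letting the input through when the pattern itself is invalid.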


Let's move forward to the next validation field, which is going to be the address. There is not much to do here, because it can contain a lot of symbols. We just have to define one class that holds them all.

/^[a-zA-Z0-9 _\-.,:\"\']+$/
We translate this regexp as: from the beginning to the end of the address string, check that every character is one of the following: a-z, A-Z, 0-9, space, underscore, dash, dot, comma, colon, double and single quotes. You can add any character that you think may be part of an address. The thing to notice here is that when we have quotes we have to put an escape character before them. The dash is escaped as well, because an unescaped dash between two characters inside a class defines a range.

// Address must be word characters only
if (preg_match("/^[a-zA-Z0-9 _\-.,:\"\']+$/", $_POST["address"]) !== 1)
    $errAddress = '<p class="errText">Address must be only letters, numbers or one of the following _ - . , : " \'</p>';


Our next task is to create a regexp for email validation. Here we are going to use another feature of regular expressions: constants that represent predefined classes. Here is a list of those that we will use:

\w = [0-9A-Za-z_] Class includes digits, letters and the underscore character.
\d = [0-9] Class includes only digits.

These constants save a lot of typing and make source code easier to read and understand. What is the mask for an email? The first part, the username, can contain letters, digits, dots and the underscore character. It has to begin with a letter, and if we have a dot it must be followed by a letter. Then it must be followed by the @ sign and again the first part. At the end we must have a dot followed by 2 to 4 letters. Whenever we have a character that has a special meaning in regexp and we want to use it as a plain character, we have to escape it with a backslash.

// Email mask
if (preg_match("/^[a-zA-Z]\w+(\.\w+)*@\w+(\.[0-9a-zA-Z]+)*\.[a-zA-Z]{2,4}$/", $_POST["email"]) !== 1)
    $errEmail = '<p class="errText">Email must comply with this mask: chars(.chars)@chars(.chars).chars(2-4)</p>';


The next string for validation is the passport. It can contain only numbers and be 10 or 12 digits long. But how do we set how many characters we want? We put the desired number of characters in braces {} and our regexps will look like this: /^\d{10}$/ and /^\d{12}$/. How do we combine these two expressions so that we use either one or the other? We use OR. Its sign is "|". Our statement is complete: /^\d{10}$|^\d{12}$/.

// Passport must be only digits
if (preg_match("/^\d{10}$|^\d{12}$/", $_POST["passport"]) !== 1)
    $errPassport = '<p class="errText">Passport must be 10 or 12 digits</p>';


Next I will present a phone mask. Phone formats can vary a lot, but this mask is simple enough to be easily customized. You just have to define the number of digits in every part of the phone number and choose a delimiter. It can be any symbol you want. Zip code is also very easy to implement.

// Phone mask 1-800-999-9999
if (preg_match("/^\d{1}-\d{3}-\d{3}-\d{4}$/", $_POST["phone"]) !== 1)
    $errPhone = '<p class="errText">Phone must comply with this mask: 1-333-333-4444</p>';
// Zip must be 4 digits
if (preg_match("/^\d{4}$/", $_POST["zip"]) !== 1)
    $errZip = '<p class="errText">Zip must be 4 digits</p>';


Now we will make a date mask. It will look like this: YYYY-MM-DD. Our date will be made only of digits. You already know how to set the length of the year, but the month and day can be between 1 and 2 digits in length. We set this by separating the two values with a comma: {1,2}. This means that all the numbers in this interval are valid values.

// Date mask YYYY-MM-DD
if (preg_match("/^[0-9]{4}-[0-9]{1,2}-[0-9]{1,2}$/", $_POST["date"]) !== 1)
    $errDate = '<p class="errText">Date must comply with this mask: YYYY-MM-DD</p>';
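
The date mask checks only the shape of the string, so values such as 2018-99-99 satisfy it. As an added example that is not part of the original tutorial, the same mask combined with PHP's checkdate() so that only real calendar dates are accepted; parseDate() and the sample dates are assumptions constructed for illustration.

```php
<?php
// Added example, not from the tutorial: parseDate() is a hypothetical helper
// and the sample dates are constructed for illustration.

function parseDate($value): ?string
{
    if (!is_string($value)) {
        return null;
    }
    // Same YYYY-MM-DD mask as above, with capture groups and the D modifier
    // so that a trailing newline is rejected.
    if (preg_match('/^([0-9]{4})-([0-9]{1,2})-([0-9]{1,2})$/D', $value, $m) !== 1) {
        return null;
    }
    [$year, $month, $day] = [(int) $m[1], (int) $m[2], (int) $m[3]];
    // checkdate() knows month lengths and leap years; the mask does not.
    if (!checkdate($month, $day, $year)) {
        return null;
    }
    // Return one canonical form so later code never sees "2018-2-5".
    return sprintf('%04d-%02d-%02d', $year, $month, $day);
}

$samples = [
    '2018-10-29',    // ordinary date
    '2018-2-5',      // one-digit month and day, allowed by the mask
    '2016-02-29',    // leap day in a leap year
    '2018-02-29',    // leap day in a non-leap year
    '2018-13-01',    // month out of range
    '2018-99-99',    // fits the mask, not a date
    "2018-10-29\n",  // trailing newline
    '18-10-29',      // two-digit year
];

foreach ($samples as $s) {
    printf("%-14s => %s\n", json_encode($s), var_export(parseDate($s), true));
}
```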


The last thing to check in our registration form is the username and password of our user. The username can be any string that consists of letters, digits and the underscore character (the "\w" predefined class). We want the username to be at least 5 chars long. This is accomplished by this statement: {5,}. The missing value after the comma means that the length can be any value equal to or bigger than 5.

// User must be digits and letters
if (preg_match("/^[0-9a-zA-Z_]{5,}$/", $_POST["user"]) !== 1)
    $errUser = '<p class="errText">User must be at least 5 chars long and contain only digits, letters and underscore</p>';


A good password is the hardest thing to check for. To pass a validation test it must contain at least one lower case letter, one upper case letter and one digit. This will make it hard to break. A thing to know before we start: the dot represents any character. For our purpose we have to make some groups that represent the password. They are defined using parentheses (). Each group will check for a particular condition. The first one will check the length of our string. It must be equal to or bigger than 8. ?= is called a positive lookahead. A positive lookahead says "the next text must be like this and follow these rules." So when we take the "next text" it must be of the type ".{8,}". We declare our first regexp condition as (?=.{8,}). It states that the length of our string must be equal to or bigger than 8 and that it can contain any character. The second rule that we want to apply to the password is that it contains at least one digit. Again we take our string and check it against our condition (?=.*[0-9]). We do the other conditions similarly. One is for lower case letters and the other is for upper case letters: (?=.*[a-z]) (?=.*[A-Z]). These are the minimal requirements for our password. The user may want an even stronger password, so we add ".*" at the beginning and at the end of the password. This means that any number of characters, from zero upward, can be inserted there.

// Password must be strong
if (preg_match("/^.*(?=.{8,})(?=.*[0-9])(?=.*[a-z])(?=.*[A-Z]).*$/", $_POST["pass"]) !== 1)
    $errPass = '<p class="errText">Password must be at least 8 characters and must contain at least one lower case letter, one upper case letter and one digit</p>';


This concludes our tutorial. You see what a powerful tool regular expressions are and how they can help us in form input verification. They are way more complex than what you see here, but knowing at least the basics is essential. So get those heavy books and start reading. I hope that these examples help you with your work.
