PHP validation and verification
Today we are going to review a very important part of the development process of a web application: the validation of user input. This is one of the trickiest parts of any application. Why is that? Because the developer doesn't control it. You can write the best algorithm in the world, but if it includes user input there is still room for mistakes. Even if we add some complicated logic to prevent the input of wrong symbols, check the consistency of the data and do whatever is possible to make sure that it is all OK, there is still a possibility that the user enters the wrong number. All that said, we must try to prevent most human errors, and the best way to do this is by using Regular Expressions.

Basically, Regular Expressions are used for string matching. They are based on searching for and matching patterns in text. A lot of books have been written about them, and there are even some programming languages designed especially for Regular Expressions. But today we are just going to take a brief look at how regular expressions can help us with user input. First of all I suggest that you get familiar with some basic concepts of the language. Its syntax is fully explained in the PHP Manual under Pattern Syntax.

Now let's get to work. I'll present some of the most common problems with user input. I'm pretty sure that you have met most of them, if not all. We are going to create a registration form with required input fields. They are as follows:
- Full Name
- Address
- Passport
- Email
- Phone
- Zip code
- Date
- Username
- Password

Here is the test form that we will use: PHP validation example (download here: http://static.phpjabbers.com/files/tutorials/verification.zip)

We have to define some variables that will hold our error messages. Their values have to be cleared every time we reload our page.

$errName = "";
$errAddress = "";
$errEmail = "";
$errPassport = "";
$errPhone = "";
$errZip = "";
$errDate = "";
$errUser = "";
$errPass = "";


There are two ways to use regular expressions in PHP. One is the true PHP style, in which case we use the ereg() function, and the other is Perl-style syntax, in which case we use the preg_match() function. In this tutorial we will use preg_match() because it is faster in most cases and supports the most common regular expression syntax. It also gives us more capabilities that we can use. Note that ereg() was deprecated in PHP 5.3 and removed in PHP 7, so preg_match() is the only one of the two available in current PHP versions.

We will start with validation of the name of the user. We will allow only letters, spaces and dashes. So we create our regexp (Regular Expression). We will make a class for our possible values. A class is created when we enclose some symbols in square brackets. This is our class:

[a-zA-Z -] Our class includes all letters between a-z (all lower case letters), A-Z (all upper case letters), space and a dash.

Now we have to set this class to apply for every character that we enter. So we add a (+) plus sign after our class definition. We are still missing something. We have not defined the range of our validation test. We have to set which part of the text we are validating. If we don't do this our regular expression will be satisfied if it finds even one match in the characters that we enter, which is of no use for us. How do we do this? We put our string between /^$/ start and end characters. "^" means the start of the line and "$" means the end of it. We are ready to build our regexp.

/^[a-zA-Z -]+$/ The forward slash is used by preg_match to define the start and the end of our regexp.

Now we are finished, aren't we? There is just one more thing to do. The way that we defined our class allows the user to enter a dash at the beginning of the name. This is something we want to prevent, so we have to add something to our regexp to disallow it.

[A-Z] We define a new class for the first letter of the user name. It can contain only upper case letters.

Now we combine what we have done so far, to get the final result. The return of preg_match() is 0 if there isn't a match. In that case we have to set our error variable, so we can show some meaningful message to the user.

/^[A-Z][a-zA-Z -]+$/

// Full Name must contain letters, dashes and spaces only and must start with upper case letter.
if(preg_match("/^[A-Z][a-zA-Z -]+$/", $_POST["name"]) === 0)
    $errName = '<p class="errText">Name must be from letters, dashes, spaces and must not start with dash</p>';
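The check above treats only a return value of 0 as a failure, and `$` also matches just before a trailing newline. The following is an added example, not part of the original tutorial: it shows three inputs that slip past that style of check and a fail-closed alternative. The helper name `is_valid()` and the sample inputs are assumptions made for the illustration.

```php
<?php
// Added example, not the tutorial's code. is_valid() is a hypothetical helper.

// Fail-closed check: only an explicit match (return value 1) counts as valid.
function is_valid(string $pattern, $value): bool
{
    // $_POST["name"] is an array when the request sends name[]=x,
    // and preg_match() needs a string subject.
    if (!is_string($value)) {
        return false;
    }
    // preg_match() returns 1 (match), 0 (no match) or false (error).
    // @ silences the compile warning; the false return is still handled.
    return @preg_match($pattern, $value) === 1;
}

// The tutorial's name pattern, and the same pattern with the D modifier,
// which makes $ match only at the very end of the string.
$loose  = '/^[A-Z][a-zA-Z -]+$/';
$strict = '/^[A-Z][a-zA-Z -]+$/D';

// Constructed pattern: a dash between "_" and "." is an out-of-order range,
// so the pattern does not compile and preg_match() returns false.
$broken = '/^[a-z _-.]+$/';

// Constructed sample inputs.
$cases = [
    'plain name'       => 'John Smith',
    'trailing newline' => "John Smith\n",
    'starts with dash' => '-John',
    'array input'      => ['John Smith'],
];

foreach ($cases as $label => $input) {
    printf("%-17s loose=%d strict=%d\n", $label,
        is_valid($loose, $input), is_valid($strict, $input));
}

// With a pattern that fails to compile, a "=== 0" test is not satisfied by
// the false return, so no error message would be set for any input.
$errorWouldBeSet = (@preg_match($broken, 'anything <b>') === 0);
var_dump($errorWouldBeSet);

// The fail-closed helper rejects the same input.
var_dump(is_valid($broken, 'anything <b>'));
```

Comparing with `=== 1` (or `!== 1` for the error branch) turns both a compile error and a type problem into a rejection.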


Let's move forward to the next validation field, which is going to be the address. Not much to do here, because it can contain a lot of symbols. We just have to define one class that holds them all.

/^[a-zA-Z0-9 _.,:"'-]+$/
We translate this regexp as: from the beginning to the end of the address string, check that every character is one of the following: a-z, A-Z, 0-9, space, underscore, dot, comma, colon, double and single quotes, and dash. The dash is placed last in the class so that it is taken literally and not as a range between two characters. You can add any character that you think may be part of an address. The thing to notice here is that when we have quotes we have to put an escape character before them: the double quote inside the double-quoted PHP string that holds the pattern, and the single quote inside the single-quoted error message.

// Address must be word characters only
if(preg_match("/^[a-zA-Z0-9 _.,:\"'-]+$/", $_POST["address"]) === 0)
    $errAddress = '<p class="errText">Address must be only letters, numbers or one of the following _ - . , : " \'</p>';


Our next task is to create a regexp for email validation. Here we are going to use another feature of regular expressions: escape sequences that represent predefined classes. Here is a list of those that we will use:

\w = [0-9A-Za-z_] Class includes digits, letters and the underscore character.
\d = [0-9] Class includes only digits.

These predefined classes save a lot of typing and make source code easier to read and understand. What is the mask for an email? The first part, the username, can contain letters, digits, dots and the underscore character. It has to begin with a letter, and if we have a dot it must be followed by a letter. Then comes the @ sign, followed again by a part built like the first one. At the end we must have a dot followed by 2 to 4 letters. Whenever we have a character that has a special meaning in regexp and we want to use it as a literal character, we have to escape it with a backslash.

// Email mask
if(preg_match("/^[a-zA-Z]\w+(\.\w+)*@\w+(\.[0-9a-zA-Z]+)*\.[a-zA-Z]{2,4}$/", $_POST["email"]) === 0)
    $errEmail = '<p class="errText">Email must comply with this mask: chars(.chars)@chars(.chars).chars(2-4)</p>';


The next string for validation is the passport. It can contain only numbers and be 10 or 12 digits long. But how do we set how many characters we want? We put the desired number of characters in curly braces {}, and our regexps will look like this: /^\d{10}$/ and /^\d{12}$/. How do we combine these two expressions so that we use either one or the other? We use OR. Its sign is "|". Our statement is complete: /^\d{10}$|^\d{12}$/.

// Passport must be only digits
if(preg_match("/^\d{10}$|^\d{12}$/", $_POST["passport"]) === 0)
    $errPassport = '<p class="errText">Passport must be 10 or 12 digits</p>';


I will present a phone mask. It can vary a lot, but it is simple enough to be easily customized. You just have to define the number of digits in every part of the phone number and choose a delimiter. It can be any symbol you want. The zip code is also very easy to implement.

// Phone mask             1-800-999-9999
if(preg_match("/^\d{1}-\d{3}-\d{3}-\d{4}$/", $_POST["phone"]) === 0)
    $errPhone = '<p class="errText">Phone must comply with this mask: 1-333-333-4444</p>';
// Zip must be 4 digits
if(preg_match("/^\d{4}$/", $_POST["zip"]) === 0)
    $errZip = '<p class="errText">Zip must be 4 digits</p>';


Now we will make a date mask. It will look like this: YYYY-MM-DD. Our date will be made up only of digits. You already know how to set the length of the year, but the month and day can be 1 or 2 digits in length. We set this by separating the two values with a comma: {1,2}. This means that every number in this interval is a valid length.

// Date mask YYYY-MM-DD
if(preg_match("/^[0-9]{4}-[0-9]{1,2}-[0-9]{1,2}$/", $_POST["date"]) === 0)
    $errDate = '<p class="errText">Date must comply with this mask: YYYY-MM-DD</p>';
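The date mask checks only the shape of the string, so a value such as 2014-99-99 passes it. The following added example (not part of the original tutorial) combines the mask with PHP's built-in checkdate() to reject dates that do not exist. The helper name `valid_date()` and the sample dates are assumptions made for the illustration.

```php
<?php
// Added example, not the tutorial's code. valid_date() is a hypothetical helper.

// The tutorial's mask with capture groups for year, month and day.
// The D modifier stops $ from matching before a trailing newline.
const DATE_MASK = '/^([0-9]{4})-([0-9]{1,2})-([0-9]{1,2})$/D';

function valid_date($value): bool
{
    // Reject arrays and anything that does not fit the mask exactly.
    if (!is_string($value) || preg_match(DATE_MASK, $value, $m) !== 1) {
        return false;
    }
    // checkdate(month, day, year) knows month lengths and leap years.
    return checkdate((int) $m[2], (int) $m[3], (int) $m[1]);
}

// Constructed sample inputs.
$samples = [
    '2014-02-28',
    '2014-2-3',
    '2014-02-30',   // February has no 30th day
    '2014-13-01',   // there is no 13th month
    '2014-99-99',
    "2014-02-28\n", // trailing newline
    '2012-02-29',   // leap day
];

foreach ($samples as $date) {
    printf("%-12s mask only=%d mask+checkdate=%d\n",
        json_encode($date),
        preg_match('/^[0-9]{4}-[0-9]{1,2}-[0-9]{1,2}$/', $date),
        valid_date($date));
}
```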


The last thing to check in our registration form is the username and password of our user. The username can be any string that consists of letters, digits and the underscore character (the "\w" predefined class). We want the username to be at least 5 characters long. This is accomplished by this statement: {5,}. The missing value after the comma means that the length can be any value equal to or bigger than 5.

// User must be digits and letters
if(preg_match("/^[0-9a-zA-Z_]{5,}$/", $_POST["user"]) === 0)
    $errUser = '<p class="errText">User must be bigger that 5 chars and contain only digits, letters and underscore</p>';


A good password is the hardest thing to check for. To pass a validation test it must contain at least one lower case letter, one upper case letter and one digit. This will make it hard to break. A thing to know before we start: the dot represents any character. For our purpose we have to make some groups that represent the password. They are defined using parentheses (). Each group will check for a particular condition. The first one will check the length of our string. It must be equal to or bigger than 8. ?= is called a positive lookahead. A positive lookahead says "the next text must be like this and follow these rules." So when we take the "next text" it must be of the type ".{8,}". We declare our first regexp condition as (?=.{8,}). It states that our string must be 8 characters or longer and can contain any character. The second rule that we want to apply to the password is that it contains at least one digit. Again we take our string and check it against our condition (?=.*[0-9]). We write the other conditions similarly. One is for lower case letters and the other is for upper case letters: (?=.*[a-z]) (?=.*[A-Z]). These are the minimal requirements for our password. The user may want an even stronger password, so we add ".*" at the beginning and at the end of the password. This means that any number of characters, from 0 upwards, can be inserted.

// Password must be strong
if(preg_match("/^.*(?=.{8,})(?=.*[0-9])(?=.*[a-z])(?=.*[A-Z]).*$/", $_POST["pass"]) === 0)
    $errPass = '<p class="errText">Password must be at least 8 characters and must contain at least one lower case letter, one upper case letter and one digit</p>';
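Each lookahead in the password pattern is an independent condition, so the conditions can also be tested one at a time to tell the user which rule failed. The following added example (not part of the original tutorial) does that and adds the u modifier so that the length rule counts characters and not bytes. The helper name `password_problems()` and the sample passwords are assumptions made for the illustration.

```php
<?php
// Added example, not the tutorial's code. password_problems() is a hypothetical helper.

// The tutorial's four lookahead conditions, each as its own anchored pattern.
// The u modifier makes "." count UTF-8 characters instead of bytes.
const PASSWORD_RULES = [
    'at least 8 characters' => '/^(?=.{8,})/u',
    'one digit'             => '/^(?=.*[0-9])/u',
    'one lower case letter' => '/^(?=.*[a-z])/u',
    'one upper case letter' => '/^(?=.*[A-Z])/u',
];

// Returns the names of the rules the password does not meet (empty = accepted).
function password_problems($password): array
{
    if (!is_string($password)) {
        return ['not a string'];
    }
    $failed = [];
    foreach (PASSWORD_RULES as $name => $pattern) {
        // Anything other than 1 (no match, invalid UTF-8, error) fails the rule.
        if (preg_match($pattern, $password) !== 1) {
            $failed[] = $name;
        }
    }
    return $failed;
}

// The combined pattern from the tutorial, for comparison.
$tutorial = '/^.*(?=.{8,})(?=.*[0-9])(?=.*[a-z])(?=.*[A-Z]).*$/';

// Constructed samples. The last one is 6 characters but 9 bytes in UTF-8,
// so a byte-based length rule accepts it and a character-based one does not.
$samples = ['Secret123', 'secret123', 'Sh0rt', "Aa1\u{E9}\u{E9}\u{E9}"];

foreach ($samples as $p) {
    printf("%-10s tutorial=%d problems=[%s]\n", $p,
        preg_match($tutorial, $p), implode(', ', password_problems($p)));
}
```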


This concludes our tutorial. You have seen what a powerful tool regular expressions are and how they can help us with form input verification. They are far more complex than what you see here, but knowing at least the basics is essential. So get those heavy books and start reading. I hope that these examples help you with your work.


60 Replies to "PHP validation and verification"

Jigar Bhatt April 22, 2014 at 1:05 pm | Reply

+1

How to validate multiple textboxes in a registration form in PHP?
sundar March 6, 2014 at 12:38 pm | Reply

+1

Nice tutorial. Useful coding. It's great to finally find a tutorial that explains in detail what's what. Thanks for taking the time to share. I have learned a lot of information from your article. Thanks for sharing this information. dreamdestinations.in
kulwinder February 18, 2014 at 5:32 am | Reply

+3

Please tell me how to validate multiple checkboxes and radio buttons and also retain the value... :p
lucia February 14, 2014 at 7:37 pm | Reply

+1

Really a nice tutorial ,,,,, !!!
Halbi Hamza December 26, 2013 at 2:57 pm | Reply

+3

nice tutorial thank u man :)
sumit December 19, 2013 at 8:55 pm | Reply

+2

very good about all ...........
Juan Pendino December 12, 2013 at 2:34 am | Reply

+3

Hi!!!

The $_SERVER["PHP_SELF"] variable can be used by hackers!

If PHP_SELF is used in your page then a user can enter a slash (/) and then some Cross Site Scripting (XSS) commands to execute.

Read this: http://www.w3schools.com/php/php_form_validation.asp
harshavardhan p November 15, 2013 at 12:35 pm | Reply

+6

I am a beginner in PHP. I am doing a web application; the front end is PHP and the back end is MySQL.
I am having a problem with validation. When I am posting the data into a table it is not validating the form. When I remove the connection with the database, i.e. when I am not loading any data and just checking the data, it validates the page perfectly. I don't know where I went wrong. Can you people give any suggestions?
nadia October 24, 2013 at 5:46 pm | Reply

+5

Nice tutorial. It's great to finally find a tutorial that explains in detail what's what. Thanks for taking the time to share.

I'm using the code for my final year project but it's not working. Could you guys by any chance help a girl out? :)
Toby October 24, 2013 at 12:35 pm | Reply

+4

Nice tutorial and pretty well explained.

But one big thing missing is a final summary to look at in case of misunderstandings.
Tutor should offer a package to DL.

Greetz

Toby

