Data validation in PHP
Update: I have a new post that explains data sanitization.
One of the most important things to do in any PHP script, program or interface, whatever it may be, is to check the data and verify it’s what YOU want and not allow any spoofs. One of the biggest and most common pitfalls for newer programmers (and, for some reason, PHP programmers) is the lack of data validation. There is a well-known rule of programming and, simply put, it is:
NEVER TRUST USER SUBMITTED DATA – BAR NONE.
I get responses like “You’re too uptight about security” or “Yeah well then how’s the site supposed to work if you never take user submitted data?” Both can be true, but the latter is simple. Just check the data, what’s so friggin’ hard about that? The most commonly checked type of data seems to be an email address; with all of its quirks and workarounds, it’s hard to verify whether or not an email address is real. Mind you, data validation isn’t always just about malicious MySQL injection attempts or XSS (cross-site scripting); it can even be as simple as checking a blog for bad links/language.
Usually I use pre-built functions (or class methods) to verify data integrity, returning true/false for quick usability.
You don’t have to know Regex to be good at data validation, but you can’t really go very far without it. There are lots of pre-built functions in PHP to verify what kind of content data is. Okay, enough talking, let’s get to some code.
Here are a few built-in PHP functions that can save you some time:
- ctype_digit() – checks for numeric characters like 123 etc
- ctype_alpha() – checks for letters of the alphabet
- ctype_xdigit() – checks for characters representing a hexadecimal digit
- ctype_alnum() – checks for alpha numeric characters
Some other built-in functions:
- is_array() – checks if a variable is an array
- is_int() – checks if a variable is an integer
- gettype() – returns the type of a variable
For more of these functions go to php.net/is_int
Also look at this page
For more of these functions, or any functions in general, you can visit one of the most resourceful sites you’ll end up visiting: php.net. I should also mention that if you haven’t read the PHP manual, please do; they made it for a reason. It has almost everything you’ll ever need, and if you’re running Windows there is an awesome Windows .CHM manual you can download that is searchable. It’s a great reference. Anyway, no more tangent.
These functions are built directly into PHP, so you don’t have to recode a lot of stuff. Granted, they don’t exactly do everything you want them to do, but they’re a start.
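An added example (not code from the original post) of where the built-in checks need help: form and query values arrive as strings or arrays, so is_int() never matches them, and ctype_digit() only tells you the characters are digits, not that the value is a sane size. The helper names validate_id() and validate_hex_token(), the limits and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example: helper names and limits are hypothetical.

// Return $raw as an integer ID between 1 and $max, or null if it is not acceptable.
function validate_id($raw, int $max = 1000000): ?int
{
    // Form and query values are strings, or arrays for "id[]=1".
    // Reject anything that is not a string before ctype_digit() sees it.
    if (!is_string($raw)) {
        return null;
    }
    // True only if every character is 0-9, so "", "-5", "1.5", " 42"
    // and "42\n" all fail here.
    if (!ctype_digit($raw)) {
        return null;
    }
    // Bound the length first so a very long digit string cannot overflow the cast.
    if (strlen($raw) > strlen((string) $max)) {
        return null;
    }
    $id = (int) $raw;
    return ($id >= 1 && $id <= $max) ? $id : null;
}

// Return a fixed-length hex token in lower case, or null if it is malformed.
function validate_hex_token($raw, int $length = 32): ?string
{
    if (!is_string($raw) || strlen($raw) !== $length || !ctype_xdigit($raw)) {
        return null;
    }
    return strtolower($raw);
}

// Constructed sample inputs, shaped like values read from $_GET.
$ids = ['42', '007', '0', '', '-5', '1.5', ' 42', "42\n", '99999999999999999999', ['1']];
foreach ($ids as $raw) {
    printf("id    %-24s => %s\n", json_encode($raw), var_export(validate_id($raw), true));
}
$tokens = ['9f86d081884c7d659a2feaa0c55ad015', '9F86D081884C7D659A2FEAA0C55AD015', 'zz86d081884c7d659a2feaa0c55ad015', 'abc'];
foreach ($tokens as $raw) {
    printf("token %-36s => %s\n", json_encode($raw), var_export(validate_hex_token($raw), true));
}

// is_int() tests the variable's type, so it rejects the string "42" from a form.
var_dump(is_int('42'), ctype_digit('42'));
```

Validation like this decides whether to accept a value; it does not replace prepared statements or output escaping when that value later reaches a query or a page.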
Note – anytime you want to look up a function, just go to php.net/function (for example, php.net/is_int). The site will automatically return the corresponding page if there is one for that function/topic.
Anyways, back to data validation.
Like I said earlier, some things just aren’t built into PHP quite yet, like email validation, content validation or whitespace checking. Regex (as regular expressions are commonly referred to) is a method with which you can check for literally any type of value.
I will write a follow-up article on data validation with regular expressions in PHP after this one; I just thought people should know that, aside from writing their own data validation methods, PHP has a couple of handy built-in functions.