I'm trying my first form validation with PHP.

I need some guidance with the logic.

I have purchase.php (which has the form) and review-purchase.php (which sets SESSION variables and displays the user data inputted).

If any of the fields fail validation I don't want the user to get to review-purchase.php

Should I be sending the user to the review-purchase.php script, checking validation there and then redirecting back to purchase.php with an error message?

or

should I be using an if/else statement with $_SERVER['php_self'] etc in the form action="" and keep all the validation on the purchase.php page itself and only letting purchase-review run if everything passes validation?

Sorry for the confusing question but I myself am very confused...

+3  A: 

That's a question many people ask themselves, and there is probably not one right answer...

What I generally do, in your case, is:

  • purchase.php displays the form
  • that form posts to itself (i.e., purchase.php)
  • when data has been submitted, it is dealt with -- still in purchase.php
    • if there is an error (like something not OK in the input), you can re-display the form really easily this way: you already have every value that was typed in by the user
    • if there is no error, you can do whatever you have to with the data, like set it in session, if that's what you need, or save it to database, for instance.
  • only when everything was OK (data validation OK and storage OK), you redirect to "confirm.php"
    • that confirmation page does nothing except display a message saying "thanks for your purchase", or something like that.


It means putting more stuff in your purchase.php, yes:

  • (re-)displaying of the form
  • dealing with the input

But, this way, it is much easier to re-display the form, pre-filled with what the user first typed, when there's a validation error.

You can use functions/classes/methods or even some included files, though, to not end up with one big chunk of unreadable / unmaintainable code...

If your form posts to another page, it'll be much harder to re-display the form... If you are using redirections, you'll have to pass everything in the URL, and it'll be a mess (and there's a size limit, too).


Here, it means I would totally remove your review-purchase.php file, and transform it into a confirmation page, so the user knows everything was OK and his purchase is being taken care of.

I suppose it's quite what you meant in your last paragraph, actually :-)


Just beware: you have to think about escaping data before injecting it back into the form (see htmlspecialchars and/or htmlentities); that is true for everything you get from the user *(And, probably, for PHP_SELF too, I'd say)* ;-)

Pascal MARTIN
That makes sense and sounds a lot simpler than what I'm trying to do. But let's say I wanted to validate at confirm.php, how would I send the user back to the original form? Is there something more effective than header(); ?
chris
If validating on confirm.php, I don't really see another option than redirecting the user with header (using http_build_query will help, btw); or re-displaying the form, with some include, from confirm.php; but that's not what I would consider the easier way.
Pascal MARTIN
thx Pascal you helped me understand a lot but I had to accept the other answer because it is the logic I used in the end.
chris
no problem :-) Have fun !
Pascal MARTIN
+1  A: 

The most common way of doing this would be to do all your validation checks in purchase.php. This way, if there are validation errors, it's easier to re-display the form with all of the information that the user has already entered.

If the validation passes, you can do a redirect to review-purchase.php with the necessary purchase information set in a database, or possibly $_SESSION if you're not using a database.

If you can separate the validation code into functions, and the display code into templates to be included, you can achieve a nice separation of logic that would allow you to use them from whichever file you go with. You might be able to avoid a redirect in that way, ie. in purchase.php you could check if there's $_POST input, validate it, and either re-display the form template, or display the purchase review template.

zombat
nice tip as my main concern with the processing to self was how messy it was becoming.
chris
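The flow described in the first two answers (a form that posts to itself, validation kept in a function, escaping on re-display, redirect only on success), as an added example that is not code from any answer on this page. The field names and the length and quantity limits are assumptions made for illustration.

```php
<?php
// purchase.php: added example. Field names and limits are assumptions.
declare(strict_types=1);
session_start();

// Escape every user-supplied value before it goes back into HTML.
function e(string $v): string {
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Server-side validation; returns [cleaned values, errors keyed by field].
function validate_purchase(array $in): array {
    // Treat non-string input (e.g. name[]=x) as empty instead of trusting it.
    $get = fn(string $k): string => is_string($in[$k] ?? null) ? trim($in[$k]) : '';
    $v = ['name' => $get('name'), 'email' => $get('email'), 'qty' => $get('qty')];
    $err = [];
    if ($v['name'] === '' || strlen($v['name']) > 100) {
        $err['name'] = 'Name is required (max 100 bytes).';
    }
    if (filter_var($v['email'], FILTER_VALIDATE_EMAIL) === false) {
        $err['email'] = 'Enter a valid e-mail address.';
    }
    $range = ['options' => ['min_range' => 1, 'max_range' => 99]];
    if (filter_var($v['qty'], FILTER_VALIDATE_INT, $range) === false) {
        $err['qty'] = 'Quantity must be a whole number from 1 to 99.';
    }
    return [$v, $err];
}

$values = ['name' => '', 'email' => '', 'qty' => '1'];
$errors = [];
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    [$values, $errors] = validate_purchase($_POST);
    if (!$errors) {
        $_SESSION['purchase'] = $values;            // only validated data is stored
        header('Location: confirm.php', true, 303); // Post/Redirect/Get
        exit;                                       // nothing below runs after the redirect
    }
}
?>
<form method="post" action="purchase.php"><!-- fixed action, not PHP_SELF -->
<?php foreach ($values as $field => $value): ?>
  <label><?= e($field) ?>
    <input name="<?= e($field) ?>" value="<?= e($value) ?>"></label>
  <span class="error"><?= e($errors[$field] ?? '') ?></span>
<?php endforeach; ?>
  <button type="submit">Continue</button>
</form>
```

The page that receives the redirect should read only `$_SESSION['purchase']` and escape it the same way when displaying it.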
+1  A: 

Well, it seems you have a misconception about where and when PHP code is executed. If you want to validate user input on the server side - with PHP (and you should because any JavaScript validation on the client can be worked around by a nefarious user) - the PHP validation can only occur after the user has posted data. That is no matter to which page the user posts the data - be it the original form or a different page.

So, in your situation, if you want users to go to a page if validation is successful and to a different page if validation fails, you will need to do a redirect anyway.

In this case you have two paths:

  • user requests Purchase.php and fills out the form
  • user posts data to validation page
  • if data is valid -> display purchase review information
    else -> re-display form page and have user re-enter data

So if Purchase.php posts to itself, you can validate there and redirect to review.php only if data is valid. Which means that in the successful case you do 2 redirects and in the failed case you do only 1 post.

On the other hand, if you post directly to review.php and you validate there, you have 1 post in the successful case, and 2 in the failed case.

The above is true no matter how you spin it - unless you use the same URL for the form and the review, in which case you can put logic in the same place to do the form, validation and purchase review in the successful case.

I hope this helps.

Miky Dinescu
I like this logic as I can use it with the way my current form is set up.
chris