Creating a PHP-Based Content Management System, Part 4


Peter Zeidman
10/8/2004


When Keats wrote "There is not a fiercer hell than the failure in a great object," he probably wasn't referring to the objects that make up the content management system we've been developing in this series. Still, he had a point: if a component of our system fails, it won't be a good thing, which is why this month we'll be adding some rudimentary code for validation and error handling. We'll then go on to create the categorization system for articles stored on the system.

Validation

There are two main reasons for validating a user's input, the first being security. Let me give you a quick example of how things can go wrong.

Let's say I have a query that searches the database for a value provided by the user. The query code would look something like:

// Vulnerable on purpose: the user's value is concatenated straight into the SQL text
$thequery = 'SELECT * FROM products WHERE name = "'.$HTTP_POST_VARS['uservalue'].'"';
$connector->doQuery($thequery);

The query is assembled from a fixed string (SELECT...) and the user's input ($HTTP_POST_VARS['uservalue'], the pre-PHP 4.1 name for $_POST['uservalue']) before being executed. If the user searches for "waffles," then the query executed will be:

SELECT * FROM products WHERE name = "waffles"

And all is well in the world. However, if your system is accessed by someone a little less pleasant (such as a 13-year-old hacker on school vacation), SQL of the attacker's choosing can be typed in place of the word "waffles," and because it is concatenated into the query text it runs with the same rights as the rest of the query. This type of attack is called SQL injection. Checking that all input from the user is in the format you expect takes away most of the attacker's room to manoeuvre, and that is what this article adds. The complete fix, though, is to stop building query text out of user data at all: pass values to the database separately from the SQL (prepared statements) or, failing that, escape them with the database's own escaping function before they are concatenated. It's difficult, if not impossible, to be 100 percent safe, but we can do our best.
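To make the problem concrete, here is an added example (not code from the article) that builds the article's concatenated query with an honest and a hostile search term, runs both against a small in-memory SQLite table, and then does the same lookup with a prepared statement. It assumes PHP 5.1 or later with the pdo_sqlite extension; the article's own $connector class is not used, the product rows are constructed for the demonstration, and the string delimiter is the single quote of standard SQL rather than the MySQL double quote the article uses (the injection works identically in either case).

```php
<?php
// Added example, not part of the article's CMS code.
// Assumes PHP 5.1+ with pdo_sqlite; the sample rows below are constructed.

// The article's pattern: the user's value is pasted into the SQL text.
function buildConcatenatedQuery($uservalue) {
    return "SELECT name, price FROM products WHERE name = '" . $uservalue . "'";
}

// Hardened form: the SQL text is fixed and the value travels separately,
// so no input can change the query's structure.
function findProductsByName(PDO $db, $name) {
    $stmt = $db->prepare('SELECT name, price FROM products WHERE name = ?');
    $stmt->execute(array($name));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory table standing in for the CMS database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (name TEXT, price REAL)');
$insert = $db->prepare('INSERT INTO products (name, price) VALUES (?, ?)');
foreach (array(array('waffles', 2.50), array('pancakes', 3.00), array('syrup', 4.25)) as $row) {
    $insert->execute($row);
}

// Constructed inputs: an honest search and a hostile one.
$honest  = 'waffles';
$hostile = "waffles' OR '1'='1";

// 1. Concatenation: the hostile string rewrites the WHERE clause.
$sql = buildConcatenatedQuery($honest);
echo $sql, "\n";                                   // ... WHERE name = 'waffles'
echo count($db->query($sql)->fetchAll()), " row(s)\n";   // 1 row(s)

$sql = buildConcatenatedQuery($hostile);
echo $sql, "\n";                                   // ... WHERE name = 'waffles' OR '1'='1'
echo count($db->query($sql)->fetchAll()), " row(s)\n";   // 3 row(s): the whole table

// 2. Prepared statement: the hostile string is just a name nobody has.
echo count(findProductsByName($db, $honest)), " row(s)\n";    // 1 row(s)
echo count(findProductsByName($db, $hostile)), " row(s)\n";   // 0 row(s)
```

The point of the two halves is that validation and parameterisation address different things: the Validator class below rejects input that is not in the expected shape, while the prepared statement guarantees that whatever does get through can only ever be compared as data.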

The second reason for validation is convenience and error handling. For instance, if you have a form asking for a telephone number, you don't want the user to be able to insert letters by mistake. Likewise, you may wish to check that dates have been entered correctly, or a ZIP/ postal code is valid.

The Solution: a Validator Class

The idea is to create a Validator class that we can call every time we need to deal with user input. It'll check whether the given input is safe and correct, and if not it will record an error that we can display.

To begin with, we'll create the framework for a 'Validator' class:

<?php
require_once 'SystemComponent.php';
class Validator extends SystemComponent {

     var $errors = array(); // A list of error messages, one per failed check
     ...
}
?>

There are a few basic types of data we may need to validate:

  •  General: Just check something was typed in
  •  Text Only (i.e., no punctuation or other symbols allowed)
  •  Text Only and no white spaces allowed
  •  E-Mail addresses
  •  Numbers
  •  Dates

We'll need to write a method for each of these. (A method is a chunk of code that performs a task, which we put inside the class.) I'll give an example of one here, the rest can be found in the source file at the end of the article.

function validateNumber($theinput, $description = '') {

    if (is_numeric($theinput)) {
        return true; // The value is numeric, return true
    } else {
        $this->errors[] = $description; // Value not numeric! Add error description to list of errors
        return false; // Return false
    }

}

This method is very simple. It takes the data from the user as input (storing it in $theinput), as well as a message to display if validation fails. It then tests $theinput, and if it's a number returns true. This will tell our system to move along and not get concerned. If the value turns out not to be numeric, the error message is appended to the $errors array, which we created in the previous code snippet, above. One caveat: is_numeric() accepts anything PHP can read as a number, including a sign, a decimal point, an exponent such as "1e3" and leading whitespace, so for a field that should hold a plain count, a stricter check (for example, a regular expression that allows digits only) is the safer choice.

Once we've created methods for each of the data types required, only two more methods are needed. The first will allow us to check whether any errors have occurred, and the second returns a list of errors (if there were any). These are both quite straight-forward, and can be found in the source file at the end of the article.

So how do we use our new class with a form? It's simple. Let's say we've created a form to add an e-mail address to a mailing list. There are two text boxes in the form — one for the user's e-mail address, the other for the maximum number of messages they wish to receive per week. Here's how it works:

<?php
// Gather the data from the form, store it in variables
$userEmail = $HTTP_POST_VARS['email'];
$maxMessages = $HTTP_POST_VARS['maximum'];

// Create a validator object
require_once('includes/Validator.php');
$theValidator = new Validator();

// Validate the form fields
$theValidator->validateEmail($userEmail, 'Email Address');
$theValidator->validateNumber($maxMessages, 'Maximum number of messages');

// Check whether the validator found any problems
if ($theValidator->foundErrors()) {

    // There were errors, so report them to the user
    echo 'There was a problem with: '.$theValidator->listErrors('<br>'); // Show the errors, with a line between each

} else {

    // All ok, so now add the user to the mailing list

}
?>

By checking that the user's input was valid, we've reduced a number of security risks, prevented incorrect entries in our database, and helped the user if they've forgotten to fill out any part of the form. We can now integrate this into all of our Intranet's forms, and move on to some more creative stuff...
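As an added, self-contained illustration of the class the article describes (this is not the article's Validator.php, and it drops the SystemComponent base class so that it runs on its own), here is a Validator with a method for each data type in the list above, the foundErrors() and listErrors() helpers the form code calls, and a stricter validateInteger() alongside the article's validateNumber(). The form data at the bottom is constructed, and the example assumes PHP 5.2 or later for filter_var().

```php
<?php
// Added example, not the article's source file. Assumes PHP 5.2+.
// SystemComponent is omitted so this file is self-contained.

class Validator {
    public $errors = array();   // error descriptions collected so far

    // General: something, anything, was typed in.
    public function validateGeneral($input, $description = '') {
        return $this->record(trim((string) $input) !== '', $description);
    }

    // Text only: letters, optionally with spaces; no digits or symbols.
    public function validateText($input, $description = '', $allowSpaces = true) {
        $pattern = $allowSpaces ? '/^[A-Za-z ]+$/' : '/^[A-Za-z]+$/';
        return $this->record(preg_match($pattern, (string) $input) === 1, $description);
    }

    public function validateEmail($input, $description = '') {
        return $this->record(filter_var($input, FILTER_VALIDATE_EMAIL) !== false, $description);
    }

    // The article's check. Note what is_numeric() lets through:
    // "1e3", " 42" and "-7.5" all pass, rarely what a count field wants.
    public function validateNumber($input, $description = '') {
        return $this->record(is_numeric($input), $description);
    }

    // Stricter: a non-negative whole number written in plain digits.
    public function validateInteger($input, $description = '') {
        return $this->record(preg_match('/^\d+$/', (string) $input) === 1, $description);
    }

    // YYYY-MM-DD that is also a real calendar date (rejects 2004-02-30).
    public function validateDate($input, $description = '') {
        $ok = preg_match('/^(\d{4})-(\d{2})-(\d{2})$/', (string) $input, $m) === 1
            && checkdate((int) $m[2], (int) $m[3], (int) $m[1]);
        return $this->record($ok, $description);
    }

    public function foundErrors() {
        return count($this->errors) > 0;
    }

    public function listErrors($separator = ', ') {
        // Descriptions are written by the developer, but they are escaped
        // anyway so that echoing them into HTML can never become an XSS hole.
        return implode($separator, array_map('htmlspecialchars', $this->errors));
    }

    private function record($ok, $description) {
        if (!$ok) {
            $this->errors[] = $description;
        }
        return $ok;
    }
}

// Constructed stand-in for the mailing-list form's $_POST data.
$post = array('email' => 'reader@example.com', 'maximum' => '1e3');

// With the article's validateNumber(), "1e3" is accepted as a number.
$v = new Validator();
$v->validateEmail($post['email'], 'Email Address');
$v->validateNumber($post['maximum'], 'Maximum number of messages');
var_dump($v->foundErrors());   // bool(false)

// With validateInteger(), the same input is reported back to the user.
$v = new Validator();
$v->validateEmail($post['email'], 'Email Address');
$v->validateInteger($post['maximum'], 'Maximum number of messages');
if ($v->foundErrors()) {
    echo 'There was a problem with: ', $v->listErrors('<br>'), "\n";
    // There was a problem with: Maximum number of messages
}
```

Each check returns a boolean and records a description on failure, so callers can either test the individual return value or, as the form code does, run every check and ask foundErrors() once at the end.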
