[nycphp-talk] PHP Form Validation
Aaron Fischer
agfische at email.smith.edu
Thu Sep 1 12:52:51 EDT 2005
If the $_POST['var'] doesn't have a value or hasn't been created,
nothing is outputted, so the form just has value="" in the html form.
Nothing wrong with that as far as I know. I use something similar in my
forms, haven't run into any problems.
-Aaron
Cliff Hirsch wrote:
> PHPBuilder just posted this article: PHP Form Validation System: An
> Object-Oriented Approach
> See: http://www.phpbuilder.com/columns/weiner20050831.php3
>
> Besides the primary validation content, the article uses the following
> example, which I often see:
> <input type="text" name="email" value="<?=$_POST['email']?>" />
>
> I often wonder (but not when I'm with my wife) what the pros and cons
> are of using value= $_POST['something'] versus value = $fresh_variable.
>
> First, can't $_POST['email'] create an error, since on first pass, the
> 'email' key would not exist?
>
> Second, how do you set default values? You would be setting the Post
> array, which changes the source of the value from a form post to a
> program. Doesn't seem right to me.
>
> Third, if you do want to "scrub" the input, that implies modifying
> $_POST['something'], which is in direct conflict with Chris
> Shiflett's $clean_array approach. Ok, so what's the harm in letting a
> user send him/herself a potential <nastystuff> script -- still seems
> wrong to me.
>
> Comments?
>
> Cliff Hirsch
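
The three questions in the quoted message (missing key on first pass, default values, and scrubbing versus a separate clean array) can be handled together. The sketch below is an added example, not code from the thread or from the PHPBuilder article; `field_value`, `$defaults`, `$clean` and the sample submission are hypothetical names and constructed data.

```php
<?php
// Added example; field_value(), $defaults and $clean are hypothetical names.

// Constructed sample submission; in a real request this would be $_POST.
$post = array('email' => '"><script>alert(1)</script>');

// Defaults live in their own array, so $_POST is never written to.
$defaults = array('email' => '', 'country' => 'US');

// Validated data is copied into $clean; the raw input is left untouched.
$clean = array();
if (isset($post['email']) && is_string($post['email'])
    && filter_var($post['email'], FILTER_VALIDATE_EMAIL) !== false) {
    $clean['email'] = $post['email'];
}

/**
 * Value to redisplay in a form field: the submitted value if present,
 * otherwise the default. Always escaped for an HTML attribute context.
 */
function field_value(array $submitted, array $defaults, $name)
{
    if (isset($submitted[$name]) && is_string($submitted[$name])) {
        $raw = $submitted[$name];      // redisplay what the user typed
    } elseif (isset($defaults[$name])) {
        $raw = $defaults[$name];       // first pass: key absent, no notice
    } else {
        $raw = '';
    }
    // ENT_QUOTES encodes both quote characters, so the value cannot
    // close the value="..." attribute and start new markup.
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}
?>
<input type="text" name="email" value="<?php echo field_value($post, $defaults, 'email'); ?>" />
<input type="text" name="country" value="<?php echo field_value($post, $defaults, 'country'); ?>" />
<?php
// Only $clean is used for anything beyond redisplay (mail, SQL, storage).
echo isset($clean['email']) ? "accepted\n" : "rejected: invalid email\n";
```

With the constructed input, the email field is rendered with `&quot;&gt;&lt;script&gt;...` inside the attribute, the country field falls back to its default, and the submission is rejected because nothing reached `$clean`.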