[nycphp-talk] PHP Form Validation

Aaron Fischer agfische at email.smith.edu
Thu Sep 1 12:52:51 EDT 2005


If the $_POST['var'] doesn't have a value or hasn't been created, 
nothing is outputted, so the form just has value="" in the HTML form.  
Nothing wrong with that as far as I know.  I use something similar in my 
forms, haven't run into any problems.

-Aaron


Cliff Hirsch wrote:

> PHPBuilder just posted this article: PHP Form Validation System: An 
> Object-Oriented Approach
> See: http://www.phpbuilder.com/columns/weiner20050831.php3 
>  
> Beside the primary validation content, the article uses the following 
> example, which I often see:
> <input type="text" name="email" value="<?=$_POST['email']?>" /> 
>  
> I often wonder (but not when I'm with my wife) what the pros and cons 
> are of using value= $_POST['something'] versus value = $fresh_variable.
>  
> First, can't $_POST['email'] create an error, since on first pass, the 
> 'email' key would not exist?
>  
> Second, how do you set default values? You would be setting the Post 
> array, which changes the source of the value from a form post to a 
> program. Doesn't seem right to me.
>  
> Third, if you do want to "scrub" the input, that implies modifying 
> $_POST['something'], which is in direct conflict with Chris 
> Shiflett's $clean_array approach. Ok, so what's the harm in letting a 
> user send him/herself a potential <nastystuff> script -- still seems 
> wrong to me.
>  
> Comments?
>  
> Cliff Hirsch
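
Added example, not part of the original thread: one way to redisplay a submitted value without touching `$_POST`, covering the three points raised above (missing key on first load, default values, and a separate array for validated data), with escaping applied at output. The names `$defaults`, `$clean` and `field_value()` are hypothetical, the sample submission is constructed, and PHP 7 or later is assumed.

```php
<?php
// Defaults live in their own array, so $_POST is never written to.
$defaults = ['email' => ''];

// Constructed sample submission; on a first page load $_POST would be empty.
$_POST = ['email' => 'user@example.org"><script>alert(1)</script>'];

// Validated values go in a separate array; raw input stays untouched.
$clean = [];
if (isset($_POST['email'])
    && is_string($_POST['email'])
    && filter_var($_POST['email'], FILTER_VALIDATE_EMAIL) !== false) {
    $clean['email'] = $_POST['email'];
}

/**
 * Value to redisplay in the form: the submitted value if present,
 * otherwise the default. isset() avoids the undefined-index notice,
 * and is_string() rejects array input such as email[]=x.
 * Escaping happens here, at output, for an HTML attribute context.
 */
function field_value(string $name, array $submitted, array $defaults): string
{
    $raw = isset($submitted[$name]) && is_string($submitted[$name])
        ? $submitted[$name]
        : ($defaults[$name] ?? '');
    // ENT_QUOTES encodes both quote styles so the value cannot
    // terminate the value="..." attribute it is printed into.
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}
?>
<input type="text" name="email"
       value="<?= field_value('email', $_POST, $defaults) ?>" />
<?php if (isset($_POST['email']) && !isset($clean['email'])): ?>
<p>Please enter a valid email address.</p>
<?php endif; ?>
```

With the constructed input, the rejected value is echoed back as inert text inside the attribute, and only `$clean['email']` (unset here) would be passed on to later processing.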




