Variable Filtering & Form Validation in PHP

Forms are common in almost all web applications, since users need them to interact with the application. Users submit data through the form so that we can manipulate it as needed and perhaps store it in a datastore.

However we use the form data in the application, there is one thing we can be sure of: We can never trust the data from the form to be what we want. A user can enter anything into a form, including potentially harmful data (whether intentionally or not). If a user submits an email address that is improperly formed, they might not get your promotional emails or be able to reset a password. Worse yet, they could enter malicious data into the form that could reveal data about other users, bring down the site, or much worse.

Bottom line: We must never trust data from a form to be what we expect it to be. This is where form validation will save us.

Form validation can be implemented in several different ways. Here, I’ll show you an example of variable filtering, where we’ll look at a variable in the PHP interactive shell to test that it is the type of data we want. (For a more in-depth look at form validation, play through our new PHP course, Close Encounters With PHP.)

To get started, open a terminal on the computer or container where PHP is installed.

If you have it on your local machine, you should be able to run the following command:

php -a

I’m using Docker as a development environment, so I’ll use exec with docker-compose to run the same php -a command.

docker-compose exec php php -a

Either method should bring you to an interactive shell, which will look like this:

Interactive mode enabled

php >

From here, we can create our variable called $url and set it equal to the string value 'http://codeschool.com'.

php > $url = 'http://codeschool.com';

Even in the interactive shell, make sure to end all your lines in a semicolon to tell the shell you are done with the line. Otherwise, the interpreter will expect a multi-line statement.

We can make sure the variable is what we expect by echoing the variable.

php > echo $url;
http://codeschool.com

In order to test a variable, we are going to use a built-in PHP function named filter_var. This function will take two arguments: The first is the variable to filter, and the second is a filter to test against.

PHP offers us several validation filters to test against in the form of constants. You can find all of the validate filter constants in the PHP manual. We will be working with a constant specifically for testing URLs named FILTER_VALIDATE_URL.

So to test our URL with filter_var, we’ll enter the following:

php > echo filter_var($url, FILTER_VALIDATE_URL);
http://codeschool.com

I’m adding an echo on the front of filter_var so that we might see the result of the function. If the variable that is filtered is correct, the function will return the variable value — otherwise, it will return a boolean false.

Let’s change the variable to something invalid and run the code again. Since echo prints nothing for a false value, we will need to wrap the filter in a var_dump instead of the echo.

php > $url = 'not a valid url';
php > var_dump( filter_var($url, FILTER_VALIDATE_URL) );
bool(false)

So now that we know we’ll get a boolean false on failure and the actual value of the variable on pass, we can use this in a conditional!

php > if( filter_var($url, FILTER_VALIDATE_URL) === false ) {
php { echo 'The url you entered is not valid, please try again.';
php { }
The url you entered is not valid, please try again.

Here, I have used a multi-line statement in the interactive shell. Note how the prompt of > has changed to { to let me know where I am inside the control structure.
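
The same pattern in a script file, as an added example that is not part of the original article: it goes beyond the single URL check to an email and an integer field, and shows two things the shell session does not. FILTER_VALIDATE_URL only checks syntax and accepts any scheme, and a valid value such as 0 is falsy, which is why the strict === false comparison matters. The function name validate_form, the field names, the 0 to 100 range and the sample submission are assumptions made for illustration.

```php
<?php
// Added example, not from the original article. Field names, limits and the
// sample submission are constructed for illustration.

function validate_form(array $input): array
{
    $clean = [];
    $errors = [];

    // FILTER_VALIDATE_URL checks syntax only and accepts any scheme, so also
    // restrict the scheme to the ones the application expects.
    $url = filter_var($input['website'] ?? '', FILTER_VALIDATE_URL);
    $scheme = $url === false ? '' : strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if ($url === false || !in_array($scheme, ['http', 'https'], true)) {
        $errors['website'] = 'Please enter a valid http or https URL.';
    } else {
        $clean['website'] = $url;
    }

    $email = filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors['email'] = 'Please enter a valid email address.';
    } else {
        $clean['email'] = $email;
    }

    // A valid "0" comes back as int 0, which is falsy. The strict === false
    // comparison keeps a legitimate zero from being treated as a failure.
    $quantity = filter_var($input['quantity'] ?? '', FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => 100],
    ]);
    if ($quantity === false) {
        $errors['quantity'] = 'Quantity must be a whole number from 0 to 100.';
    } else {
        $clean['quantity'] = $quantity;
    }

    return [$clean, $errors];
}

// Constructed sample submission, standing in for $_POST.
$post = [
    'website'  => 'ftp://example.com/file',
    'email'    => 'not-an-email',
    'quantity' => '0',
];

[$clean, $errors] = validate_form($post);
var_dump($clean, $errors);
```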

I hope you enjoyed this little taste of variable filtering in PHP. If you want to learn even more about validation and forms in PHP, be sure to play our Close Encounters With PHP course, and let us know how you’ve used PHP in the comments below!

About the Author

Hampton Paulk

Hampton began learning and creating in the digital realm over 15 years ago and enjoys helping students improve and work toward their goals. When he’s not working on the computer, you’ll find him spending time with his family, hopefully outdoors, enjoying life’s simple pleasures.
