User-Friendly Form Validation with PHP and CSS
Subject:   Article Comments and Errata
Date:   2004-04-22 22:07:35
From:   shiflett
I want to make some brief comments and point out a few minor errors.

> A lot of web sites already provide such
> functionality. Unfortunately, these websites
> often have the filename extensions .asp or
> .aspx, and not .php. What a shame. Who says the
> ASP folks down the street should have all the
> fun? In this article, I'll show you how you can
> add such functionality to your PHP forms.
> (Besides, have you ever tried programming in
> ASP? Frankly, PHP is a lot easier!)"

Validating form data is a fundamental activity of Web development, thus any language will suffice. The key is to never rely on client-side validation, as this is as insecure and unrealiable as it sounds.

> Or, if you're sneaky, you might manipulate the
> headers and send the user back to the original
> processlogin.php page.

You mean back to the original login.php page, right?

> There's another way to do it that's a little
> cleaner, and, more importantly, allows you to
> keep your validation code right inside of the
> login.php page.

You're trying to argue that your approach is cleaner, but you don't offer any justification or defense of this statement. I believe that the cleanliness of the approach has almost nothing to do with the URL that the POST request is sent to and almost everything to do with the design of the application that handles and responds to that request.

> header("location: loginsucceeded.php");

The format of the Location header is that it begins with an uppercase L and consists of a single absolute URL. See section 14.30 of RFC 2616 for verification.

As PHP developers, we should adhere to the standards of the Web whenever possible, and using relative URLs in Location headers has also been known to cause problems with certain browsers (cookies not being included in the GET request for the new URL).

> $urlname = urlencode($$_POST['username']);

If $_POST['username'] is chris, then this will attempt to URL encode the value of $chris. Was the second $ intended?

If not, there is also the problem that the form doesn't include an element named username. Perhaps this was meant to be as follows:

$urlname = urlencode($_POST['name']);

In an article about data validation, it might be good to also point out that the thankyou.php script should treat $_GET['username'] as tainted data (this would be true even if proper validation was performed on $_POST['name'] in this example, which would have been a good idea as well).

> thankyou.php?&username=$urlname

I believe the & is unintentional here.

Anyway, I hope these comments are helpful.