HTML Form server side validation

Last time I wrote about two validation methods on the client site. I also admit that this kind of validation won’t protect your server from hacker attacks. This because HTML and JavaScript files could be changed by users. So in this post, I show you, how to build a validation function in PHP.

Remove special characters from HTML Form data

One of the well-known attacking ways to force server protection relies on injection code to SQL Base using HTML form. Especially text area fields could be used to send code to the Server. But we are able to prevent this situation very easily. In PHP there is a function called preg_replace(). This function has several parameters:

  • Pattern – here you declare which kind of characters function should replace. To decelerate these characters you should use a regular expression. More about regular expression you will find below;
  • Replacement – here you can put characters that will replace removed characters;
  • Subject – a string that function should check;
  • Limit – you can set how many characters should be replaced (optional there is no limit);
  • Count – you can set a variable, where the function will store how many characters were replaced.

As a return of this function, you will get a new string.

Regular expression

Before I show you how this PHP function can be used, let’s closer look at regular expressions. This allows you to define what kind of characters the function should check. For example, if you want to check if in the string there is a number character, you should write regular expressions in this way /[0-9]/. Each regular expression you start with the “/” character and end in the “/” character. Inside you can put a single character or range like this [0-9]. This range includes all numbers from “0” to “9”.

What’s more, you can put several types of range inside square brackets. In this case, we are interested in excluding special characters but save all others. To do this, we need to use a negation declaration. To do this you should use the “^” sign. Finally regular expression should look like this: /[^a-zA-Z0-9 ]/. Space between “9” and “]” added space character to a regular expression.

Finally, the function should look like this:

$cleanString = preg_replace(‘/[^a-zA-Z0-9 ]/’, ‘’, $_POST[‘textString’]);

How this line of code works? First of all, the function takes a string of characters and removes from this string all special characters. The only letter is acceptable (big and small), numbers and spaces. In a stand of special characters function will return no character. In this line of code, this is set as the second parameter of function preg_replace.

Now there is only one big question: how to allows users to use special characters in the password field? This is a good question and I’m not sure if hashing password using, for example, the sha1() function is enough to protect the server from hacking via injection method. Of course, hashing function will change characters into a hexadecimal string but I’m not a security master and perhaps this is not enough.

How to display errors on the server site in HTML?

When something goes wrong on the server-side, it will be good to display an error message to the user. To do this you need to set an if-else statement depends on how you build a clearing mechanism. In relation to the first and last name fields, I used the preg_replace function. I set that this function clear all characters that didn’t match to (a-zA-Z) regular expression setting. I also use the “count” mechanism of this function to display errors when the function deleted even one element.

HTML form fields to check first name and surname value

To check the login field I use several functions. First I remove spaces using the trim function, then I check if the login has at least 5 letters. In the end, I check if the regular expression is fulfill using the preg_mach function. This function return TRUE or FALSE depends on the condition that was set.

HTML form login filed checking code

In the password field, I only remove spaces and add hashing method. In the email field, I deleted spaces and HTML special characters.

HTML form password and email fields checking code

Lastly, I build an if-else statement that displays again forms when the error value is not null. To do this I used previous build HTML code, but add some additional elements.


At the top of the website I want to display an error message, so I use a paragraph and insert into this paragraph variable error. What’s more, I can insert values previously added by the user to fields using value attribute and PHP variable.

HTML form built by PHP code

Summarizing now you have a three-step validation HTML form for users. In most situation, this is enough, but remember hackers are always one step ahead of you and you need to keep a hand on pulls to keep you site secure.

No comments
Krzysztof NyrekHTML Form server side validation

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *

twenty + 14 =