Have you tried a web search for - php form validation?
No. Sanitize implies that you are going to remove bad things from a value. Other than trimming data, mainly so that you can determine if it was all white-space characters, don’t modify data, as this changes the meaning of the data. Just validate it. If it is valid, use it. If it is not, tell the user what was wrong with it so that they can correct the value.
As to the posted code -
Don’t attempt to detect if the submit button is set. There are cases where it won’t be. Just detect if a post method form was submitted.
htmlentities() is an output function. It is used when you output data in a html context. Do NOT use it on the input data to your form processing code.
Don’t change the names of values. Use the same name for any particular piece of data throughout your code. This just creates more work for you in keeping track of the values and creates more typo mistakes.
Keep the form data as a set, in an array variable, then access elements in this array variable throughout the rest of the code.
For select/option, radio, and checkbox fields, you would validate that the submitted value is one of the permitted choices. See item #12 on this list on how to do this.
For select/option menus, the first choice/prompt should be an empty value and if ‘None’ is a valid choice, it should have its own option entry separate from the prompt entry.
Making an array of the form data, storing it in a session variable, then redirecting is needless coding. Your form processing code, after trimming and validating the data, should use the data on the current page. The only redirect you should do in your form processing code should be upon successful completion, without any errors, to the exact same URL of the current page to cause a get request for that page.
Every redirect needs an exit/die statement to stop code execution.
Your form and form processing code should be on the same page. To get the form to submit to the same page it is on, leave out the entire action=‘…’ attribute.
If you put the <label></label> tags around the field they belong with, you can eliminate the for=‘…’ and id=‘…’ attributes.
The form fields should be ‘sticky’ and be repopulated with any existing value or checked/selected state, so that the user doesn’t need to keep reentering/selecting data should there be a validation error.
For select/option, checkbox, and radio fields, you need to define arrays with the choices, then dynamically produce the fields. This will allow you to modify the choices simply by changing the defining arrays, validate the input simply by checking if the value is in the defining array (see in_array()), and it will make it easy to re-check/re-select existing choices when you redisplay the form.
Any dynamic value that you output in a html context should have htmlentities() applied to it, when you output it.
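Putting the points in this post together, as an added example (not the poster's code): a single PHP page that holds both the form and its processing code. The field names, the colour choices and the success message are assumptions.

```php
<?php
// Added example: form and form processing on the same page, data kept as a set,
// validated (not sanitised), redirected only on success, escaped only on output.
session_start();
$errors = [];
$post = [];
// Defining array for the select menu; the first (empty) entry is the prompt,
// and 'None' is its own separate choice.
$colors = ['' => 'Choose a colour', 'red' => 'Red', 'blue' => 'Blue', 'none' => 'None'];

// Detect a post method form, not whether a particular submit button is set.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Trim all scalar values at once, keeping the original field names
    // (assumes no array fields such as a multi-select are present).
    $post = array_map('trim', $_POST);
    if (($post['first_name'] ?? '') === '') {
        $errors['first_name'] = 'First name is required.';
    }
    // Validate the select value against the defining array; the prompt is not a choice.
    $color = $post['color'] ?? '';
    if ($color === '' || !isset($colors[$color])) {
        $errors['color'] = 'Please choose a colour.';
    }
    // A checkbox is simply present or absent in the post array; both are valid.
    $post['status'] = isset($_POST['status']) ? 1 : 0;
    if (!$errors) {
        // ... use the validated data here (e.g. insert it into a database) ...
        $_SESSION['success'] = 'Saved.';
        // Redirect to the exact same URL to cause a GET request, then stop execution.
        header("Location: {$_SERVER['REQUEST_URI']}");
        exit;
    }
}
// Output section: every dynamic value is escaped at the point it is written into html.
if (!empty($_SESSION['success'])) {
    echo '<p>' . htmlentities($_SESSION['success']) . '</p>';
    unset($_SESSION['success']);
}
foreach ($errors as $e) {
    echo '<p>' . htmlentities($e) . '</p>';
}
?>
<form method="post">
<label>First name: <input type="text" name="first_name" value="<?= htmlentities($post['first_name'] ?? '') ?>"></label>
<label>Colour: <select name="color">
<?php foreach ($colors as $value => $label): ?>
<option value="<?= htmlentities($value) ?>"<?= ($post['color'] ?? '') === $value ? ' selected' : '' ?>><?= htmlentities($label) ?></option>
<?php endforeach; ?>
</select></label>
<label><input type="checkbox" name="status" value="1"<?= !empty($post['status']) ? ' checked' : '' ?>> Active</label>
<input type="submit" value="Save">
</form>
```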
Validation can happen at two levels here. On the client side, there is form level validation where you can do simple validations like using the “required” attribute on the HTML input elements to ensure that they’re passed on to the PHP backend. I can see that you’ve already done this for “FIrst Name”, “Last Name”, etc.
Then comes server side validation where you can perform more rigorous checks. This happens when you check for the POST request and are just about to process the user’s input (like save it to a database, etc.). Here you’re trying to check if ‘status’ input is posted back and set your variable accordingly:
This is also one type of validation. In case your validation fails, you have the option of sending an appropriate message to the user using “echo” statement or other means. You can do all kinds of filtering and sanitization here using PHP functions but it all depends on your app’s business logic.
No, not really. Because status is a checkbox, what this does is determine whether the checkbox was checked or not, both of which are valid results. A checkbox is either on or off; if it is off, it will not be set in the post array.
In order to validate a name (or any other form field), you first need to define what you consider to be valid for that particular field.