Repost of 25 PHP Form Validation Snippets

No Comments

Because the syntax highlighter seems to been fucked up of "25 PHP Form Validation Snippets" at Hungred.com, I decided to repost the content of this post here. It's really just a repost, althou skipping right to the important content (and adding / replacing '#' with '//' single-line comments) ;)

Validate Email

We can perform an email validation through this function.

        function isValidEmail($email){
                return eregi('^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$', $email);
        }

After fainted for a few seconds when i saw unreal4u finding, i decided to throw up preg_match solution instead.

        function isValidEmail($email){
                return preg_match('/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/i', $email);
        }

PHP 5.2 and above.

function fnValidateEmail($email)
{
  return filter_var($email, FILTER_VALIDATE_EMAIL);
}

Sanitize Email

We can further sanitize our email to ensure that everything is alright.

function fnSanitizeEmaill($string) {
     return  preg_replace( '((?:\n|\r|\t|%0A|%0D|%08|%09)+)i' , '', $string );
}

PHP 5.2 and above.

function fnSanitizeEmaill($url)
{
  return filter_var($url, FILTER_SANITIZE_EMAIL);
}

Validate Email Exist

This is not possible but certain validation can be use to validate email existence.

function check_email($email)
{
        $email_error = false;
        $Email = htmlspecialchars(stripslashes(strip_tags(trim($email)))); //parse unnecessary characters to prevent exploits
        if ($Email == '') { 
		    email_error = true; 
        }
        elseif (
            !eregi('^([a-zA-Z0-9._-])+@([a-zA-Z0-9._-])+\.([a-zA-Z0-9._-])([a-zA-Z0-9._-])+', $Email)) { email_error = true; 
        }
        else {
            list($Email, $domain) = split('@', $Email, 2);
            if (! checkdnsrr($domain, 'MX')) { 
                email_error = true; 
            }
            else {
                $array = array($Email, $domain);
                $Email = implode('@', $array);
            }
        }

        if (email_error) { return false; } else{return true;}
}

Validate Number Only

We can use PHP built-in function to validate whether a given value is a number.

function fnValidateNumber($value)
{
        //is_ double($value);
        //is_ float($value);
        //is_ int($value);
        //is_ integer($value);
        return is_numeric($value);
}

PHP 5.2 and above.

function fnValidateNumber($value)
{
        //return filter_var($value, FILTER_VALIDATE_FLOAT); // float
        return filter_var($value, FILTER_VALIDATE_INT); // int
}

Sanitize Number

We can force all value to be only numeric by sanitize them.

function fnSanitizeNumber($str)
{
        // letters and space only
        return preg_match('/[^0-9]/', '', $str);
}

PHP 5.2 and above.

function fnSanitizeNumber($value)
{
        //return filter_var($value, FILTER_SANITIZE_NUMBER_FLOAT); // float
        return filter_var($value, FILTER_SANITIZE_NUMBER_INT); // int
}

Validate String Only

Sometimes to validate name we can use this function to restrict only letters and spaces.

function fnValidateStringr($str)
{
        // letters and space only
        return preg_match('/^[A-Za-z\s ]+$/', $str);
}

Sanitize String

We can sanitize it instead of validate user input.

function fnSanitizeStringr($str)
{
        // letters and space only
        return preg_replace('/[^A-Za-z\s ]/', '', $str);
}

PHP 5.2 and above. built-in function by PHP provides a much more powerful sanitize capability.

function fnSanitizeStringr($str)
{
        return filter_var($str, FILTER_SANITIZE_STRIPPED); // only 'String' is allowed eg. '<br>HELLO</br>' => 'HELLO'
}

Validate Alphanumeric Characters

This validates alphanumeric characters.

function fnValidateAlphanumeric($string)
{
        return ctype_alnum ($string);
}

Sanitize Alphanumeric Characters

This sanitize alphanumeric characters. eg. “HELLO! Do we have 90 idiots running around here?” => “HELLO Do we have 90 idiots running around here”

function fnSanitizeAlphanumeric($string)
{
        return preg_replace('/[^a-zA-Z0-9]/', '', $string);
}

Validate URL Exist

This function will check whether a given URL exist and not only validate it.

        function url_exist($url)
        {
                $url = @parse_url($url);

                if (!$url)
                {
                        return false;
                }

                $url = array_map('trim', $url);
                $url['port'] = (!isset($url['port'])) ? 80 : (int)$url['port'];
                $path = (isset($url['path'])) ? $url['path'] : '';

                if ($path == '')
                {
                        $path = '/';
                }

                $path .= (isset($url['query'])) ? '?$url[query]' : '';

                if (isset($url['host']) AND $url['host'] != @gethostbyname($url['host']))
                {
                        if (PHP_VERSION >= 5)
                        {
                                $headers = @get_headers('$url[scheme]://$url[host]:$url[port]$path');
                        }
                        else
                        {
                                $fp = fsockopen($url['host'], $url['port'], $errno, $errstr, 30);

                                if (!$fp)
                                {
                                        return false;
                                }
                                fputs($fp, 'HEAD $path HTTP/1.1\r\nHost: $url[host]\r\n\r\n');
                                $headers = fread($fp, 4096);
                                fclose($fp);
                        }
                        $headers = (is_array($headers)) ? implode('\n', $headers) : $headers;
                        return (bool)preg_match('#^HTTP/.*\s+[(200|301|302)]+\s#i', $headers);
                }
                return false;
        }

Validate URL Format

This function will validate a given url to ensure the format is correct.

function fnValidateUrl($url){
return preg_match('/^(http(s?):\/\/|ftp:\/\/{1})((\w+\.){1,})\w{2,}$/i', $url);
}

PHP 5.2 and above.

function fnValidateUrl($url)
{
    return filter_var($url, FILTER_VALIDATE_URL);
}

Sanitize URL

PHP 5.2 and above.

function fnSanitizeUrl($url)
{
    return filter_var($url, FILTER_SANITIZE_URL);
}

Validate Image Exist

This function will check whether a given image link exist and not only validate it.

function image_exist($url) {
    if(@file_get_contents($url,0,NULL,0,1)){return 1;}else{ return 0;}
}

Validate IP Address

This function will validate an IP address.

function fnValidateIP($IP){
    return preg_match('/^(([1-9]?[0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]).){3}([1-9]?[0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$/',$IP)
}

PHP 5 and above. This can also specific validation for IPV4 or IPV6.

function fnValidateIP($ip)
{
    return filter_var($ip, FILTER_VALIDATE_IP);
}

Validate Proxy

This function will let us detect proxy visitors even those that are behind anonymous proxy.

function fnValidateProxy() {
    if ($_SERVER['HTTP_X_FORWARDED_FOR']
       || $_SERVER['HTTP_X_FORWARDED']
       || $_SERVER['HTTP_FORWARDED_FOR']
       || $_SERVER['HTTP_VIA']
       || in_array($_SERVER['REMOTE_PORT'], array(8080,80,6588,8000,3128,553,554))
       || @fsockopen($_SERVER['REMOTE_ADDR'], 80, $errno, $errstr, 30))
    {
        exit('Proxy detected');
    }
}

Validate Username

Before we validate whether a given username is matches the one in our database, we can perform a validation check first to prevent any unnecessary SQL call.

function fnValidateUsername($username){
    // alphabet, digit, @, _ and . are allow. Minimum 6 character. Maximum 50 characters (email address may be more)
    return preg_match('/^[a-zA-Z\d_@.]{6,50}$/i', $username);
}

Validate Strong Password

Another good thing is to validate whether a particular password given by the user is strong enough. You can do that using this function which required the password to have a minimum of 8 characters, at least 1 uppercase, 1 lowercase and 1 number.

function fnValidatePassword($password){
    // must contain 8 characters, 1 uppercase, 1 lowercase and 1 number
    return preg_match('/^(?=^.{8,}$)((?=.*[A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z]))^.*$/', $password);
}

Validate US Phone Number

This function will validate US phone number for US users.

function fnValidateUSPhone($phoneNo){
    return preg_match('/\(?\d{3}\)?[-\s.]?\d{3}[-\s.]\d{4}/x', $phoneNo);
}

Validate US Postal Code

This function validate US postal code.

function fnValidateUSPostal($postalcode){
    // eg. 92345-3214
    return preg_match('/^([0-9]{5})(-[0-9]{4})?$/i',$postalcode);
}

Validate US Social Security Numbers

This function validate US Social Security Numbers.

function fnValidateUSSocialSecurityCode($ssb){
        // eg. 531-63-5334
        return preg_match('/^[\d]{3}-[\d]{2}-[\d]{4}$/',$ssn);
}

Validate Credit Card

This function validate credit card format.

function fnValidateCreditCard($cc){
    // eg. 718486746312031
    return preg_match('/^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6011[0-9]{12}|3(?:0[0-5]|[68][0-9])[0-9]{11}|3[47][0-9]{13})$/', $cc);
}

Validate Date

This is a date format MM-DD-YYYY or MM-DD-YY validation which validate from year 0000-9999.

function fnValidateDate($date){
    // 05/12/2109
    // 05-12-0009
    // 05.12.9909
    // 05.12.99
    return preg_match('/^((0?[1-9]|1[012])[- /.](0?[1-9]|[12][0-9]|3[01])[- /.][0-9]?[0-9]?[0-9]{2})*$/', $date);
}

This is a date format YYYY-DD-MM or YY-MM-DD validation which validate from year 0000-9999.

function fnValidateDate($date){
    // 2009/12/11
    // 2009-12-11
    // 2009.12.11
    // 09.12.11
    return preg_match('#^([0-9]?[0-9]?[0-9]{2}[- /.](0?[1-9]|1[012])[- /.](0?[1-9]|[12][0-9]|3[01]))*$#'', $date);
}

Validate Hexadecimal Colors

This is a good validation for people who allows their user to change color in their system.

function fnValidateColor($color){
    // CCC
    // CCCCC
    // FFFFF
    return preg_match('/^#(?:(?:[a-f0-9]{3}){1,2})$/i', $color);
}

Make Query Safe

This function help sanitize our data to be SQL injection safe.

function _clean($str){
    return is_array($str) ? array_map('_clean', $str) : str_replace('\\', '\\\\', htmlspecialchars((get_magic_quotes_gpc() ? stripslashes($str) : $str), ENT_QUOTES));
}

//usage call it somewhere in beginning of your script
    _clean($_POST);
    _clean($_GET);
    _clean($_REQUEST);// and so on..

Make Data Safe

This function help to keep us protected against XSS, JS and SQL injection by removing tags.

function _clean($str){
    return is_array($str) ? array_map('_clean', $str) : str_replace('\\', '\\\\', strip_tags(trim(htmlspecialchars((get_magic_quotes_gpc() ? stripslashes($str) : $str), ENT_QUOTES))));
}

//usage call it somewhere in beginning of your script
    _clean($_POST);
    _clean($_GET);
    _clean($_REQUEST);// and so on..

Summary

A paranoid way to perform a form validation would be to validate first then sanitize your values for precautions. If you think the above snippets were suck or you have any good or awesome snippets to share. Please throw your comment and share with us!

Be the first to write a comment!