form validation


jimfog

I could open this topic in the PHP forum as well. Do you think that I should validate forms both on the client side and the server side (JS and PHP)? If yes, why should I do that - for extra security? Does that depend on the kind of application, do you think?


Validate all the time and hash everything with a salt. Never give an evildoer half a chance.


Validate all the time and hash everything with a salt. Never give an evildoer half a chance.
I assume this means validating both client side and server side. Regarding the salt now... are you saying that I should salt even things such as the address and the phone of a user, for example?

Absolutely everything server and client side. You always have to be aware that there's probably much that you don't know, that you don't know. Also, there's the need to get (and stay) in the habit of secure thinking plus the certainty that technology will improve. So, what is secure today may not be secure tomorrow regardless of what you do. It never hurts to be a little paranoid IMO. After all, it's just a matter of time before someone or something will try to hack your work. So, don't give 'em much to work with.

Edited by niche

Ok... I have 2 questions though about the implementation of JS validation of the form. The form is enclosed within a function, and the function is called in the page needed. Probably this is not the best way to put the form in a page. I just did it for readability reasons, I did not want the page to be full of HTML fields. Would you do the same thing? Or just "throw" the HTML form in the page, even if it is big? The 2nd question has to do with the JavaScript validation. Do you think that there is any problem at all validating the form with it being in a PHP function?


The first question is a little vague. I guess do what makes sense to you. It's always best to separate your program's logic from the presentation, using templates or whatever other separation you want to use. About the second question, Javascript doesn't have anything to do with PHP. It doesn't know or care how the HTML gets on the page.


The first question is a little vague. I guess do what makes sense to you. It's always best to separate your program's logic from the presentation, using templates or whatever other separation you want to use.
I understand your point about separating logic from presentation but I need to ask you something about it. The header section of the site (which is enclosed in a function) is about 6 lines of code - don't you think it is more cumbersome to put these lines in every page of the site line by line, instead of using a function where it is called? Imagine a site with 100 pages - I think it is more convenient to call the function 100 times instead of writing these lines of code 100 times. I know I am opening a big issue here and I would appreciate it if you gave me your opinion about it.

You can just include the header file in another file without using any function. I will barely use any function to just print something. You can set up the header as part of a template with placeholders and use the whole generated template to get its value evaluated.


Ok... I understood what you are talking about, but what if this header code needs to be changed slightly from page to page - I am talking about the title tag which needs to be different from page to page. That is why I am wondering if it is better with a function instead of just using include. Of course I am not even sure that by using a function, you can write the code in such a way that the title tag is altered depending on the page. I am still trying to find the best solution depending on what I want to achieve.


Ok... I understood what you are talking about, but what if this header code needs to be changed slightly from page to page - I am talking about the title tag which needs to be different from page to page.
Use variables for the things that need to change. You can define those variables before including the file and they will be used. The include file should have logic to check if those variables are not set and use default values otherwise.

Use variables for the things that need to change. You can define those variables before including the file and they will be used. The include file should have logic to check if those variables are not set and use default values otherwise.
I think I understand what you are saying, but if it is not too much trouble I would appreciate you showing me an example also - I hope it is not much code. How would you implement this?

Just put a variable in with your HTML: <title><?php echo $page_title;?></title> Before you include the file, you can define $page_title as the title to appear on the page. Inside the include file, check if $page_title is set and if it is not set then give it a default value.


The first question is a little vague. I guess do what makes sense to you. It's always best to separate your program's logic from the presentation, using templates or whatever other separation you want to use.
Are you referring to templates found out there or just custom constructions that I could do on my own?

Just put a variable in with your HTML: <title><?php echo $page_title;?></title> ... check if $page_title is set and if it is not set then give it a default value.
What is the reason for checking if the page title is set? Every page must have a title - I do not think there is a case where a page will not have the title set. Unless you are saying that because some pages will have the same title and as such set the default to that.

It's just good practice to either initialize your variables, or do basic error handling so you can at least control the output of page_title if it's not set, instead of getting undefined or null as a value.


What is the reason for checking if the page title is set? Every page must have a title
That's the reason. Every page must have a title. So, if you didn't explicitly set a title then you need to use a default value. Because all pages need a title.

Normally, we have different types of end users; some are just there to play with one's apps. My advice is to always validate on both the client and the server, because some end users are smart and they are familiar with web apps. And this is so because of some crazy forms that are too long for the user to fill in; that's why most crazy end users normally submit crazy data to the server, bypassing all the security on the client side. With this, please, always validate on both sides. However, client validation is advisable, because of overloading the server with lots of requests. Thus, both are advisable. Thanks, Weezy


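An added example (not from any poster in this thread) of the server-side half of the advice above: PHP re-checks each field because a request can reach the server without the JavaScript checks ever running. The field names, rules and sample request are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Field names and rules are
// assumptions; the sample request below is constructed.

/**
 * Re-check every field on the server, whatever the browser already checked.
 * Returns ['errors' => [...], 'clean' => [...]].
 */
function validate_contact_form(array $input): array
{
    $errors = [];
    $clean  = [];

    // Read only the fields the form defines; anything else is ignored.
    foreach (['name', 'email', 'phone'] as $field) {
        $value = $input[$field] ?? '';
        // A client can send an array instead of a string (name[]=x).
        $clean[$field] = is_string($value) ? trim($value) : '';
    }

    if ($clean['name'] === '' || strlen($clean['name']) > 100) {
        $errors['name'] = 'Name is required (max 100 characters).';
    }
    if (filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Email address is not valid.';
    }
    // Optional leading +, then 7 to 20 digits and common separators.
    if (!preg_match('/^\+?[0-9 ()\-]{7,20}\z/', $clean['phone'])) {
        $errors['phone'] = 'Phone number is not valid.';
    }

    // Hand back cleaned values only when every check passed.
    return ['errors' => $errors, 'clean' => $errors ? [] : $clean];
}

// Constructed request that never went through the JavaScript checks.
$submitted = [
    'name'  => '   ',
    'email' => 'not-an-email',
    'phone' => ['unexpected', 'array'],
    'role'  => 'admin', // extra field the form never had
];

$result = validate_contact_form($submitted);
foreach ($result['errors'] as $field => $message) {
    echo $field, ': ', $message, PHP_EOL;
}
```
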
Just put a variable in with your HTML: <title><?php echo $page_title;?></title> Before you include the file, you can define $page_title as the title to appear on the page. Inside the include file, check if $page_title is set and if it is not set then give it a default value.
I am trying to implement in code what you are saying above and I get an error message which I am having difficulty understanding:

( ! ) Notice: Undefined variable: page_title in C:\Apache24\htdocs\Appointments\Administrator\header.php on line 8

I do not get it - here is the code, according to what you said. The code below goes in the file to be included, header.php:

<?php
function check_page_title($page_title)
{
    global $page_title;
    if (isset($page_title)) {
        return;
    } else {
        return $page_title = 'Appointmetns24x7';
    }
}
check_page_title($page_title);
?>
<!DOCTYPE html>
    <head>
        <title><?php echo $page_title;?></title>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
        <link rel="stylesheet" href="css/admingeneral.css"/>
        <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.0/jquery.min.js"></script>
        <script type="text/javascript" src="js/js-code.js"></script>
    </head>

And in the file where header.php is included-home.php(for example)I just have this line:

require_once 'header.php';

I do not understand why the variable is considered undefined. If, though, in home.php I also have this: $page_title=test; everything works OK. Obviously in the above case the function just ends, by using return. I do not understand why, though, in the opposite case, when I have not set a title, I get "undefined variable". I thought the function code would take care of this.


That's a weird way to write a function. You pass it a parameter, then tell it to use a global variable with the same name as the parameter, then check if the variable is set (it's always going to be set). I was thinking something like this instead: if (!isset($page_title)) $page_title = 'Default';


That's a weird way to write a function. You pass it a parameter, then tell it to use a global variable with the same name as the parameter, then check if the variable is set (it's always going to be set). I was thinking something like this instead: if (!isset($page_title)) $page_title = 'Default';
Your comment is correct about the parameter name and the global name being the same. Is this invalid in PHP? You are saying that the variable will always be set. But I think that one reason we write this function is for the case that the variable might not be set. I am not saying your code is wrong, I am just focusing on the comment you made.

It's not invalid, it's just not going to do what you think it's going to do. What do you think it's going to do if you tell it to use a global variable with the same name as the parameter? Is that variable going to have the value of the global variable, or the parameter?

You are saying that the variable will always be set. But I think that one reason we write this function is for the case that the variable might not be set.
If you pass a variable to a function then that variable inside the function is always set. It might not be set outside the function, but since the function declares it as a parameter it's always set inside the function.

To add to that, you'll get an undefined variable error if you try to pass an undefined variable to a function. Even though you might be checking if things are set in that function, trying to pass an undefined variable to the function is an error. Trying to use an undefined variable at all, other than to check if it is set, is an error. That's why I suggested the one line of code to just set the variable if it's not set.


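An added example, not written by any poster in this thread, of the include-with-default approach described above, with the title also escaped on output. The template is written to a temporary file only so the script runs on its own; `render_page()`, the temporary file and the sample titles are assumptions.

```php
<?php
// Added example, not code from the thread. On a real site the template
// below would simply be header.php; render_page() is an illustrative name.

$header = <<<'HEADER'
<?php
// header.php: fall back to a default when the including page set no title.
// isset() may be used on an undefined variable without raising a notice.
if (!isset($page_title) || trim($page_title) === '') {
    $page_title = 'Default';
}
?>
<!DOCTYPE html>
<html>
<head>
    <title><?php echo htmlspecialchars($page_title, ENT_QUOTES, 'UTF-8'); ?></title>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
</head>

HEADER;

$path = tempnam(sys_get_temp_dir(), 'hdr');
file_put_contents($path, $header);

// Stands in for one page of the site: an include inside a function sees
// that function's local variables, just as header.php sees home.php's.
function render_page(string $path, ?string $title = null): string
{
    if ($title !== null) {
        $page_title = $title; // what home.php would set before the include
    }
    ob_start();
    include $path;
    return ob_get_clean();
}

// Constructed sample titles: none set, then one containing markup characters.
echo render_page($path);
echo render_page($path, 'Admin & <Reports>');

unlink($path);
```

The second call shows why the title is passed through `htmlspecialchars()`: a title assembled from user-supplied or database text is written into the page as text rather than as markup.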