/* How to structure your code that validates: */

- crude idea: you'll take the strings in $_POST, and perhaps compare them
  to regular expressions using `if` statements.
  ... If they don't match ...?
  Don't print an error immediately: separate the error-checking from the error-reporting.
  NOTE: If something in the input is numeric, convert the string to a number
  and use `<=` etc. to compare numbers.
  [Don't try to use regular expressions to test if a number is between 30 and 75.]
  Recall 'is_numeric' in PHP.

- a similar-but-more-reusable approach:
  - Have a function 'validate_username', which takes in a string and returns error-message-or-true
    (returns true if the string was valid, otherwise RETURNs a descriptive error-message).
  - Similarly have a function 'validate_favorite_color' (or whatever your form is collecting):
    returns error-message-or-true.
  - THEN: have a 'master' validation function 'validateAll' -- takes in an array of strings
    whose keys might happen to be things like 'username' and 'fave-color' (hey, just like $_POST),
    and returns an array-of-error-messages (possibly empty).
  - In your actual form-handler: call validateAll on the particular array $_POST;
    if the returned array is non-empty then you'll print out all the error messages.

==========
Validating: client-side, or server-side?  Why both?

Why client-side:
- save bandwidth and server-cycles, because innocent errors are caught before being submitted.
- better user experience: shorter wait before the user is notified of an error.

Why server-side:
(why do we even need to check, if the form's javascript didn't let them submit if there'd been an error?)
- they might have javascript turned off
- they might take the form and 'save-as', then edit it to CHANGE the javascript validation, then re-open.
- they might not even be coming from the form: attackers just send http packets requesting my form-handler.
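
One way to lay out the validators and 'validateAll' described above, as an added example (not code from the original notes). The 'age' field, the allowed colors and the username rule are assumptions for illustration; the second sample shows why the server-side check cannot assume the request came from the form.

```php
<?php
// Added example: per-field validators return true or an error-message string.
// Field names, rules and the 'age' field (30..75) are assumptions for illustration.

function validate_username($s) {
    if (!is_string($s)) return 'Username is missing or malformed.';
    if (!preg_match('/^[A-Za-z][A-Za-z0-9_]{2,15}$/D', $s))
        return 'Username must be 3-16 letters, digits or underscores, starting with a letter.';
    return true;
}

function validate_favorite_color($s) {
    $allowed = ['red', 'green', 'blue'];   // hypothetical menu choices
    if (!is_string($s) || !in_array($s, $allowed, true))
        return 'Favorite color must be one of: ' . implode(', ', $allowed) . '.';
    return true;
}

function validate_age($s) {
    // Numeric input: convert, then compare as numbers (no regex range tests).
    if (!is_string($s) || !is_numeric($s)) return 'Age must be a number.';
    $n = $s + 0;
    if (!(30 <= $n && $n <= 75)) return 'Age must be between 30 and 75.';
    return true;
}

// Takes an array shaped like $_POST; returns an array of error messages (possibly empty).
function validateAll($input) {
    $validators = ['username'   => 'validate_username',
                   'fave-color' => 'validate_favorite_color',
                   'age'        => 'validate_age'];
    $errors = [];
    foreach ($validators as $key => $fn) {
        $result = $fn($input[$key] ?? null);   // absent field => validator sees null
        if ($result !== true) $errors[$key] = $result;
    }
    return $errors;
}

// Constructed sample submissions; a real form-handler would pass $_POST.
$samples = [
    ['username' => 'alice_01', 'fave-color' => 'blue', 'age' => '42'],
    ['username' => ['x'], 'age' => '29.5'],   // array value + missing field: only a hand-built request sends this
];
foreach ($samples as $i => $post) {
    $errors = validateAll($post);                  // error-checking ...
    echo "submission $i: ", $errors ? "rejected\n" : "ok\n";
    foreach ($errors as $msg) echo "  - $msg\n";   // ... kept separate from error-reporting
}
```
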
--------
If you have info needed for BOTH making the form, AND the form-handler:
Put such info into a third common file,
which gets `require_once`d by both the form and the form-handler.