ITEC 325 2017spring ibarland

home—lects—hws
D2L—breeze (snow day)

server-side-validation
Server-side Validation

Review: Where to do validation — why server-side, why client-side; why both if we're already doing it once; which is more important (if you were forced to only choose one). Here is the 2017-feb-28-partA distance section (1h05m) (it starts off reviewing git and the regular-expression quiz-questions).

In the following series of videos, we add server-side validation to our previous simple form (v0). We will focus on how to structure this code well, refactoring and improving our code through several stages.

0. #v0 form, w/o any validation
1. #v1 brutish, top-level code. D-
2. #v2 refactor into "stringInvalidMsg". C-
3. #v3 put validation-code into its own file. C+
4. #v4 create “allErrorMessages”. B+
5. #v5 put constants into their own file. A

disclaimer: (These “grades” are to convey a general impression, and are not the homework grading-guide!)

Here is the 2017-feb-28-partB distance section (0h49m), which covers much of the material of the first several videos below.

0. the old form (except the form now mentions some restrictions, currently un-enforced).
1. validate-v1/: A first version that does the validation, but with repeated, untested, top-level code. It also uses direct echo'ing, which doesn't allow for any re-use.
   Grade: D-.
   youtube:;
   
   youtube:
   
2. validate-v2/ Re-factor the repeated testing of text-fields into “stringInvalidMsg” (but tests are still in comments).
   Grade: C- (still not a very robust structure).
   on youtube:
   Note that error-messages still missing field-name; we could add an extra param to 'stringInvalidMsg', but instead we'll take a different tack next video. And: the lack of 'br' is a strength, not a weakness.
3. validate-v3/ Pull the code into a separate file (and, tests as well). Add form-handler-test-N.php files.
   Grade: C+
   

   on youtube (15m:15s)
   

4. validate-v4/ Have a function “allErrorMessages” which returns an array of strings. Now our main handler simply calls that function and echo's the result. Test-handlers revealed a bug: even text fields may not be in _POST if an attacker forged a form, giving us array-doesn't-contain-key errors. Abstract this with safeLookup, a handy trick for many languages and situations.
   B+.

   on youtube (partA: 22m:16s) and on youtube (partB: 8m:40s).
   
   

   We also discuss the test-cases, and sigh about the rather large number of files we now have.

5. Finally: validate-v5/ Add an external constants file, and use “global” to access those constants inside a function.
   Grade: A.

   on youtube (partA: 7m:15s) and on youtube (partB: 14m:37s)
   
   

home—lects—hws
D2L—breeze (snow day)

©2017, Ian Barland, Radford University Last modified 2017.Mar.14 (Tue)

Please mail any suggestions (incl. typos, broken links) to ibarlandradford.edu