ITEC 325
2017spring
ibarland


Server-side Validation

Review: Where to do validation — why server-side, why client-side; why both if we're already doing it once; which is more important (if you were forced to only choose one). Here is the 2017-feb-28-partA distance section (1h05m) (it starts off reviewing git and the regular-expression quiz-questions).

In the following series of videos, we add server-side validation to our previous simple form (v0). We will focus on how to structure this code well, refactoring and improving our code through several stages.

  1. #v0 form, w/o any validation
  2. #v1 brutish, top-level code. D-
  3. #v2 refactor into "stringInvalidMsg". C-
  4. #v3 put validation-code into its own file. C+
  5. #v4 create “allErrorMessages”. B+
  6. #v5 put constants into their own file. A
disclaimer: (These “grades” are to convey a general impression, and are not the homework grading-guide!)

Here is the 2017-feb-28-partB distance section (0h49m), which covers much of the material of the first several videos below.

  1. the old form (except the form now mentions some restrictions, currently un-enforced).
  2. validate-v1/: A first version that does the validation, but with repeated, untested, top-level code. It also uses direct echo'ing, which doesn't allow for any re-use.
    Grade: D-.
    youtube:
  3. validate-v2/ Re-factor the repeated testing of text-fields into “stringInvalidMsg” (but tests are still in comments).
    Grade: C- (still not a very robust structure).
    on youtube:
    Note that the error messages are still missing the field name; we could add an extra parameter to 'stringInvalidMsg', but instead we'll take a different tack in the next video. And: the lack of 'br' is a strength, not a weakness.
  4. validate-v3/ Pull the code into a separate file (and, tests as well). Add form-handler-test-N.php files.
    Grade: C+

    on youtube (15m:15s)

  5. validate-v4/ Have a function “allErrorMessages” which returns an array of strings. Now our main handler simply calls that function and echoes the result. The test-handlers revealed a bug: even text fields may be absent from $_POST if an attacker forged a form, giving us array-doesn't-contain-key errors. Abstract this with safeLookup, a handy trick for many languages and situations.
    Grade: B+.

    on youtube (partA: 22m:16s) and on youtube (partB: 8m:40s).

    We also discuss the test-cases, and sigh about the rather large number of files we now have.

  6. Finally: validate-v5/ Add an external constants file, and use “global” to access those constants inside a function.
    Grade: A.

    on youtube (partA: 7m:15s) and on youtube (partB: 14m:37s)
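
The validate-v4 structure described above, as an added example (not the course's own code): the names safeLookup, stringInvalidMsg and allErrorMessages come from this page, but their signatures, the field names `name` and `email`, and the length limits are assumptions made for illustration.

```php
<?php
// Added illustration; signatures, field names and limits are assumed, not taken from the course files.

/** Return $arr[$key] if it is present and a string, else $default.
 *  A forged request can omit a text field entirely, or send it as an array (name[]=x). */
function safeLookup(array $arr, string $key, string $default = ''): string {
    return (array_key_exists($key, $arr) && is_string($arr[$key])) ? $arr[$key] : $default;
}

/** Return '' if $val is acceptable, else a plain-text error message.
 *  No field name and no HTML in the message: the caller decides how to present it. */
function stringInvalidMsg(string $val, int $minLen, int $maxLen): string {
    $len = strlen($val);   // length in bytes
    if ($len < $minLen) return "must be at least $minLen characters";
    if ($len > $maxLen) return "must be at most $maxLen characters";
    return '';
}

/** Return all error messages for the submitted data, keyed by field name.
 *  An empty array means the submission passed every check. */
function allErrorMessages(array $formData): array {
    // Constructed rules: field name => [min length, max length]
    $rules = ['name' => [1, 40], 'email' => [3, 80]];
    $errs = [];
    foreach ($rules as $field => [$min, $max]) {
        $msg = stringInvalidMsg(safeLookup($formData, $field), $min, $max);
        if ($msg !== '') $errs[$field] = $msg;
    }
    return $errs;
}

// Constructed inputs standing in for $_POST.
$honest = ['name' => 'Ada', 'email' => 'ada@example.com'];
$forged = ['email' => ['x']];   // 'name' missing, 'email' sent as an array

foreach (['honest' => $honest, 'forged' => $forged] as $label => $post) {
    $errs = allErrorMessages($post);
    echo "$label:\n";
    if (!$errs) { echo "  ok\n"; continue; }
    // The handler, not the validator, adds field names and escapes for HTML output.
    foreach ($errs as $field => $msg) {
        echo '  ' . htmlspecialchars("$field $msg") . "\n";
    }
}
```

A real handler would pass `$_POST` to allErrorMessages; the forged input exercises the missing-key case the test-handlers uncovered without raising a PHP notice or type error.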


2017-Mar-14 distance section (57m05s): introduction to the DOM and javascript to modify it.



©2017, Ian Barland, Radford University
Last modified 2017.Mar.14 (Tue)
Please mail any suggestions
(incl. typos, broken links)
to ibarlandradford.edu
Rendered by Racket.