ITEC 325
2021spring

Server-side Validation

In the following series of videos, we add server-side validation to our previous simple form (v0). We will focus on how to structure this code well, refactoring and improving our code through several stages.

  1. v0: form, w/o any validation
  2. v1: brutish, top-level code. D-
  3. v2: refactor into "stringInvalidMsg". C-
  4. v3: put validation code into its own file. C+
  5. v4: create “allErrorMessages”. B+
  6. v5: put constants into their own file. A
disclaimer: These “grades” are to convey a general impression, and are not a homework grading-guide!
  1. the old form (except the form now mentions some restrictions, currently unenforced).
  2. validate-v1/: A first version that does the validation, but with repeated, untested, top-level code. It also uses direct echoing, which doesn't allow for any re-use.
    Grade: D-.
    video: validate server-side (part 1a) (15m46s)

    video: validate server-side (part 1b) (3m42s)

  3. validate-v2/ Refactor the repeated testing of text fields into “stringInvalidMsg” (but tests are still in comments).
    Grade: C- (still not a very robust structure).
    video: validate server-side (part 2) (13m20s)

    Note that the error messages are still missing the field name; we could add an extra parameter to 'stringInvalidMsg', but instead we'll take a different tack in the next video. And: the lack of 'br' is a strength, not a weakness.
  4. validate-v3/ Pull the code into a separate file (and the tests as well). Add form-handler-test-N.php files.
    Grade: C+
    video: validate server-side (part3) (15m15s)

  5. validate-v4/ Have a function “allErrorMessages” which returns an array of strings. Now our main handler simply calls that function and echoes the result. Test handlers revealed a bug: even text fields may not be in _POST if an attacker forged a form, giving us array-doesn't-contain-key errors. Abstract this with safeLookup, a handy trick for many languages and situations.
    Grade: B+. video: validate server-side (part 4a) (22m16s)

    video: validate server-side (part 4b) (8m40s)

    We also discuss the test-cases, and sigh about the rather large number of files we now have.

  6. Finally: validate-v5/ Add an external constants file, and use “global” to access those constants inside a function.
    Grade: A. video: validate server-side (part 5a) (7m15s)

    video: validate server-side (part 5b) (14m37s)
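The v4/v5 structure in one file, as an added example (this is not the course's own validate-v4/ or validate-v5/ code): safeLookup guards every _POST read so a forged request with missing or array-valued fields produces an error message instead of a PHP warning, allErrorMessages returns strings rather than echoing, and the constants are read with “global”. The field names (name, comment, age), the length limits and the constant names are assumptions.

```php
<?php
// Added example, not the course's own validate-v4/ or validate-v5/ code.
// Field names, length limits and constant names below are assumptions.

// Constants the rules rely on (stand-in for the v5 constants file).
$MIN_NAME_LEN = 1;
$MAX_NAME_LEN = 40;
$MAX_COMMENT_LEN = 500;

// Return $arr[$key] if present, else $default. A forged or hand-built
// request may omit any field, even a required text field, so a direct
// $_POST['name'] lookup can fail with an undefined-array-key error.
function safeLookup(array $arr, string $key, $default = '') {
    return array_key_exists($key, $arr) ? $arr[$key] : $default;
}

// Return '' if $str is a string whose trimmed length is within [$min, $max],
// else a message naming the field. Non-strings (e.g. name[]=x, which PHP
// decodes as an array) are rejected rather than cast.
function stringInvalidMsg(string $fieldName, $str, int $min, int $max): string {
    if (!is_string($str)) {
        return "$fieldName must be a single text value.";
    }
    $len = strlen(trim($str));
    if ($len < $min || $len > $max) {
        return "$fieldName must be $min to $max characters (got $len).";
    }
    return '';
}

// Every problem with the submission, as an array of strings; [] means valid.
function allErrorMessages(array $post): array {
    global $MIN_NAME_LEN, $MAX_NAME_LEN, $MAX_COMMENT_LEN;
    $msgs = [];
    $msgs[] = stringInvalidMsg('Name', safeLookup($post, 'name'), $MIN_NAME_LEN, $MAX_NAME_LEN);
    $msgs[] = stringInvalidMsg('Comment', safeLookup($post, 'comment'), 0, $MAX_COMMENT_LEN);
    $age = safeLookup($post, 'age');
    if (!is_string($age) || !ctype_digit($age) || (int)$age > 150) {
        $msgs[] = 'Age must be a whole number from 0 to 150.';
    }
    return array_values(array_filter($msgs, fn($m) => $m !== ''));
}

// The handler only reports; the functions above never echo, so tests can call them.
$errors = allErrorMessages($_POST);
if ($errors === []) {
    echo '<p>Thanks, ' . htmlspecialchars(safeLookup($_POST, 'name')) . '!</p>';
} else {
    echo '<ul>' . implode('', array_map(fn($e) => '<li>' . htmlspecialchars($e) . '</li>', $errors)) . '</ul>';
}
```

A test file in the style of form-handler-test-N.php can pass a constructed array such as `['comment' => 'hi']` to allErrorMessages and check that it returns exactly the messages for the missing name and age, with no warnings emitted.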


Coming up: client-side validation (incl. introduction to the DOM, and JavaScript to modify it)
This page licensed CC-BY 4.0 Ian Barland