In this video, we add validation to our registration form. We validate name, email, and password, as well as display error messages to the user.
[mellow guitar music]
0:00 Think Vitamin Membership - Est. 2010 membership.thinkvitamin.com
0:03 PHP/MySQL User System - Validation with Jim Hoskins
0:07 In the previous video, we created a registration form
0:13 that inserted users into the database.
0:15 The problem is, there was no validation.
0:17 In this video, we're going to add some.
0:19 Now, you may already be using JavaScript form validation in your pages,
0:21 and that's nice from a user-experience point of view,
0:24 but rule #1 of web development is "never trust client data."
0:27 They could have JavaScript disabled, or may be intentionally
0:30 sending your server bad data.
0:34 Always validate your client data on the server.
0:36 Another rule of validation is "Be as accepting as you can afford to be."
0:39 People around the world have different types of names,
0:44 so if you ensure that name has length 3 or greater, you're excluding everybody
0:47 with the last name "Li."
0:51 Or if you accept only alphabetic characters, you're excluding the O'Reillys
0:52 and those with hyphenated names.
0:57 Some people have two first names or two last names, so you should allow spaces.
0:59 There are few things more insulting than being told your name is invalid,
1:03 so be as accepting as you can afford to be in your validation.
1:07 This is especially true with email addresses.
1:11 There's no real easy way to validate them.
1:13 The most accurate regular expression for testing emails is hundreds of characters,
1:16 and even that is only accurate to the specification.
1:20 In the real world, people can have email addresses that work
1:24 that aren't technically valid, according to the specification.
1:26 The best way to test if an email address is really valid is to send an email to it,
1:30 and if it bounces, then reject it.
1:34 Now, that's a lot of work, so it's generally only worth the effort if you absolutely need
1:36 a working email address.
1:40 So let's take a look at our code.
1:42 I've already updated our code for our validation,
1:45 and we're just going to go through the major steps that I used.
1:47 So right here, I've created an errors variable that is an array.
1:50 Now, we'll be using this to store the various validation errors
1:54 that appear on our various pieces of data.
1:57 So down here is actually where we check our data.
2:00 Here, we're first checking first_name to make sure it's non-blank.
2:03 So what I'm doing is I'm using the preg_match function
2:07 which does a Perl-compatible regular expression.
2:10 Now, the regular expression I'm using is just to make sure there's at least
2:13 one non-white-space character.
2:17 Now, your validations may vary, and you can change this to suit your needs,
2:19 but for me, this is all that I want to validate,
2:23 and I'm testing it on the $_POST["first_name"].
2:26 If preg_match returns 0, then we have an error.
2:29 So what I'm going to do is I'm going to set the "first_name" key of our $errors variable
2:33 to an error message, so I'm going to say, "Please enter a first name."
2:38 The last name is exactly the same, so we're doing the exact same check
2:43 to make sure it's non-blank, except this time
2:47 we're checking on the $_POST["last_name"] and setting the key "last_name".
2:50 Now, the email is similar, except my regular expression is changed.
2:54 I'm doing a fairly simple regular expression, where I'm looking for
2:58 at least one of any character, an "@" symbol,
3:02 another set of at least one or more characters,
3:06 then a literal dot "." and then more characters.
3:10 This should be valid enough--it's only really checking for the "@" and the "."
3:13 so anybody could really put in all sorts of things that could get around this,
3:17 but, like I said, I can afford to be pretty accepting in this application.
3:21 So if it does not match that, we're entering a different validation error message.
3:25 Finally, I'm checking for the password,
3:30 and the regular expression I'm using is any character,
3:33 so long as there are at least six of them.
3:36 So I am enforcing a password length on our password.
3:39 Here I'm saying the password is invalid if it does not match our regular expression.
3:43 Then we need to check for our password confirmation to make sure
3:49 that it matches our normal password.
3:52 So here what I'm doing is I'm testing to make sure that our string comparison
3:55 between the password and the password confirmation is not equal to 0.
3:59 Now, if it's not equal to 0, that means that the two strings vary in some way.
4:06 strcmp will return 0 if they are the same.
4:11 So here, I'm going to put an error on the password confirmation
4:15 saying that the passwords do not match.
4:18 Now here's where we're getting back to our normal code.
4:20 Instead of just going straight into our SQL query,
4:23 we're going to check to make sure that count of errors is equal to 0.
4:26 So if any one of these error keys were set,
4:30 our count's going to be greater than 0.
4:33 If we have no errors, then we go ahead and try to insert in the database.
4:35 All of this code is the same--we're escaping our input
4:39 and generating our SQL query and running it.
4:42 Here we can see if we get no errors, then we get a successful login
4:45 and redirect around.
4:50 Now, if there is an error, the main error we're going to see
4:52 is if somebody inserts an email address that already exists.
4:55 Since we put a unique modifier on our column,
4:58 if you try to input two of the same email addresses, it will return an error.
5:01 So here we're going to check against our mysql_error string
5:06 for the words "duplicate" and "email," and if that matches, we're going to set the email
5:10 error message to be "Email has already been used."
5:16 Down here, I've created a few helper functions for generating my markup.
5:21 The first is form_row_class.
5:26 This takes a key, like first_name, last_name, or email,
5:28 and if there's an error on it, will return the string "form_error_row",
5:33 a class name that I have set up for an error.
5:36 If there's no error, it'll return an empty string.
5:39 Another one I've created is error_for, and it takes the same kind of key,
5:42 and if there's an error on the key, it returns this little piece of markup
5:47 that is a div with our class, and then the error message.
5:50 Finally, I've created an h function,
5:54 which is an alias for the htmlspecialchars function.
5:57 So down in our code, let's take a look at how we've utilized these different functions.
6:00 So, in each of our table rows, here I've created a class attribute,
6:05 and inside of that, I'm echoing the form_row_class for that field.
6:09 So if there's an error on first name, we will get the class name, form_error_row,
6:15 input into this <tr>.
6:20 This allows us to colorize the text field or any other kind of indication
6:23 that there's an error on that row.
6:27 Then, on the input, I've added a value,
6:30 so if you have an error in your code when you submit the form,
6:34 when the form is displayed back to you again,
6:38 you don't want the form to be cleared out.
6:40 So what you want to do is you want to add the value that was submitted into that field.
6:42 But, since we're displaying information that came from the client,
6:48 we need to sanitize it by calling htmlspecialchars, or "h" as I've aliased it.
6:52 I use "h" just because it's shorter and it's something that I use a lot,
6:57 and you should use a lot, so it would make it convenient for you to use.
7:01 Finally, directly after our input, I do "echo" and then error_for() the first_name,
7:06 or whatever key I happen to be using--and here, if there is an error,
7:12 it'll print out a div with the error message.
7:16 Now, each of my fields has pretty much the same thing going on,
7:19 of course with the keys changed to whatever field we're on.
7:22 The only difference is I am not echoing out the password if there's an error.
7:26 I generally don't like to pass passwords back to the client.
7:31 I'd rather have them reinput it.
7:34 Now, it's a little bit inconvenient, but I want people to be sure
7:37 of the password that they're putting in, so I don't put a value in the password
7:40 or the password confirmation.
7:43 So, let's look at our database.
7:47 We see that we have Jim and Nick in here, with Jim and Nick at carsonified.com.
7:49 First let's just try submitting the empty form.
7:54 Here you can see that we now have our error classes applied,
7:57 and we have error messages printed below each of our inputs.
8:01 So let's try it out and let's sign up Ryan for this.
8:06 Let me type in a password, and let me put a non-matching password in here.
8:10 And so we can see that the "Passwords do not match" came across.
8:18 Now, if I signed him up with matching passwords, all of these should go through,
8:24 and we can be logged in as Ryan.
8:29 Now let's just test to see if the email validation works.
8:32 I'm going to try to register again,
8:36 and since my email address is already in the database,
8:39 we should get to the point where we're inserting, but there will be a MySQL error
8:42 because of my email address.
8:45 So let's just type in the password, oops--looks like I missed that--
8:47 (types in correct password)
8:55 and there we go.
8:57 We see that email has already been taken.
8:59 By using these techniques, you should be able to create
9:02 a fully functional user registration form for your authentication system.
9:04 [mellow guitar music]
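The validation and markup helpers the video walks through, written out as a self-contained PHP script you can run from the command line. This is an added example, not the code shown in the video or Treehouse's course files: the field names follow the transcript, but the regular expressions, error messages, the form_row() helper and the sample submission are my own choices, and the helpers take the $errors array as a parameter instead of reading a global as the video's versions do.

```php
<?php
// Added example, not the code from the video: the server-side checks the
// transcript describes, plus the markup helpers. Field names follow the
// transcript; the regular expressions and messages are my own assumptions.
// Unlike the video's helpers, these take the $errors array as a parameter.
declare(strict_types=1);

// Return error messages keyed by field name; an empty array means "valid".
function validate_registration(array $post): array
{
    $errors = [];
    // "?? ''" treats a missing field as blank instead of raising a notice;
    // a hostile client can omit any field the form would normally send.
    $first = (string) ($post['first_name'] ?? '');
    $last  = (string) ($post['last_name'] ?? '');
    $email = (string) ($post['email'] ?? '');
    $pass  = (string) ($post['password'] ?? '');
    $conf  = (string) ($post['password_confirmation'] ?? '');

    // Names: be as accepting as possible; require one non-white-space char.
    if (preg_match('/\S/', $first) !== 1) {
        $errors['first_name'] = 'Please enter a first name.';
    }
    if (preg_match('/\S/', $last) !== 1) {
        $errors['last_name'] = 'Please enter a last name.';
    }
    // Email: the lenient "something@something.something" shape from the
    // video. The D modifier stops $ from matching before a trailing newline.
    if (preg_match('/^.+@.+\..+$/D', $email) !== 1) {
        $errors['email'] = 'Please enter a valid email address.';
    }
    // Password: any characters, at least six of them. s lets . match
    // newlines and u counts UTF-8 code points rather than bytes.
    if (preg_match('/^.{6,}$/suD', $pass) !== 1) {
        $errors['password'] = 'Password must be at least 6 characters.';
    }
    // Both strings come from the same client, so a plain comparison suffices.
    if ($pass !== $conf) {
        $errors['password_confirmation'] = 'Passwords do not match.';
    }
    return $errors;
}

// h(): the short alias for htmlspecialchars. ENT_QUOTES also escapes the
// single quote, so a value is safe inside either kind of attribute quote.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function form_row_class(array $errors, string $key): string
{
    return isset($errors[$key]) ? 'form_error_row' : '';
}

function error_for(array $errors, string $key): string
{
    return isset($errors[$key])
        ? '<div class="form_error">' . h($errors[$key]) . '</div>'
        : '';
}

// One <tr> of the form. Text fields get the submitted value echoed back
// (escaped); password fields never do, matching the video's choice.
function form_row(string $label, string $key, array $post, array $errors): string
{
    $is_password = substr($key, 0, 8) === 'password';
    $value = $is_password ? '' : ' value="' . h((string) ($post[$key] ?? '')) . '"';
    return '<tr class="' . form_row_class($errors, $key) . '">'
        . '<td>' . h($label) . '</td>'
        . '<td><input type="' . ($is_password ? 'password' : 'text') . '"'
        . ' name="' . h($key) . '"' . $value . '>'
        . error_for($errors, $key) . '</td></tr>';
}

// Constructed sample submission (not real data): a first name carrying an
// HTML injection attempt, a blank last name, a bogus email, a short password
// and a confirmation that does not match.
$sample = [
    'first_name'            => '"><script>alert(1)</script>',
    'last_name'             => '   ',
    'email'                 => 'not-an-address',
    'password'              => 'abc',
    'password_confirmation' => 'abcd',
];
$errors = validate_registration($sample);
print_r($errors);
if (count($errors) === 0) {
    echo "no errors: this is where the INSERT would run\n";
} else {
    // Re-render the form; the injected markup comes back as harmless text.
    echo form_row('First Name', 'first_name', $sample, $errors), "\n";
    echo form_row('Password', 'password', $sample, $errors), "\n";
}
```

Save it as, say, register_validate.php (a hypothetical name) and run `php register_validate.php`; the printed rows show the `"><script>` payload escaped inside the value attribute, while the password row carries no value at all. Two caveats for anyone adapting this to a current stack: the mysql_* functions the video relies on were removed in PHP 7, so the insert belongs in a mysqli or PDO prepared statement, and the "email already used" case is better detected from the driver's error number (MySQL reports a UNIQUE-index collision as error 1062, ER_DUP_ENTRY) than by matching words in the error message. A SELECT before the INSERT does not replace the UNIQUE index, because two concurrent registrations can both pass the SELECT; the index is what actually enforces uniqueness. Passwords that pass validation should be stored with password_hash(), never as submitted.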