The idea is to create a set of “validation descriptors” associated with each element in a form. A “validation descriptor” is nothing but a string specifying the type of validation to be performed.

And when the page loads, the JavaScript code will be executed (the user will see an alert box). This is just a simple and harmless example of how the PHP_SELF variable can be exploited.

Proper validation of form data is important to protect your form from hackers and spammers!

The HTML form we will be working with in these chapters contains various input fields: required and optional text fields, radio buttons, and a submit button:

The validation rules for the form above are as follows:

This code adds a script tag and an alert command.

If the REQUEST_METHOD is POST, then the form has been submitted, and it should be validated. If it has not been submitted, skip the validation and display a blank form.
The script works fine even if the user does not enter any data.
Be aware that any JavaScript code can be added inside the - this would not be executed, because it would be saved as HTML escaped code, like this: &lt;script&gt;location.href(' The code is now safe to be displayed on a page or inside an e-mail.
We will also do two more things when the user submits the form:

The next step is to create a function that will do all the checking for us (which is much more convenient than writing the same code over and over again).

Now, we can check each $_POST variable with the test_input() function, and the script looks like this:

Notice that at the start of the script, we check whether the form has been submitted using $_SERVER["REQUEST_METHOD"].
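The flow described above (check REQUEST_METHOD, pass each $_POST value through test_input(), escape PHP_SELF before echoing it) is sketched below as an added example that is not code from the original page. The body of test_input(), the helper post_field(), and the field names name and email are assumptions, since the page names the function but does not show it.

```php
<?php
// Added example. Field names and the body of test_input() are assumptions.

// Trim a submitted value and HTML-escape it so it is safe to echo back.
function test_input(string $data): string
{
    return htmlspecialchars(trim($data), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Read a POST field as a string; array-valued or missing input becomes ''.
function post_field(string $key): string
{
    $value = $_POST[$key] ?? '';
    return is_string($value) ? $value : '';
}

$name = $email = '';
$errors = [];

// Validate only when the form has been submitted; otherwise show it blank.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $rawName  = trim(post_field('name'));
    $rawEmail = trim(post_field('email'));

    if ($rawName === '') {
        $errors['name'] = 'Name is required';
    }
    if ($rawEmail !== '' && filter_var($rawEmail, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Invalid email format';
    }

    // Escape for output after validating the raw values.
    $name  = test_input($rawName);
    $email = test_input($rawEmail);
}

// PHP_SELF reflects the request path, so escape it before echoing it.
$action = htmlspecialchars($_SERVER['PHP_SELF'] ?? '', ENT_QUOTES, 'UTF-8');
?>
<form method="post" action="<?php echo $action; ?>">
  Name: <input type="text" name="name" value="<?php echo $name; ?>">
  <?php echo test_input($errors['name'] ?? ''); ?><br>
  E-mail: <input type="text" name="email" value="<?php echo $email; ?>">
  <?php echo test_input($errors['email'] ?? ''); ?><br>
  <input type="submit" value="Submit">
</form>
```

Validation runs on the raw trimmed values and escaping is applied only to what is written back into the page, so a script tag submitted in either field is rendered as text rather than executed.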
The expression for matching numbers and characters in the field is: /^[0-9a-zA-Z]+$/

Validation must also be provided for the select field. Sometimes a user forgets to choose an option from the select field.