Introduction

This component makes secure handling of input data easier. With a user defined form definition the component analyses, filters and returns GET and POST data. The component will not render forms to HTML from its definition, but only handles incoming data. The filtering is done through PHP's filter extension and the component supports all filters and flags that this extension supports.

Class overview

ezcInputForm

Is the class that validates the definition, processes the form data and provides functionality for accessing the submitted data.

ezcInputFormDefinitionElement

The container class that wraps around the definition for each form element. It contains whether the field is optional or required, the filter name and optional flags for the filter.

Basic Usage

The example in this section is cut in multiple parts to allow easier explanation.

  1. <?php
  2. $definition = array(
  3.     'firstName' => new ezcInputFormDefinitionElement(
  4.         ezcInputFormDefinitionElement::REQUIRED, 'string'
  5.     ),
  6.     'lastName' => new ezcInputFormDefinitionElement(
  7.         ezcInputFormDefinitionElement::REQUIRED, 'string'
  8.     ),
  9.     'age' => new ezcInputFormDefinitionElement(
 10.         ezcInputFormDefinitionElement::REQUIRED, 'int',
 11.         array( 'min_range' => 1, 'max_range' => 99,
 12.                'flags' => FILTER_FLAG_ALLOW_HEX )
 13.     ),
 14.     'email' => new ezcInputFormDefinitionElement(
 15.         ezcInputFormDefinitionElement::REQUIRED, 'validate_email'
 16.     ),
 17. );
 18. ?>

In the lines above we prepare a definition array that defines our form. A definition array consists of an associative array where the key is the input field name and the value an object of the ezcInputFormDefinitionElement class.

The first parameter to the constructor is either ezcInputFormDefinitionElement::REQUIRED for fields that have to be submitted (although they can be empty) or ezcInputFormDefinitionElement::OPTIONAL for optional fields. The second parameter is the filter to use for this input field. The filters are defined in PHP's filter extension, and can also be retrieved by the PHP function input_filters_list(). The third optional parameter contains flags to the filter. Those are documented in the filter documentation.

In the definition above we define four input fields, which are all required. Two of them are strings (firstName and lastName), one is an integer (age) and the last one an e-mail address (email).

  1. <?php
  2. foreach ( $definition as $name => $dummy )
  3. {
  4.     $propertyName = "property_$name";
  5.     $propertyWarningName = "warning_$name";
  6.     $$propertyName = '';
  7.     $$propertyWarningName = '';
  8. }
  9. ?>

Here we just initialize the variables that are used to show the current value and whether invalid data was submitted to the form. This is later used to render the form.

  1. <?php
  2. if ( ezcInputForm::hasGetData() )
  3. {
  4.     $form = new ezcInputForm( INPUT_GET, $definition );
  5. 
  6.     foreach ( $definition as $name => $dummy )
  7.     {
  8.         $propertyName = "property_$name";
  9.         $propertyWarningName = "warning_$name";
 10.         if ( $form->hasValidData( $name ) )
 11.         {
 12.             $$propertyName = $form->$name;
 13.         }
 14.         else
 15.         {
 16.             $$propertyName =
 17.                 htmlspecialchars( $form->getUnsafeRawData( $name ) );
 18.             $$propertyWarningName = '[invalid]';
 19.         }
 20.     }
 21. }
 22. ?>

In line 2 we check whether there was GET data submitted to this script. Besides the ezcInputForm::hasGetData() method to verify if there is GET data available there is another method, ezcInputForm::hasPostData(), which does the similar thing but then for POST data. Upon instantiation of the ezcInputForm object in line 4 the component will parse the input data and makes the input fields available through the object. In case one of the required input variables did not exist in the input data this instantiation will throw an ezcInputFormFieldNotFoundException exception.

In lines 6 to 20 we loop over all elements from the definition and check (line 10) whether the field has valid data. When there is valid data available we retrieve the value from the $form object through a property (line 12) and in case the data for a field was invalid we fetch the raw data with the ezcInputForm::getUnsafeRawData() function, encode that with htmlspecialchars and set the parameter with the name "property_<fieldname>" to the encoded raw data. We also record in the "warning_<fieldname>" variable if the field has invalid data.

  1. <form action='tutorial_example_01.php'>
  2. First name: <input type='text' name='firstName' value='<?php echo $property_firstName; ?>'/><?php echo $warning_firstName; ?><br/>
  3. Last name: <input type='text' name='lastName' value='<?php echo $property_lastName; ?>'/><?php echo $warning_lastName; ?><br/>
  4. Age: <input type='text' name='age' value='<?php echo $property_age; ?>'/><?php echo $warning_age; ?><br/>
  5. E-mail: <input type='text' name='email' value='<?php echo $property_email; ?>'/><?php echo $warning_email; ?><br/>
  6. <input type='submit' value='submit'/><br/>
  7. </form>
  8. <?php
  9. // just to make my test script happy
 10. ?>

The last part of this example renders the form. If previous data was submitted it will be shown as default value in the input fields. If the data for one of the fields was invalid it will show that next to the field as well.

More Information

The filters and its parameters are documented are documented in the filter documentation.