Email form validation

fisicx

Moderator
Sep 12, 2006
46,946
9
15,514
Aldershot
www.aerin.co.uk
Help!

I've got 99% of my form validation sorted but one bit is bugging me.

All I want to do is check for symbols in the telephone number,

I pick up the variable from the form and check it like this:

function VerifyForm(&$values, &$errors)
{
if(!preg_match("[^0-9]",$values['telephone']))
$errors['telephone'] = 'no symbols';
if(empty($values['telephone']))
$errors['telephone'] = 'Please enter a telephone number';
}


The form field is this:

<p class="error"><?= $errors['telephone'] ?></p>
<p><input type="text" size="20" name="telephone" value="<?=htmlentities($values['telephone']) ?>"/></p>

If I put letters or symbols it returns the error. But it also tells me that 0-9 are symbols as well! It's going to be something really simple but I can't see it.

Note if you leave the field blank the correct error message displays.

The test form is here: http://www.aerin.co.uk/contactform/errors3.php

All the other fields work fine.

PS: This one works but just strips out the dodgy characters, I want to be a bit more user friendly: http://www.aerin.co.uk/contactform/errors.php
 
Last edited:

J-Wholesale

Free Member
Jul 13, 2008
764
213
Are you sure you're not overdoing it with the validation? People often enter non numeric characters into telephone fields - +, #, (), for example - and they don't make the number unusable. The only validation I ever impose is to check for content in critical fields, and to ensure email addresses are valid. Everything else is open to interpretation, and shouldn't be restricted.
 
Upvote 0

Red Kite

Free Member
Oct 3, 2009
9
1
I used the ctype_digit function to check whether there were only digits within the string, and that seemed to work OK. There does seem to be a lack of a decent preg_match tutorial available, either online or in a text book.

<?php

$telephone = $_POST['telephone'];

if(!ctype_digit($telephone))
{
$errors['telephone'] = 'no symbols';
}
if(empty($telephone)){
$errors['telephone'] = 'Please enter a telephone number';
}

?>
<p class="error">
<?php
if (!empty($errors['telephone'])) {
echo $errors['telephone'];
}
?>
</p>
<p><input type="text" size="20" name="telephone" value="<?php echo $telephone ?>"/></p>

If I'm barking up the wrong tree completely here, please forgive me - I'm fairly new to PHP, and it's 5.30 in the bloody morning;)
 
Upvote 0

fisicx

Moderator
Sep 12, 2006
46,946
9
15,514
Aldershot
www.aerin.co.uk
Thanks for the advice. Agree that people can use symbols and if I can get the thing to work I'll add the usual suspects. Allowing any character opens the chance of an SQL attack which is why I am experimenting with the validation.
 
Upvote 0

fisicx

Moderator
Sep 12, 2006
46,946
9
15,514
Aldershot
www.aerin.co.uk
I should that if any one wants the form and associated validation it's a freebie. It has proved very robust over the years, doesn't need and external program or app to male it work and the level of spam is almost zero.
 
  • Like
Reactions: Red Kite
Upvote 0

fisicx

Moderator
Sep 12, 2006
46,946
9
15,514
Aldershot
www.aerin.co.uk
Still can't get it to work so it's a plea for help...

What I want to do is check the whole string for anything other than 0-9, the symbols +-() and a space. If there is a match then the error message asks the user to check their telephone number.

I'm sure it should be something like:

if(preg_match("[^0-9+-() ]",$string'])) $error = "Check your telephone number";

But it doesn't work!

Suggestion please?

PS: I'm not the best programmer in the world, creating forms is about my limit at the moment
 
Upvote 0

fisicx

Moderator
Sep 12, 2006
46,946
9
15,514
Aldershot
www.aerin.co.uk
Thanks Kev but using ctype_digit won't pass the +-() chartacters.

I've been all over the place looking for solutions to no avail. Lots of solutions to check the format of a US number or to strip out the non numerical characters but not to only permit certain combinations. I can get it to validate 0-9, and check for empty strings but I want it to fail the string A1234 but pass +1234. The idea being if your number is +44 (1234) 567890 all will be ok but if you enter ASDF1234$%^& it fails.
 
Upvote 0
K

Kev Jaques

You could split the number out into separate inputs, country code, area code, number, that way you can easily check using is_int or equivalent. If you force the input to always be in the format you want then you can make the checking easier.

comparison examples below - true/false
function another_is_int($a)
{
return ((string) $a) === ((string)(int) $a);
}
or
function is_unsigned_int($val) {
return ctype_digit((string) $value));
}
you will need to do some case tests for various combinations, the idea with the filtering is to remove any dodgy characters from the equation so it doesn't matter if they input garbage, you can then look to combinations.
 
Upvote 0

fisicx

Moderator
Sep 12, 2006
46,946
9
15,514
Aldershot
www.aerin.co.uk
Whooshing way over my head there matey. I understand about splitting the fields but that way too complicated for most of the users in cyber land.

Waht would be the code to simply check for anything other than the numbers 0-9. If I can get that to work it would be a start. Will this do it:

if(preg_match("[^0-9]",$string'])) $error = "Check your telephone number";

I've also been advised that !preg_match means negate - WTF does than mean?
 
Upvote 0
I'm sure it should be something like:

if(preg_match("[^0-9+-() ]",$string'])) $error = "Check your telephone number";

But it doesn't work!

Suggestion please?

Shouldn't some of those characters be escaped? Something like:

0-9\+\- ...

because characters like + have their own meaning in preg_match (+ = required)

Have a look at this tutorial.

You still might be over-validating, what if people want to enter:

home 0207 111111 mobile 07766 111111

or

0207 111111 evenings
 
Last edited:
Upvote 0

fisicx

Moderator
Sep 12, 2006
46,946
9
15,514
Aldershot
www.aerin.co.uk
Oooo you can go off people you know.

I have other validation checkers that don't escape the characters but I will look into this.

Hadn't thought about someone adding letters but this can be accomodated. The real reason for validation is to sanitize the fields. It's fairly easy to use preg_replace to get rid of the iffy characters but I just wanted to provide a bit of feedback to the user if they had had finger trouble.
 
Upvote 0
if(preg_match("[^0-9]",$string'])) $error = "Check your telephone number";

I've also been advised that !preg_match means negate - WTF does than mean?
preg_match returns TRUE if the string passes the match criteria, so you don't want to be outputting errors if preg_match is TRUE, you want to be outputting errors if preg_match returns FALSE (if you are looking for allowable characters)

The ! flips the boolean value of what follows it, and in some ways can be read as boolean logic NOT - so true becomes false and false becomes true

so

if ( !preg_match(...

means in english:

if not a preg_match then..

or more technically:

if the value returned by preg_match negated is true then...

I have set up some samples which demonstrate preg_match for telephone numbers

PHP:
<HTML>
<BODY>
<?php

$string = "02071111111";
echo preg_match( "/^[0-9]+$/", $string );
//OK

$string = "0207 1111111";
echo preg_match( "/^[0-9]+$/", $string );
//FAIL

$string = "0207 1111111";
echo preg_match( "/^[0-9 ]+$/", $string );
 //OK
 
$string = "0207 111-1111";
echo preg_match( "/^[0-9 ]+$/", $string );
//FAIL
 
$string = "0207 111-1111";
echo preg_match( "/^[0-9 \-]+$/", $string );
//OK
 
$string = "(0207) 111-1111";
echo preg_match( "/^[0-9 \-]+$/", $string );
//FAIL
 
$string = "(0207) 111-1111";
echo preg_match( "/^[0-9 \-\(\)]+$/", $string );
//OK
 
$string = "+44 (207) 111-1111";
echo preg_match( "/^[0-9 \-\(\)]+$/", $string );
//FAIL
 
$string = "+44 (207) 111-1111";
echo preg_match( "/^[0-9 \+\-\(\)]+$/", $string );
//OK
 
$string = "home +44 (207) 111-1111 mobile 07766 111.1111";
echo preg_match( "/^[0-9 \+\-\(\)]+$/", $string );
//FAIL
 
$string = "home +44 (207) 111-1111 mobile 07766 111.1111";
echo preg_match( "/^[a-zA-Z0-9_ \+\-\(\)\.]+$/", $string );
//OK
 
$string = "home +44 [207] 111-1111 mobile 07766 111.1111";
echo preg_match( "/^[a-zA-Z0-9_ \+\-\(\)\.]+$/", $string );
//FAIL
 
$string = "home +44 [207] 111-1111 mobile 07766 111.1111";
echo preg_match( "/^[a-zA-Z0-9_ \+\-\[\]\(\)\.]+$/", $string );
//OK
 
$string = "home +44 {207} 111-1111 mobile 07766 111.1111";
echo preg_match( "/^[a-zA-Z0-9_ \+\-\[\]\(\)\.]+$/", $string );
//FAIL
 
$string = "home +44 {207} 111-1111 mobile 07766 111.1111";
echo preg_match( "/^[a-zA-Z0-9_ \+\-\{\}\[\]\(\)\.]+$/", $string );
//OK
 
?>
</BODY>
</HTML>
This actually starts with a test that passes, then introduces something else to the string so that the test fails, so then the test is amended so that it caters for the extra characters and so on, and the php returns:

101010101010101

But it also demonstrates that the more you test for the different characters that real people might enter into a telephone field, you end up allowing so many characters that, IMO, you may as well not perform any character validation on it at all!
 
Last edited:
Upvote 0

fisicx

Moderator
Sep 12, 2006
46,946
9
15,514
Aldershot
www.aerin.co.uk
Thank you muchly. It's given me something to play with this evening.
 
Upvote 0

fisicx

Moderator
Sep 12, 2006
46,946
9
15,514
Aldershot
www.aerin.co.uk
Sorted thanks very much.

It was the "/ and /" that did it.

Note that you don't need to escape the characters in the character class:

preg_match( "/[^0-9-+()]/", $string))

Thanks a million.
 
Upvote 0

Latest Articles

Join UK Business Forums for free business advice