PHP Forms & Validation
Complete Guide in Hindi
Everything you need on PHP form handling: $_POST/$_GET, form validation, sanitization, CSRF protection and a custom Validator class, with real examples.
📋 What this article covers
- $_POST और $_GET
- $_REQUEST और $_SERVER
- Sanitization: cleaning input
- Validation: checking input
- filter_var() Functions
- CSRF Protection
- Common Form Examples
- Validator Class (OOP)
- File Upload Validation
- Complete Registration Form
$_POST: form data that arrives in the HTTP body (method="POST"). Use it for passwords and other sensitive data. $_GET: data that arrives in the URL (?key=value). Use it for search, pagination and filters. Neither is "secure" on its own: both are fully attacker-controlled, and POST only keeps the data out of the address bar, history and logs; it does not stop anyone from sending their own request.

| Feature | $_POST | $_GET |
|---|---|---|
| Data location | HTTP body | URL (?key=val) |
| Visible | ❌ Not in the address bar | ✅ Shown in the URL (and in history, proxy/server logs, Referer) |
| Size limit | post_max_size (8M by default in php.ini) | ~2000 chars (browser/server dependent) |
| Bookmark | ❌ No | ✅ The URL can be bookmarked |
| Use case | Login, register, forms | Search, filter, pagination |
| Cache | ❌ Not cached | ✅ The browser may cache it |
```php
<?php
// HTML form, method POST:
// <form method="POST" action="process.php">
//   <input name="naam"><input name="email">
// </form>

// $_POST: read the submitted form values
if ($_SERVER["REQUEST_METHOD"] === "POST") {
    $naam  = $_POST["naam"] ?? "";
    $email = $_POST["email"] ?? "";
    // These values go straight back into the page, so escape them for HTML output
    echo "Name: " . htmlspecialchars($naam, ENT_QUOTES, "UTF-8")
       . ", Email: " . htmlspecialchars($email, ENT_QUOTES, "UTF-8");
}

// $_GET: URL parameters
// URL: search.php?q=php&page=2
$query = $_GET["q"] ?? "";
$page  = (int) ($_GET["page"] ?? 1);   // cast: a page number must be an integer
echo "Search: " . htmlspecialchars($query, ENT_QUOTES, "UTF-8") . ", Page: $page";

// isset vs ?? (null coalescing)
// Old: isset($_POST['naam']) ? $_POST['naam'] : ''
// New: $_POST['naam'] ?? ''   <- prefer this
```
```php
<?php
// Request method
echo $_SERVER["REQUEST_METHOD"];      // GET, POST, PUT...

// Current URL info
echo $_SERVER["HTTP_HOST"];           // example.com (copied from the client's Host header)
echo $_SERVER["REQUEST_URI"];         // /path?query=val
echo $_SERVER["SCRIPT_NAME"];         // /index.php
echo $_SERVER["DOCUMENT_ROOT"];       // /var/www/html

// Client info
echo $_SERVER["REMOTE_ADDR"];         // TCP peer address; behind a proxy/load balancer this is the proxy
echo $_SERVER["HTTP_USER_AGENT"];     // browser string, client-supplied
echo $_SERVER["HTTP_REFERER"] ?? "";  // previous page URL, client-supplied and frequently absent

// HTTPS check
$isHttps = isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] !== "off";
```

Every HTTP_* key is a request header copied verbatim, so HTTP_HOST, HTTP_REFERER and HTTP_USER_AGENT are user input like anything in $_POST: escape them before output, do not use HTTP_REFERER as an access check, and never build password-reset or redirect links from HTTP_HOST.
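Two of the $_SERVER keys above are misused often enough to deserve a worked example. The following is an added example (my code, not the article's): a client-IP helper that only believes X-Forwarded-For when the direct peer is one of our own proxies, and a link builder that ignores HTTP_HOST. The proxy list, the function names and the sample request arrays are constructed for this example; it assumes PHP 8.

```php
<?php
declare(strict_types=1);

// Added example, not from the original article. Assumptions: the app sits behind a
// reverse proxy whose address we know, and that proxy APPENDS the real client IP to
// X-Forwarded-For. The $trustedProxies list and the helper names are made up here.

/**
 * Return the client IP we can actually trust.
 * - REMOTE_ADDR comes from the TCP layer, so the client cannot forge it.
 * - X-Forwarded-For is a plain header: only believe it when the direct peer is one
 *   of OUR proxies, and then take the right-most address that is not a proxy
 *   (proxies append; the attacker controls everything to the left).
 */
function clientIp(array $server, array $trustedProxies): string
{
    $remote = $server["REMOTE_ADDR"] ?? "";
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return "0.0.0.0";                     // cannot happen under a real SAPI
    }
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;                       // direct connection: the header is noise
    }

    $chain = array_map("trim", explode(",", $server["HTTP_X_FORWARDED_FOR"] ?? ""));
    for ($i = count($chain) - 1; $i >= 0; $i--) {
        $hop = $chain[$i];
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break;                            // garbage in the header: fall back to the peer
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;                      // first non-proxy from the right = real client
        }
    }
    return $remote;
}

/**
 * Absolute URL for links we put in e-mails (password reset etc.).
 * Never derive the host from HTTP_HOST: the attacker chooses that header and can
 * make the reset link point at their own server. Use a configured canonical host.
 */
function absoluteUrl(string $canonicalHost, string $path): string
{
    return "https://" . $canonicalHost . "/" . ltrim($path, "/");
}

// Constructed sample requests (no real traffic involved):
$trusted = ["10.0.0.5"];

// 1. Direct connection; the client sends a spoofed X-Forwarded-For, which is ignored.
$direct = ["REMOTE_ADDR" => "203.0.113.9", "HTTP_X_FORWARDED_FOR" => "127.0.0.1"];
echo clientIp($direct, $trusted), "\n";

// 2. Via our proxy; the attacker prepended a fake hop, the proxy appended the real one.
$proxied = ["REMOTE_ADDR" => "10.0.0.5", "HTTP_X_FORWARDED_FOR" => "1.2.3.4, 198.51.100.7"];
echo clientIp($proxied, $trusted), "\n";

// 3. Host header poisoning: the Host header is attacker-chosen, the link must not follow it.
$_SERVER["HTTP_HOST"] = "evil.example";
echo absoluteUrl("app.example.com", "/reset"), "\n";
```

Case 1 yields 203.0.113.9 (the peer), case 2 yields 198.51.100.7 (the proxy-appended hop, not the attacker's 1.2.3.4), and case 3 yields https://app.example.com/reset regardless of what the Host header said.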
```php
<?php
$raw = " <script>alert('xss')</script> Rahul Kumar ";

// 1. trim: remove surrounding whitespace
echo trim($raw);

// 2. htmlspecialchars: prevents XSS (apply at OUTPUT time, when echoing into HTML)
echo htmlspecialchars($raw, ENT_QUOTES, "UTF-8");
// <script> becomes &lt;script&gt;, quotes become &quot; / &#039;

// 3. strip_tags: removes HTML tags (a content filter, not an XSS defence)
echo strip_tags($raw); // script tag gone, the text alert('xss') remains

// 4. filter_var: built-in sanitize filters
echo filter_var(" rahul@gmail.com ", FILTER_SANITIZE_EMAIL);
echo filter_var("₹1,299.50", FILTER_SANITIZE_NUMBER_FLOAT, FILTER_FLAG_ALLOW_FRACTION);
// 1299.50 (currency symbol and thousands separator removed)

// 5. Reusable sanitize function
function sanitize(string $input): string {
    return htmlspecialchars(strip_tags(trim($input)), ENT_QUOTES, "UTF-8");
}

// 6. Array sanitize: recursive, because $_POST can contain nested arrays
//    (checkbox groups like skills[]) and sanitize(string) would throw a TypeError on them
function sanitizeAll(array $data): array {
    return array_map(
        fn($v) => is_array($v) ? sanitizeAll($v) : sanitize((string) $v),
        $data
    );
}
$clean = sanitizeAll($_POST); // every field sanitized
```

A caveat on steps 5 and 6: running htmlspecialchars() at input time is convenient, but it stores HTML-encoded text in the database, which then looks wrong in every non-HTML consumer (JSON APIs, e-mails, CSV exports) and invites double encoding. The safer pattern is: validate on input, store the raw value, and escape at the moment of output for the context you are writing into.
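Following on from the point that htmlspecialchars() belongs at output time, here is an added example (my code, not the article's) showing why strip_tags() alone does not stop XSS and why the escaping function has to match the context the value lands in. The helper names escAttr/escJs/escUrl and the attacker payload are this example's own constructions.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original article. Demonstrates that strip_tags()
// is not an XSS defence and that escaping must match the output context.
// Helper names are this example's own.

// HTML body text and attribute values: ENT_QUOTES is essential for attributes
function escAttr(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, "UTF-8");
}
// A value embedded inside an inline <script> block
function escJs(string $s): string {
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}
// A single query-string component
function escUrl(string $s): string {
    return rawurlencode($s);
}

// Constructed attacker input: contains no HTML tag, so strip_tags() has nothing to remove
$payload = '" autofocus onfocus="alert(document.cookie)';
$stripped = strip_tags($payload);   // identical to $payload

// 1. Unescaped into an attribute: the quote closes value="..." and injects an event handler
$vulnerable = '<input name="naam" value="' . $stripped . '">';

// 2. Escaped for the attribute context: the quote becomes &quot; and stays inside the value
$safeAttr = '<input name="naam" value="' . escAttr($payload) . '">';

// 3. Same value inside inline JavaScript: HTML escaping is the wrong tool here;
//    json_encode with the HEX flags yields a string literal that cannot break out,
//    and JSON_HEX_TAG also neutralises a literal </script>
$safeJs = '<script>var naam = ' . escJs($payload) . ';</script>';

// 4. Same value in a URL query: percent-encode the component, then escape the
//    attribute that carries the URL (two contexts, two layers)
$safeUrl = '<a href="/search?q=' . escAttr(escUrl($payload)) . '">search</a>';

foreach (["vulnerable" => $vulnerable, "attr" => $safeAttr, "js" => $safeJs, "url" => $safeUrl] as $k => $v) {
    echo $k, ": ", $v, "\n";
}
```

Running it shows the first line with a live onfocus handler and the other three with the quote encoded as &quot;, \u0022 and %22 respectively; the same input needed three different encoders.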
```php
<?php
// Read the raw values first; ?? "" means a missing field yields "" instead of a warning
$naam     = trim($_POST["naam"] ?? "");
$email    = trim($_POST["email"] ?? "");
$mobile   = trim($_POST["mobile"] ?? "");
$website  = trim($_POST["website"] ?? "");
$password = $_POST["password"] ?? "";   // do not trim passwords: spaces the user typed are part of them

$errors = [];

// Required field
if ($naam === "") {
    $errors["naam"] = "Name is required";
}

// Minimum length: mb_strlen() counts characters, strlen() counts bytes
// ("राम" is 3 characters but 9 bytes in UTF-8)
if (mb_strlen($naam) < 3) {
    $errors["naam"] = "Name must be at least 3 characters";
}

// Email
if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
    $errors["email"] = "Enter a valid email";
}

// Mobile number (Indian): 10 digits, first digit 6-9
if (!preg_match("/^[6-9]\d{9}$/", $mobile)) {
    $errors["mobile"] = "Enter a valid 10-digit mobile number";
}

// Numeric range: cast first, so "abc" becomes 0 and fails the range check
$age = (int) ($_POST["age"] ?? 0);
if ($age < 18 || $age > 100) {
    $errors["age"] = "Age must be between 18 and 100";
}

// URL: syntax only. FILTER_VALIDATE_URL does not restrict the scheme, so also check
// that parse_url($website, PHP_URL_SCHEME) is http or https before you ever link to it
if (!filter_var($website, FILTER_VALIDATE_URL)) {
    $errors["website"] = "Enter a valid URL";
}

// Password strength
if (strlen($password) < 8) {
    $errors["password"] = "Password must be at least 8 characters";
} elseif (!preg_match("/(?=.*[A-Z])(?=.*[0-9])/", $password)) {
    $errors["password"] = "Password needs at least one uppercase letter and one digit";
}

// Confirm password match
if ($password !== ($_POST["confirm_password"] ?? "")) {
    $errors["confirm_password"] = "Passwords do not match";
}

// Result
if (empty($errors)) {
    echo "✅ All valid, proceed!";
} else {
    print_r($errors);
}
```
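Three of the checks above are looser than they look: FILTER_VALIDATE_URL accepts any scheme, strlen() measures bytes rather than characters, and the mobile pattern rejects a number typed with a +91 prefix. The following is an added example (my code, not the article's) with tightened versions. The function names validateHttpUrl, lengthBetween and normaliseIndianMobile are this example's own, the javascript:// input is a constructed payload, and PHP 8 is assumed.

```php
<?php
declare(strict_types=1);

// Added example, not from the original article. Function names are this example's own.

/**
 * FILTER_VALIDATE_URL only checks URL syntax (a scheme, a host, legal characters).
 * "javascript://comment%0Aalert(1)" has a scheme and a host, so it is accepted, and an
 * <a href> built from it runs script when clicked. Whitelist the scheme explicitly.
 */
function validateHttpUrl(string $url): ?string
{
    $valid = filter_var($url, FILTER_VALIDATE_URL);
    if ($valid === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($valid, PHP_URL_SCHEME));
    return in_array($scheme, ["http", "https"], true) ? $valid : null;
}

/**
 * Length limits in characters, not bytes, so Devanagari or emoji input is measured
 * the way the user sees it. Rejects non-strings outright (naam[]=x would otherwise
 * make strlen() throw a TypeError and turn a bad request into a 500).
 */
function lengthBetween(mixed $value, int $min, int $max): bool
{
    if (!is_string($value)) {
        return false;
    }
    $len = mb_strlen($value, "UTF-8");
    return $len >= $min && $len <= $max;
}

/**
 * Indian mobile number: drop spaces/dashes and an optional +91 or 0 prefix, then apply
 * the article's pattern. Returns the canonical 10-digit form or null.
 */
function normaliseIndianMobile(string $raw): ?string
{
    $digits = preg_replace("/\D/", "", $raw) ?? "";
    $digits = preg_replace("/^(91|0)(?=[6-9]\d{9}$)/", "", $digits) ?? "";
    return preg_match("/^[6-9]\d{9}$/", $digits) === 1 ? $digits : null;
}

// Constructed inputs exercising each helper:
$urls = [
    "https://example.com/profile",
    "javascript://comment%0Aalert(1)",   // syntactically a URL, semantically an XSS payload
    "ftp://example.com/file",
];
foreach ($urls as $u) {
    printf("%-36s filter_var: %-5s scheme whitelist: %s\n",
        $u,
        filter_var($u, FILTER_VALIDATE_URL) === false ? "false" : "ok",
        validateHttpUrl($u) ?? "rejected");
}

var_dump(lengthBetween("राम", 3, 50));   // three characters, accepted
var_dump(strlen("राम"));                  // byte count, which is why strlen() is the wrong tool
var_dump(lengthBetween(["x"], 1, 50));    // array smuggled in, rejected without an exception

var_dump(normaliseIndianMobile("+91 98765-43210"));
var_dump(normaliseIndianMobile("12345"));
```

The javascript:// line is the one to watch: filter_var reports it as a valid URL, the scheme whitelist rejects it. The same idea applies to any "validated" value you later interpolate into a dangerous sink: the validator must know the sink.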
| Filter | Checks / does | Example |
|---|---|---|
| FILTER_VALIDATE_EMAIL | Email format | user@example.com |
| FILTER_VALIDATE_URL | URL format (any scheme) | https://example.com |
| FILTER_VALIDATE_IP | IP address | 192.168.1.1 |
| FILTER_VALIDATE_INT | Integer (returns int) | 42, -5 |
| FILTER_VALIDATE_FLOAT | Float number | 3.14 |
| FILTER_VALIDATE_BOOLEAN | Boolean | true/false/1/0/yes/no/on/off |
| FILTER_SANITIZE_EMAIL | Cleans an email | removes illegal chars |
| FILTER_SANITIZE_URL | Cleans a URL | removes illegal chars |
| FILTER_SANITIZE_NUMBER_INT | Keeps integer chars | digits, + and - only |
| FILTER_SANITIZE_SPECIAL_CHARS | HTML-encodes special chars | XSS protection (at output) |

```php
<?php
// Validate: returns the value (converted to the target type) on success, false on failure
var_dump(filter_var("rahul@gmail.com", FILTER_VALIDATE_EMAIL)); // string(15) "rahul@gmail.com"
var_dump(filter_var("not-email", FILTER_VALIDATE_EMAIL));       // bool(false)
var_dump(filter_var("https://hnp.com", FILTER_VALIDATE_URL));   // string(15) "https://hnp.com"
var_dump(filter_var("42", FILTER_VALIDATE_INT));                // int(42): converted, not the string "42"
var_dump(filter_var("abc", FILTER_VALIDATE_INT));               // bool(false)

// Range check with options
$age = filter_var(25, FILTER_VALIDATE_INT, [
    "options" => ["min_range" => 18, "max_range" => 100]
]);
var_dump($age); // int(25): valid

// Validate several inputs at once: filter_input_array
// Per key the result is the validated value, false if invalid, null if the field was not sent.
// The whole result is null when no POST data arrived at all (e.g. a GET request).
$rules = [
    "email"   => FILTER_VALIDATE_EMAIL,
    "age"     => FILTER_VALIDATE_INT,
    "website" => FILTER_VALIDATE_URL,
];
$valid = filter_input_array(INPUT_POST, $rules);
if ($valid === null || $valid["email"] === null || $valid["email"] === false) {
    // missing or invalid email: compare with === because 0, "" and false are all falsy
}
```
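The null/false distinction above is the part people get wrong, and FILTER_VALIDATE_BOOLEAN makes it worse because a legitimate "no" also comes back as false. The following added example (my code, not the article's) validates a whole form from one filter definition and separates "missing", "invalid" and "legitimately false". It uses filter_var_array() on a constructed array so it runs from the CLI; the definition syntax is identical for filter_input_array(). The validateForm name and the sample submission are this example's own.

```php
<?php
declare(strict_types=1);

// Added example, not from the original article. filter_var_array() instead of
// filter_input_array() so the block runs on a constructed array from the CLI.

$definition = [
    "email"   => FILTER_VALIDATE_EMAIL,
    "age"     => ["filter"  => FILTER_VALIDATE_INT,
                  "options" => ["min_range" => 18, "max_range" => 100]],
    "website" => ["filter"  => FILTER_VALIDATE_URL,
                  "flags"   => FILTER_FLAG_PATH_REQUIRED],
    // Booleans: "false", "off", "no", "0" are VALID input and return false, which collides
    // with the "invalid" marker. FILTER_NULL_ON_FAILURE makes invalid input null instead.
    "newsletter" => ["filter" => FILTER_VALIDATE_BOOLEAN,
                     "flags"  => FILTER_NULL_ON_FAILURE],
];

/** Returns [cleanValues, errors]; every key of $definition is present in cleanValues. */
function validateForm(array $input, array $definition): array
{
    // add_empty = true (the default): keys that were not submitted come back as null
    $result = filter_var_array($input, $definition, true);
    if (!is_array($result)) {
        $result = array_fill_keys(array_keys($definition), null);
    }

    $errors = [];
    foreach ($definition as $field => $spec) {
        $flags = is_array($spec) ? ($spec["flags"] ?? 0) : 0;
        $nullMeansInvalid = ($flags & FILTER_NULL_ON_FAILURE) !== 0;
        $value = $result[$field];

        if (!$nullMeansInvalid) {
            if ($value === null) {
                $errors[$field] = "missing";
            } elseif ($value === false) {
                $errors[$field] = "invalid";
            }
        } elseif ($value === null && array_key_exists($field, $input)) {
            // Submitted but unparseable; a missing checkbox is simply "not ticked", not an error
            $errors[$field] = "invalid";
        }
    }
    return [$result, $errors];
}

// Constructed submission: a good email, an under-age value, no website, and an opt-out
$post = ["email" => "rahul@example.com", "age" => "17", "newsletter" => "no"];
[$clean, $errors] = validateForm($post, $definition);
var_dump($clean);
var_dump($errors);
```

In the dump, age is false (out of range) and website is null (never sent), so the errors array holds exactly those two; newsletter is false as well but is not an error, because the NULL_ON_FAILURE flag lets the code tell "user said no" apart from "could not parse".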
```php
<?php
// Start the session once per request, before any output. Guarding it lets the helpers be
// called in any order without "session already started" notices.
function ensureSession(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Generate the token (when rendering the form)
function generateCSRFToken(): string {
    ensureSession();
    if (empty($_SESSION["csrf_token"])) {
        $_SESSION["csrf_token"] = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    }
    return $_SESSION["csrf_token"];
}

// Verify the token (when the form is submitted)
function verifyCSRFToken(string $token): bool {
    ensureSession();
    // Both sides must be non-empty: hash_equals("", "") is true, so a session that has
    // no token yet must never be allowed to "match" an empty field
    if (empty($_SESSION["csrf_token"]) || $token === "") return false;
    return hash_equals($_SESSION["csrf_token"], $token); // timing-safe compare
}

// Process the submission BEFORE any HTML is sent, so http_response_code() still works
if ($_SERVER["REQUEST_METHOD"] === "POST") {
    $posted = $_POST["csrf_token"] ?? "";
    if (!is_string($posted) || !verifyCSRFToken($posted)) {   // csrf_token[]=x would otherwise TypeError
        http_response_code(403);
        exit("❌ CSRF token invalid!");
    }
    // ✅ Token valid: process the form
    unset($_SESSION["csrf_token"]); // one-time use: the next render issues a fresh token
}

// Use in the form
?>
<form method="POST">
    <input type="hidden" name="csrf_token" value="<?= generateCSRFToken() ?>">
    <input type="text" name="naam">
    <button>Submit</button>
</form>
```
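To make the failure modes of the check concrete, here is an added example (my code, not the article's): the same token logic wrapped in a small class that works on any array passed by reference, so it can be exercised from the CLI with a stand-in for $_SESSION, plus the session-cookie flags that stop most cross-site POSTs before the token is even needed. The CsrfGuard class name, its methods and the test cases are this example's own; session_set_cookie_params() with an options array is real PHP (7.3+), and PHP 8 is assumed.

```php
<?php
declare(strict_types=1);

// Added example, not from the original article. In production pass $_SESSION to the
// constructor; here a plain array stands in for it so the block runs from the CLI.

final class CsrfGuard
{
    private const KEY = "csrf_token";
    private array $session;

    public function __construct(array &$session)
    {
        $this->session = &$session;
    }

    /** Call before session_start(): cookie flags that block most CSRF at the browser. */
    public static function hardenSessionCookie(): void
    {
        session_set_cookie_params([
            "secure"   => true,    // only sent over HTTPS
            "httponly" => true,    // not readable from JavaScript
            "samesite" => "Lax",   // browsers omit the cookie on cross-site POSTs
        ]);
    }

    /** Issue (or reuse) the per-session token for embedding in a form. */
    public function token(): string
    {
        if (!isset($this->session[self::KEY]) || !is_string($this->session[self::KEY])) {
            $this->session[self::KEY] = bin2hex(random_bytes(32));
        }
        return $this->session[self::KEY];
    }

    /**
     * Validate a submitted token. Rejects: non-string input (csrf_token[]=x), an empty
     * field, a session without a token, a length mismatch, and a wrong value.
     * hash_equals() keeps the comparison timing-safe once both sides are real strings.
     */
    public function check(mixed $submitted): bool
    {
        $stored = $this->session[self::KEY] ?? null;
        if (!is_string($stored) || $stored === "" || !is_string($submitted) || $submitted === "") {
            return false;   // hash_equals("", "") would be TRUE: never let it get that far
        }
        return hash_equals($stored, $submitted);
    }

    /** Invalidate after a successful state-changing request (one-time token). */
    public function rotate(): void
    {
        unset($this->session[self::KEY]);
    }
}

// Constructed session array standing in for $_SESSION:
$session = [];
$guard = new CsrfGuard($session);
$issued = $guard->token();                       // what the form renders into the hidden field
$tampered = ($issued[0] === "a" ? "b" : "a") . substr($issued, 1);   // same length, one hex digit changed

$cases = [
    "missing field"   => null,
    "empty string"    => "",
    "array smuggled"  => ["x"],
    "wrong length"    => "deadbeef",
    "one digit off"   => $tampered,
    "correct token"   => $issued,
];
foreach ($cases as $label => $value) {
    printf("%-20s %s\n", $label, $guard->check($value) ? "ACCEPT" : "reject");
}

$guard->rotate();
printf("%-20s %s\n", "replayed after use", $guard->check($issued) ? "ACCEPT" : "reject");

// Fresh session with no token yet (victim never opened the form); attacker posts an empty field
$empty = [];
$fresh = new CsrfGuard($empty);
printf("%-20s %s\n", "empty vs empty", $fresh->check("") ? "ACCEPT" : "reject");
```

Only the "correct token" line is accepted; everything else, including the replay after rotate() and the empty-versus-empty case, is rejected. One-time tokens do break a user who has the form open in two tabs, so many applications keep a single per-session token and rely on SameSite cookies plus hash_equals() instead; either way the non-empty check stays.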
```php
<?php
$errors = [];

// Checkbox: present in $_POST only when ticked, so check with isset
$newsletter    = isset($_POST["newsletter"]) ? 1 : 0;
$termsAccepted = isset($_POST["terms"]);
if (!$termsAccepted) {
    $errors["terms"] = "You must accept the terms";
}

// Multiple checkboxes: an array
// <input type="checkbox" name="skills[]" value="PHP">
// <input type="checkbox" name="skills[]" value="MySQL">
$skills = $_POST["skills"] ?? [];
if (!is_array($skills)) {
    $skills = [];   // skills=PHP (a plain string) would make array_filter() throw a TypeError
}
// Whitelist with strict in_array: only exact strings from our list survive
$skills = array_values(array_filter($skills, fn($s) => in_array($s, ["PHP", "MySQL", "JS"], true)));

// Radio button: a single value, must come from the whitelist
$gender = $_POST["gender"] ?? "";
$validGenders = ["male", "female", "other"];
if (!in_array($gender, $validGenders, true)) {   // strict: also rejects gender[]=x
    $errors["gender"] = "Select a valid gender";
}

// Select dropdown: same rule. The option list in the HTML is not a control;
// the request body can contain any value at all
$city = $_POST["city"] ?? "";
$validCities = ["Delhi", "Mumbai", "Kolkata", "Chennai"];
if (!in_array($city, $validCities, true)) {
    $errors["city"] = "Select a valid city";
}

// Textarea: accept strings only, measure the length in characters
$message = is_string($_POST["message"] ?? null) ? trim($_POST["message"]) : "";
if (mb_strlen($message) > 1000) {
    $errors["message"] = "Message must not exceed 1000 characters";
}
```
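The pattern running through all of these fields is "read the value with the type the form promised, then whitelist". The following is an added example (my code, not the article's) that turns that into three reusable readers and runs them against a deliberately hostile submission, of the kind a tampered request body decodes to. The helper names field/choice/choices and both sample arrays are this example's own; PHP 8 is assumed.

```php
<?php
declare(strict_types=1);

// Added example, not from the original article. PHP turns naam[]=x into an array and
// skills=PHP into a string; most string functions throw a TypeError (HTTP 500) when
// handed an array, so each reader enforces the expected type first.

/** A scalar text field: arrays and other non-strings become "" rather than an exception. */
function field(array $post, string $name, int $maxLen = 255): string
{
    $v = $post[$name] ?? "";
    if (!is_string($v)) {
        return "";
    }
    $v = trim($v);
    $v = str_replace("\0", "", $v);   // NUL bytes terminate strings in C-based libraries and filesystems
    return mb_strlen($v, "UTF-8") > $maxLen ? mb_substr($v, 0, $maxLen, "UTF-8") : $v;
}

/** A single-choice field (radio/select): must be one of the allowed values, compared strictly. */
function choice(array $post, string $name, array $allowed): ?string
{
    $v = $post[$name] ?? null;
    return (is_string($v) && in_array($v, $allowed, true)) ? $v : null;
}

/** A multi-choice field (checkbox group): only allowed values survive, duplicates dropped. */
function choices(array $post, string $name, array $allowed): array
{
    $v = $post[$name] ?? [];
    if (!is_array($v)) {
        return [];
    }
    $kept = array_filter($v, fn($s) => is_string($s) && in_array($s, $allowed, true));
    return array_values(array_unique($kept));
}

// Constructed hostile submission:
$hostile = [
    "naam"    => ["drop", "table"],   // naam[]=drop&naam[]=table
    "gender"  => "male\0",            // trailing NUL: not identical to "male"
    "skills"  => "PHP",               // a string where an array was expected
    "message" => str_repeat("A", 5000),
];

var_dump(field($hostile, "naam"));                                   // empty string, no TypeError
var_dump(choice($hostile, "gender", ["male", "female", "other"]));   // null
var_dump(choices($hostile, "skills", ["PHP", "MySQL", "JS"]));       // empty array
var_dump(mb_strlen(field($hostile, "message", 1000)));               // capped at the limit

// Well-formed submission for comparison:
$good = ["naam" => "  Rahul  ", "gender" => "male", "skills" => ["PHP", "PHP", "JS", "Go"]];
var_dump(field($good, "naam"));                                      // trimmed name
var_dump(choice($good, "gender", ["male", "female", "other"]));      // the chosen value
var_dump(choices($good, "skills", ["PHP", "MySQL", "JS"]));          // PHP and JS; "Go" dropped, duplicate removed
```

The readers return a neutral value on bad input rather than throwing, which matters for two reasons: a 500 from a TypeError leaks that the field is processed by PHP string functions, and an uncaught exception can skip the rest of your validation chain.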
```php
<?php
class Validator {
    private array $errors = [];
    private array $data;

    public function __construct(array $data) {
        // trim strings only; nested arrays (checkbox groups) are left as they are
        $this->data = array_map(fn($v) => is_string($v) ? trim($v) : $v, $data);
    }

    // A field's value as a string; arrays and missing fields read as ""
    private function str(string $field): string {
        $v = $this->data[$field] ?? "";
        return is_string($v) ? $v : "";
    }

    public function required(string $field, string $label = ""): static {
        // === "" rather than empty(): empty("0") is true and would reject a legitimate "0"
        if ($this->str($field) === "") {
            $this->errors[$field] = ($label ?: $field) . " is required";
        }
        return $this;
    }

    public function minLength(string $field, int $min): static {
        // mb_strlen: characters, not bytes (matters for Devanagari names)
        if (!isset($this->errors[$field]) && mb_strlen($this->str($field)) < $min) {
            $this->errors[$field] = "Must be at least $min characters";
        }
        return $this;
    }

    public function email(string $field): static {
        if (!isset($this->errors[$field]) && !filter_var($this->str($field), FILTER_VALIDATE_EMAIL)) {
            $this->errors[$field] = "Enter a valid email";
        }
        return $this;
    }

    public function matches(string $field, string $other): static {
        if ($this->str($field) !== $this->str($other)) {
            $this->errors[$field] = "$field and $other do not match";
        }
        return $this;
    }

    public function passes(): bool  { return empty($this->errors); }
    public function fails(): bool   { return !empty($this->errors); }
    public function errors(): array { return $this->errors; }
}

// Usage: a clean fluent interface
$v = new Validator($_POST);
$v->required("naam", "Name")         ->minLength("naam", 3)
  ->required("email", "Email")       ->email("email")
  ->required("password", "Password") ->minLength("password", 8)
  ->matches("password", "confirm_password");

if ($v->fails()) {
    print_r($v->errors());
} else {
    echo "✅ Valid, register the user!";
}
```
```php
<?php
// Helpers from other parts of the course are assumed: generateCSRFToken() (above),
// getDB() and registerUser() (Ch.14, PDO), setFlash() (sessions chapter)
session_start();
$errors  = [];
$success = false;
$old     = []; // old input, used to refill the form on error

// Read a text field; anything that is not a string (e.g. naam[]=x) becomes ""
$str = fn(string $key): string => is_string($_POST[$key] ?? null) ? trim($_POST[$key]) : "";

if ($_SERVER["REQUEST_METHOD"] === "POST") {
    // CSRF check. Both sides must be non-empty: hash_equals("", "") is true, so a session
    // without a token would otherwise accept a request with an empty csrf_token field
    $sessionToken = $_SESSION["csrf_token"] ?? "";
    $postedToken  = $str("csrf_token");
    if ($sessionToken === "" || $postedToken === "" || !hash_equals($sessionToken, $postedToken)) {
        http_response_code(403);
        exit("❌ CSRF token invalid");
    }

    // Normalise input
    $naam     = ucwords(strtolower($str("naam")));
    $email    = strtolower($str("email"));
    $mobile   = preg_replace("/[^0-9]/", "", $str("mobile"));
    $password = is_string($_POST["password"] ?? null) ? $_POST["password"] : "";   // never trimmed
    $confirm  = is_string($_POST["confirm"] ?? null)  ? $_POST["confirm"]  : "";
    $old = compact("naam", "email", "mobile");   // passwords are never echoed back

    // Validate
    if (mb_strlen($naam) < 3)                      $errors["naam"]     = "Name must be at least 3 characters";
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) $errors["email"]    = "Enter a valid email";
    if (!preg_match("/^[6-9]\d{9}$/", $mobile))    $errors["mobile"]   = "Enter a valid mobile number";
    if (strlen($password) < 8)                     $errors["password"] = "Password must be 8+ characters";
    if ($password !== $confirm)                    $errors["confirm"]  = "Passwords do not match";

    if (empty($errors)) {
        // Save to the DB (Ch.14 PDO). registerUser() must store
        // password_hash($password, PASSWORD_DEFAULT), never the plaintext
        $result = registerUser(getDB(), $naam, $email, $password);
        if ($result["success"]) {
            unset($_SESSION["csrf_token"]);   // one-time token
            setFlash("success", "✅ Registration successful!");
            header("Location: login.php");
            exit;
        } else {
            $errors["email"] = "Email already registered";
        }
    }
}
?>
<!-- HTML form -->
<form method="POST">
    <input type="hidden" name="csrf_token" value="<?= generateCSRFToken() ?>">
    <input type="text" name="naam"
           value="<?= htmlspecialchars($old["naam"] ?? "", ENT_QUOTES, "UTF-8") ?>">
    <?php if (isset($errors["naam"])) echo "<span class='error'>{$errors['naam']}</span>"; ?>
    <input type="email" name="email"
           value="<?= htmlspecialchars($old["email"] ?? "", ENT_QUOTES, "UTF-8") ?>">
    <?php if (isset($errors["email"])) echo "<span class='error'>{$errors['email']}</span>"; ?>
    <input type="tel" name="mobile"
           value="<?= htmlspecialchars($old["mobile"] ?? "", ENT_QUOTES, "UTF-8") ?>">
    <?php if (isset($errors["mobile"])) echo "<span class='error'>{$errors['mobile']}</span>"; ?>
    <input type="password" name="password">
    <input type="password" name="confirm">
    <button type="submit">Register</button>
</form>
```
Form handling is the most important part of PHP web development. Treat every user input as suspect: sanitize, validate, then process.
Never trust user input: always validate $_POST/$_GET, and escape on output.
Sanitize = clean (trim, strip_tags). Validate = check (filter_var, preg_match). Escape = encode for the output context (htmlspecialchars for HTML).
CSRF token in every state-changing form. Compare with hash_equals(), and reject an empty or missing token before comparing.
$_REQUEST: do not use it. Read $_POST or $_GET explicitly, so a URL parameter cannot stand in for a form field.
Old values: refill the form on error for a user-friendly experience.
Validator class: reusable, fluent interface. Whitelist validation for select/radio/checkbox.