• If you are using PHP to handle form input data - and let's face it, you probably will do some day if you are not already - make sure you do not make any assumptions about the reliability of the data. Remember, it came from users, and we do not trust users, now, do we?

  • If you are inserting form data into your database, make sure you pass it through mysqli_real_escape_string() first..

  • While client-side validation is a nice addition, you must not rely upon it to produce validated data as it can easily be disabled.

  • Users already have a hard enough time before they get in contact with your forms, so do not make them more complicated than they need to be. Split forms across pages if possible, keep selections to a minimum, lay options out neatly using HTML tables, and mark required fields clearly.


Want to learn PHP 7?

Hacking with PHP has been fully updated for PHP 7, and is now available as a downloadable PDF. Get over 1200 pages of hands-on PHP learning today!

If this was helpful, please take a moment to tell others about Hacking with PHP by tweeting about it!

Next chapter: Exercises >>

Previous chapter: Form design

Jump to:


Home: Table of Contents

Copyright ©2015 Paul Hudson. Follow me: @twostraws.