Sunday, April 12, 2015

Validation and error handling points

I have been writing a form today to send off emails with a PHP back-end. All day I have been dealing with validation and trying to cover all the bases (so all your bases remain belonging to YOU).

Things to keep in mind when validating data.

  1. Presence - if the field is mandatory, validate that it has a value.
    1. Always give some visual way of marking a field as mandatory.
  2. Size - check the size of the input i.e. that it is less than a certain number of characters.
    1. Do this for all values, whether they are coming from an input, text area, checkbox or radio button. One way a site can be attacked is for a malicious sender to ignore your HTML form and POST their own massive values.
  3. Escape and sanitise data before you use it, to prevent cross-site scripting or SQL injection attacks. Do this before you:
    1. Save to a DB.
    2. Output back to HTML.
    3. Write to a file.
    4. Send to an email.
    5. Send it to another part of your back-end for further processing.
  4. Type - check that an input is an integer, double or boolean as required.
  5. Format - check that input matches a required format, like a phone number or email etc.
    1. Can be helped by using input masks, but you still need to validate that the data you received matches the mask on the server side.
  6. Value - check input against your own business logic. For example:
    1. Is the number within a given range?
    2. Does the string match an element in a known list of choices?
  7. Related - apply any validation that requires examining multiple fields. For example, if country, state and postcode are given, make sure that they are a valid combination.
  8. Server side first.
    1. Client side validation is often easier, but server side validation is more important because JavaScript can be disabled or ignored completely if a malicious sender simply POSTs their own requests.
    2. Consider how to return errors in such a way that they can be easily communicated back to the user on the interface.
  9. Client side second.
    1. While server side is more important, client side validation makes for a faster and more responsive user experience because you can point out errors before the user ever hits SEND.
    2. Consider things such as how to present errors to users and how to mark things like dynamic business rules (where field A is only mandatory if field B is given a value).
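One way to work through this checklist on the server side, as an added example written for this post (not the author's own code): a PHP validator for a constructed contact form that returns field-keyed errors the interface can display. The field names, length limits and subject list are assumptions, and the related-fields check (item 7) is left out because it needs a lookup table the post does not have.

```php
<?php
declare(strict_types=1);

// Assumed limits and choice list for a constructed contact form (not from the post).
const MAX_LEN  = ['name' => 100, 'email' => 254, 'subject' => 20, 'message' => 2000];
const SUBJECTS = ['support', 'sales', 'feedback'];

// Server-side validation: returns field-keyed errors so the interface can show them.
function validateContactForm(array $post): array
{
    $errors = [];
    $clean  = [];
    foreach (MAX_LEN as $field => $max) {
        // Anything that is not a plain string (missing key, array) counts as absent.
        $value = isset($post[$field]) && is_string($post[$field]) ? trim($post[$field]) : '';
        if ($value === '') {                       // 1. Presence (all fields mandatory here)
            $errors[$field] = 'This field is required.';
        } elseif (mb_strlen($value) > $max) {      // 2. Size, for every field regardless of control
            $errors[$field] = "Must be at most $max characters.";
        } elseif ($field !== 'message' && preg_match('/[\r\n]/', $value)) {
            // 3. Before sending to email: values that end up in mail headers must not contain line breaks.
            $errors[$field] = 'Line breaks are not allowed.';
        } else {
            $clean[$field] = $value;
        }
    }
    // 5. Format: checked on the server even if the page used an input mask.
    if (isset($clean['email']) && filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Not a valid email address.';
    }
    // 6. Value: the subject must be one of the choices the form actually offers.
    if (isset($clean['subject']) && !in_array($clean['subject'], SUBJECTS, true)) {
        $errors['subject'] = 'Unknown subject.';
    }
    return ['ok' => $errors === [], 'errors' => $errors, 'clean' => $clean];
}

// 3. Escape for the context the value is used in: here, HTML output back to the user.
function h(string $s): string { return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8'); }

// Constructed request standing in for $_POST; the name carries a line break and is rejected.
$result = validateContactForm([
    'name' => "Ann\r\nSmith", 'email' => 'ann@example.com',
    'subject' => 'sales', 'message' => 'Hello <b>there</b>',
]);
foreach ($result['errors'] as $field => $msg) {
    echo '<p class="error" data-field="' . h($field) . '">' . h($msg) . "</p>\n";
}
```

The client-side script can consume the same `errors` array (for example as JSON) so that both layers report identical messages for a given field.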