Skip to content

Validation

This document contains examples of Formr's form validation methods and rules.

Retrieving Form Input

validate

The easiest, and most basic way to validate a form. Simply add a comma separated list of your form's labels and Formr will grab all of the form data, perform basic sanitization on it, validate it according to your rules, and put the values into an array.

The only parameter accepts a comma delimited string of form labels and their associated validation rules, wrapped in parentheses, and is required.

Retrieve the form's values

$data = $form->validate('Name, Email Address, Comments, Age');

$name = $data['name'];
$email = $data['email_address'];
$comments = $data['comments'];
$age = $data['age'];

Warning

Notice how our label is named Email Address and our form field is named email_address? This is because Formr will take any spaces in the labels and convert them to an underscore.

In order to perform validation, just add your rules in parentheses after the label. If a label contains the word email, a valid_email validation rule will automatically be applied.

Validate the form's values

$data = $form->validate('Name(min[2]|max[32]), Email Address, Comments, Age(greater_than[17])');

Tip

You can add as many validation rules as you like by separating each rule with a pipe | character.

fastpost

This method works in conjunction with fastform() and is covered in detail on the FastForm Examples page.

post

This method processes and validates form input based upon a series of chained rules, and allows for the most control over your validation.

  1. The required first parameter contains the field name.
  2. The optional second parameter contains human readable text for messages.
  3. The optional third parameter contains the validation rules.

Info

The second parameter will be used for error messages if that field fails validation. It can optionally contain a custom error message string that will be shown if the field is required, yet left empty when submitted.

Info

The form data is passed through PHP's trim() and strip_tags() functions for basic sanitation. If you want to allow HTML in your forms, just add allow_html as a validation rule and only trim() will be applied to the input.

Process form input and assign to variables

$name = $form->post('name');
$email = $form->post('email');

Password is no less than 6 characters and no more than 20

$password = $form->post('password','Password','min[6]|max[20]');

Make sure 'password_conf' matches 'password'

$password_conf = $form->post('password_conf','Password Confirm','matches[password]');

You can assign a human readable version of the field name in the second parameter for better error messages.

Make sure we get a valid email address

$email = $form->post('email','Email','valid_email');

You can create custom error message by adding a pipe character after the name of the form field.

Create a custom error message string

$email = $form->post('email','Email|Please enter your email address','valid_email');

reCAPTCHA

Formr supports Google reCAPTCHA v3, in which no user input is required. Instead Google calculates a score, and if the validation score falls below a certain value (default is 0.5) the validation fails and the form stops processing.

Setting up reCAPTCHA is really easy. First thing you need to do is head over to the reCAPTCHA v3 page and request your keys.

Warning

Make sure you select the reCAPTCHA v3 for the reCAPTCHA type!

Next, add those keys to Formr using the recaptcha_secret_key and recaptcha_site_key properties. You can also change the default score value with the recaptcha_score property.

After that add the $form->recaptcha_head() method to the <head> section of your document, and the $form->recaptcha_body() method right before the closing </body> tag (or anywhere you want to place your JavaScript).

Finally, check if the reCAPTCHA validation passed, or failed, using the recaptcha_passed() method after the form has been submitted.

Adding reCAPTCHA

<!DOCTYPE html>
<?php
    require 'Formr/class.formr.php';
    $form = new Formr\Formr();
    $form->recaptcha_site_key = 'YOUR-SITE-KEY';
    $form->recaptcha_secret_key = 'YOUR-SECRET-KEY';

    if ($form->submitted())
    {
        if (! $form->recaptcha_passed()) {
            $form->error_message('reCAPTCHA Failed');
        }
    }
?>
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Formr reCAPTCHA v3</title>
    <?= $form->recaptcha_head() ?>
</head>
<body>
    <?php
       $form->messages();

       // build your form
       $form->create_form('Name,Email,Comments|textarea');

       // add the reCAPTCHA JavaScript
       $form->recaptcha_body();
    ?>
</body>
</html>

Use cURL for Validation

By default, Formr will use file_get_contents() for verification with Google's servers. You can use cURL instead by setting the recaptcha_use_curl property to TRUE.

$form->recaptcha_use_curl = true;

Validation Rules

The following table contains all validation rules.

Rule/Alias Parameter? Description Example
after No Checks if the given date is after the current date using server time. The form input field must be formatted as YYYY-MM-DD.
allow_html, html No Allows HTML, script tags, etc. Nullifies all other string rules. Use with caution!
alpha No Returns FALSE if the given string contains anything other than alphabetical characters.
alpha_dash, ad No Returns FALSE if the given string contains anything other than alpha-numeric characters, underscores or dashes.
alpha_numeric, an No Returns FALSE if the given string contains anything other than alpha-numeric characters.
before No Checks if the given date is before the current date using server time. The form input field must be formatted as YYYY-MM-DD.
exact_length, exact, el Yes Returns FALSE if the given string is not exactly the parameter value. exact[8]
greater_than, gt Yes Returns FALSE if the given string is less than the parameter value, or is not numeric. gt[8]
greater_than_or_equal, gte Yes Returns FALSE if the given string is less than or equal to the parameter value, or is not numeric. gte[8]
hash No Returns an encrypted string using the password_hash function.
integer, int No Returns FALSE if the given string contains anything other than an integer.
less_than, lt Yes Returns FALSE if the given string is greater than the parameter value or not numeric. lt[8]
less_than_or_equal, lte Yes Returns FALSE if the given string is greater than or equal to the parameter value, or is not numeric. lte[8]
matches Yes Returns FALSE if the given string does not match the one in the parameter. matches[field_name]
max_length, max, ml Yes Returns FALSE if the given string is longer than the parameter value. max[12]
min_length, min Yes Returns FALSE if the given string is shorter than the parameter value. min[6]
md5 No Returns an md5 encrypted string.
not_regex Yes Does not match a user-defined regex. not_regex[/^\d+$/]
numeric No Returns FALSE if the given string contains anything other than numeric characters.
regex Yes Matches a user-defined regex. regex[/[^0-9]/]
required No Returns FALSE if the field is empty.
sha1 No Returns an sha1 encrypted string.
sanitize_email No Passes result through the FILTER_SANITIZE_EMAIL function.
sanitize_int No Passes result through the FILTER_SANITIZE_NUMBER_INT function.
sanitize_string No Passes result through the strip_tags() function.
sanitize_url No Passes result through the FILTER_SANITIZE_URL function.
slug No Creates a Twitter-style username string containing only letters, numbers and underscores.
strip_numeric No Strips out everything but numbers.
valid_email, email No Returns FALSE if the supplied string does not contain a valid email address.
valid_ip, ip No Returns FALSE if the supplied string is not a valid IP address.
valid_url, url No Returns FALSE if the supplied string is not formatted as a URL.