Ajax and PHP Based Input Filter

This is an example web page. It shows how you can validate input on every character users type. Each incorrect character produces an error message that goes away as soon as valid characters are typed. The two other main ways to deal with filtering and validation are giving error messages after the entire input is done, which forces users to retype their input, and filtering out invalid characters so that their input is secure and accurate according to your rules. With filtering, users won't get to see their final input if they've typed wrong characters (they'll have the impression their input was accepted as is), although there is no reason you cannot warn them about your filtering. Anyway, there's something to be said for instant feedback.

The reason we created this page is to show the code involved in this type of validation. When you type, the onkeyup event runs the Ajax prompt() script, which takes the input box's current value and uses xmlhttp (an XMLHttpRequest object) to send it as a query string from your browser to the ajax-and-php-input-filter.php script on the server. There it gets saved as $final, but only the string's last character is analyzed. If the latest character is invalid, you get a message reminding you of the valid characters. This gives you the opportunity to Backspace to dump the bad entry. If you choose to leave it, that's okay too, in THIS script. The $final string represents what's in the box, with only warning filters applied, not deletion filters. Because only the last character is checked, text that is pasted in or edited mid-string is never examined, so the warning is feedback for the user, not a security control.

It would be easy to wait until the Submit button was clicked and run $final=preg_replace("/[^a-zA-Z0-9\\s\\_]/", "", $final) so the bad characters are filtered out. There's no Submit button here since our point is to illustrate the use of Ajax and PHP to filter/validate via warnings. In a real website, you will surely want to add the preg_replace() function to clean their input. The main rule of input validation, because of security issues, is to suspect ALL input!

Type input. Rule: only alphanumerics, space and underscore are OK.



The relevant code on this page:

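<script type="text/javascript">
function prompt(str){
if (str.length==0){document.getElementById("prompt").innerHTML="";return;}
var xmlhttp;
if (window.XMLHttpRequest){// code for IE7+, Firefox, Chrome, Opera, Safari
xmlhttp=new XMLHttpRequest();
}else{// code for IE6, IE5
xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");}
xmlhttp.onreadystatechange=function(){// show the server's warning (or clear it) when the reply arrives
if (xmlhttp.readyState==4 && xmlhttp.status==200){
document.getElementById("prompt").innerHTML=xmlhttp.responseText;}};
// "q" is an assumed parameter name (the page does not show it); encodeURIComponent keeps &, #, + and spaces intact
xmlhttp.open("GET","ajax-and-php-input-filter.php?q="+encodeURIComponent(str),true);
xmlhttp.send();}
</script>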

<div class='k'><p><b>Type input. Rule: only alphanumerics, space and underscore are OK.</b></p>
Insult: <input type="text" onkeyup="prompt(this.value)" size="20" />
<p>Prompt: <span id="prompt"></span></p></div>

The ajax-and-php-input-filter.php file:


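<?php
$final=isset($_GET["q"]) ? $_GET["q"] : ""; // "q" is an assumed parameter name; the page does not show it
$z=$final; $prompt=""; // $prompt starts empty so a valid character clears the message
if (strlen($z) > 0){$z=substr($z,-1); // keep only the last character typed
if(preg_match('/[^a-zA-Z0-9\\s\\_]/', $z)){$prompt="Please enter only letters, numbers, underscores, or spaces.";}
echo $prompt;}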
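
The last-character warning next to a whole-string check for submit time, as an added example (not code from the original page). The function names and sample inputs are made up for illustration; the character class is the page's own.

```php
<?php
// Added example: function names are hypothetical, samples are constructed.

// The page's per-keystroke check: only the last character is examined.
function last_char_warning(string $final): string {
    if ($final === '') { return ''; }
    $z = substr($final, -1);
    return preg_match('/[^a-zA-Z0-9\s_]/', $z)
        ? 'Please enter only letters, numbers, underscores, or spaces.'
        : '';
}

// Submit-time check: the whole value must match the allowlist.
// \A and \z anchor the pattern to the start and end of the string.
function is_valid_input(string $final): bool {
    return preg_match('/\A[a-zA-Z0-9\s_]+\z/', $final) === 1;
}

// Submit-time filter: the preg_replace() call the page recommends.
function clean_input(string $final): string {
    return preg_replace('/[^a-zA-Z0-9\s_]/', '', $final);
}

// Constructed sample inputs: typed text, a bad last character,
// pasted markup ending in a valid character, and a tab.
$samples = ['hello world_1', 'bad!', '<i>pasted text', "tab\tok"];

foreach ($samples as $s) {
    printf(
        "%-18s warning=%-3s valid=%-3s cleaned=%s\n",
        json_encode($s),
        last_char_warning($s) === '' ? 'no' : 'yes',
        is_valid_input($s) ? 'yes' : 'no',
        json_encode(clean_input($s))
    );
}
```

The pasted sample gets no warning because its last character is valid, yet it fails the whole-string check. The tab sample passes both, since \s matches tabs and newlines as well as spaces.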