PHP Form Validation

Form validation is one of the major parts of web development in PHP. A PHP form is vulnerable to several threats, especially during the submission. If the forms are not submitted securely then unwanted viruses and malware can harm the PHP host server and database.

Read Also: PHP Form Handling

Form Validation in PHP

The Required field will check whether the field is filled or not in the proper way. In most cases, we will use the * symbol for the required field.

Pictorial representation


What is Validation?

Validation checks if the information submitted by the user complies with the requirements specified in the form and is correct. There are two types of validation:

  •      Client-Side validation− The client-side validation is performed on the client machine web browsers.
  •      Server-Side validationAfter submitting the data, it is sent to a server and where it undergoes another round of validation by the server machine.
FieldValidation Rules
NameRequired. + Must only contain letters and whitespace
E-mailRequired. + Must contain a valid email address (with @ and .)
WebsiteOptional. If present, it must contain a valid URL
CommentOptional. Multi-line input field (text area)
GenderRequired. Must select one anyone but not multiple
RadioMust be selectable at least once
CheckBoxMust be checkable at least once
Drop-Down menuMust be selectable at least once

An HTML form contains many input fields such as text box, checkbox, radio buttons, submit button, and checklist. The input fields need to be validated, which specifies that the user has entered information in all the required fields that are valid and correct.

General Form Validations in PHP

The details provided by the user don’t need to be always correct. PHP validates the data which is submitted by HTML form. We need to validate a few things on the server-side:

  1. Empty String
  2. Validate String
  3. Validate Numbers
  4. Validate Email
  5. Validate URL
  6. Input length

Empty String

The block of code below checks that the field is not empty. If the user skips the required field empty, it will generate an error message.

if ( empty ($_POST["name"])){

    $errMsg = "Error! You didn't enter the Name.";

    echo $errMsg;


    $name = $_POST["name"];


Validate String

The block of code below checks if the input field contains only alphabets and whitespace. If the name field does not get the valid input from the user, then it will generate an error message

$name = $_POST ["Name"];

if (!preg_match ("/^[a-zA-z]*$/", $name) ){

    $ErrMsg = "Only alphabets and whitespace are allowed.";

    echo $ErrMsg;


    echo $name;


Validate Number

The block of code below validates that the field will only contain a numeric value. If the Mobile no doesn’t receive numeric data from the user, the code will generate an error message:

$mobileno = $_POST ["Mobile_no"];

if (!preg_match ("/^[0-9]*$/", $mobileno) ){

    $ErrMsg = "Only numeric value is allowed.";

    echo $ErrMsg;


    echo $mobileno;


Validate Email

The valid email must contain @ &. Symbols. PHP provides various methods to validate the email address. Now we will use regular expressions to validate the email address.

The below block of code validates the email address. If the email is not valid, then the code will generate an error message:

$email = $_POST ["Email"];

$pattern = "^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$^";

if (!preg_match ($pattern, $email) ){

    $ErrMsg = "Email is not valid.";

    echo $ErrMsg;


    echo "Your valid email address is: " .$email;


Input Length Validation

The input length validation allows the user to provide the value between the specified range. For example, a valid mobile number must have ten digits.

$mobileno = strlen ($_POST ["Mobile"]);

$length = strlen ($mobileno);

if ( $length < 10 && $length > 10){

    $ErrMsg = "Mobile must have 10 digits.";

    echo $ErrMsg;


    echo "Your Mobile number is: " .$mobileno;


Validate URL

The below block of code validates the URL of the website. If the URL is not valid, it will generate an error message.

$websiteURL = $_POST["website"];

if (!preg_match("/\b(?:(?:https?|ftp):\/\/|www\.)[-a-z0-9+&@#\/%?=~_|!:,.;]*[-a-z0-9+&@#\/%=~_|]/i",$website)){

    $websiteErr = "URL is not valid";

    echo $websiteErr;


    echo "Website URL is: " .$websiteURL;


Button Click Validate

The below block of code validates that the user clicks on the submit button and sends the form data to the server using one of the following methods – GET or POST.

if (isset ($_POST['submit']){

    echo "Submit button is clicked.";

    if ($_SERVER["REQUEST_METHOD"] == "POST"){

        echo "Data is sent using POST method ";



    echo "Data is not submitted";


Now we will apply all these validations to an HTML form to validate the fields.

Simple PHP Registration Form Validation

<!DOCTYPE html>		




.error {color: #FF0001;}		





// define variables to empty values		

$nameErr = $emailErr = $mobilenoErr = $genderErr = $websiteErr = $hobbyErr = "";		

$name = $email = $mobileno = $gender = $website = $hobby = "";		

//Input fields validation		


	//String Validation		

	if (empty($_POST["name"])){		
	    $nameErr = "Name is required";		
	} else {		
	    $name = input_data($_POST["name"]);		

		 	 // check if name only contains letters and whitespace		

		 	 if (!preg_match("/^[a-zA-Z ]*$/",$name)) { 
	        $nameErr = "Only alphabets and white space are allowed";		
	//Email Validation	 	
	if (empty($_POST["email"])) {		
	   $emailErr = "Email is required";		
	} else {
	   $email = input_data($_POST["email"]);		

		 	 // check that the e-mail address is well-formed		

		 	 if (!filter_var($email, FILTER_VALIDATE_EMAIL)) { 
	        $emailErr = "Invalid email format";		


	//Number Validation		
	if (empty($_POST["mobileno"])) {
	   	$mobilenoErr = "Mobile no is required";		
	} else {
	    $mobileno = input_data($_POST["mobileno"]);	
		   // check if mobile no is well-formed		
	    if (!preg_match ("/^[0-9]*$/", $mobileno) ) { 
	        $mobilenoErr = "Only numeric value is allowed.";		

	    //check mobile no length should not be less and greater than 10		

		 		if (strlen ($mobileno) != 10) {		

		 		    $mobilenoErr = "Mobile no must contain 10 digits.";		



	//URL Validation	 	 		

	if (empty($_POST["website"])){

 		$website = "";		


		$website = input_data($_POST["website"]);	

		// check if URL address syntax is valid		

		if (!preg_match("/\b(?:(?:https?|ftp):\/\/|www\.)[-a-z0-9+&@#\/%?=~_|!:,.;]*[-a-z0-9+&@#\/%=~_|]/i",$website)){

		 	$websiteErr = "Invalid URL";


	//Empty Field Validation		

	if (empty ($_POST["gender"])){

		$genderErr = "Gender is required";		


		$gender = input_data($_POST["gender"]);		


	//Checkbox Validation		

	if (!isset($_POST['hobbies'])){		

		$hobbyErr = "You must select hobby.";		


		$hobby = input_data($_POST["hobbies"]);	



function input_data($data){

	$data = trim($data);		

	$data = stripslashes($data);		

	$data = htmlspecialchars($data);		

	return $data;



<h2>Registration Form</h2>		

<span class = "error">* required field </span>		


<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>" >	 		


	<input type="text" name="name">		

	<span class="error">* <?php echo $nameErr; ?> </span>	



	<input type="text" name="email">		

	<span class="error">* <?php echo $emailErr; ?> </span>	


	Mobile No:		

	<input type="text" name="mobileno">		

	<span class="error">* <?php echo $mobilenoErr; ?> </span>	



	<input type="text" name="website">		

	<span class="error"><?php echo $websiteErr; ?> </span>		



	<input type="radio" name="gender" value="male"> Male		

	<input type="radio" name="gender" value="female"> Female		

	<input type="radio" name="gender" value="other"> Other		

	<span class="error">* <?php echo $genderErr; ?> </span>	



	<input type="checkbox" name="hobbies" value="Reading"> Reading	

	<input type="checkbox" name="hobbies" value="Writing"> Writing	

	<input type="checkbox" name="hobbies" value="Playing"> Playing	

	<span class="error">* <?php echo $hobbyErr; ?> </span>	


	<input type="submit" name="submit" value="Submit">




	if(isset($_POST['submit']))	{

		if($nameErr == "" && $emailErr == "" && $mobilenoErr == "" && $genderErr == "" && $websiteErr == "" && $hobbyErr == ""){

			echo "<h3 color = #FF0001> <b>You have sucessfully registered.</b> </h3>";		

			echo "<h2>Your Input:</h2>";		

			echo "Name: " .$name;		

			echo "<br>";		

			echo "Email: " .$email;		

			echo "<br>";		

			echo "Mobile No: " .$mobileno;		

			echo "<br>";		

			echo "Website: " .$website;		

			echo "<br>";		

			echo "Gender: " .$gender;		

			echo "<br>";	

			echo "Hobby: " .$hobby;
		} else {		

			echo "<h3> <b>You didn't filled up the form correctly.</b> </h3>";		







Registration form before submission

Registration form

Registration form after submission

Registration Form output

Read More: Required Fields in PHP Form


Form validation is important to prevent malicious users from abusing web forms. Improper form validation can lead to multiple threats and vulnerabilities of the network. Attacks like Cross-site scripting or SQL injection become common. Therefore, having a clear understanding of how to validate a form is essential. 

We hope you have been able to understand the article. If you want to understand the other concepts of PHP programming, do refer to the PHP Tutorial and PHP MySQL sections. Happy Learning 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *