I've been doing a lot of thinking on form validation recently. Among other
things, I want to be using a standard set of tools for validating form input
at work; I'm also rewriting the family website in PHP, and want to have
consistency there as well. Finally, I truly buy into Chris Shiflett's top two security practices:
filter input, escape output. Validation should always be done, and should be
done rigorously; don't allow anything more than is necessary to get the work
done.

I flirted briefly in the past month with HTML_QuickForm.
To me, as an observer on the CGI::Application mailing lists, HQF looks like
PHP's answer to Perl's Data::FormValidator.
HQF has a high frequency of posts on the php-pear-general lists. A lot of
people seem happy with it. I decided to try it out as an example plugin for
Cgiapp for the latest release.

My problem is that I want to be able to define form validation in a file
outside my script. The reason for this is that as I extend and reuse
classes, I often find that I can use the same general run-modes for a
method... just so long as the form validation logic is separate. This allows
me, for instance, to decide that in one application instance I will require
fields A-M, but in another, I only need A-E (or vice versa). But it requires
no changes to the actual application logic, as the validations are kept
separately, and I have the application instance indicate which validation
file to utilize.
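
The arrangement described above, sketched as an added example (not code from the original post, Cgiapp or HTML_QuickForm): one validation routine, two interchangeable profiles, and any input the profile does not name is reported instead of accepted. The function, profile and field names are hypothetical, and the sample input is constructed.

```php
<?php
// Added illustration; validate_form(), the profile names and field names are hypothetical.
// Each profile would normally sit in its own file ending in `return [...];` and be
// loaded with `require`; they are inlined here so the example runs stand-alone.
$rules = [
    'name'  => '/^[\p{L} .\'-]{1,64}$/u',
    'email' => fn($v) => filter_var($v, FILTER_VALIDATE_EMAIL) !== false,
    'zip'   => '/^\d{5}$/',
];
$profiles = [
    'signup_full'  => ['required' => ['name', 'email', 'zip'], 'optional' => [], 'constraints' => $rules],
    'signup_short' => ['required' => ['name', 'email'], 'optional' => ['zip'], 'constraints' => $rules],
];

function validate_form(array $profile, array $input): array
{
    $result  = ['valid' => [], 'missing' => [], 'invalid' => [], 'unknown' => []];
    $allowed = array_merge($profile['required'], $profile['optional'] ?? []);
    // Fields the profile does not name are reported and never reach 'valid'.
    $result['unknown'] = array_values(array_diff(array_keys($input), $allowed));

    foreach ($allowed as $field) {
        $value = $input[$field] ?? '';
        // Non-string input (e.g. name[]=x arriving as an array) becomes null and fails below.
        $value = is_string($value) ? trim($value) : null;
        if ($value === '') {
            if (in_array($field, $profile['required'], true)) {
                $result['missing'][] = $field;
            }
            continue;
        }
        // Fail closed: a field without a rule is treated as invalid.
        $rule = $profile['constraints'][$field] ?? null;
        $ok = $value !== null && $rule !== null
            && ($rule instanceof Closure ? $rule($value) : preg_match($rule, $value) === 1);
        if ($ok) {
            $result['valid'][$field] = $value;
        } else {
            $result['invalid'][] = $field;
        }
    }
    return $result;
}

// Constructed sample submission: empty zip plus a field no profile asks for.
$input = ['name' => 'Ada Lovelace', 'email' => 'ada@example.org', 'zip' => '', 'is_admin' => '1'];
foreach (['signup_full', 'signup_short'] as $name) {
    echo $name, ': ', json_encode(validate_form($profiles[$name], $input)), "\n";
}
```

The application logic reads only the `valid` entries, so switching profiles changes which fields are required without touching that logic.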