Never trust client-side validation alone. Server-side validation is authoritative—bots bypass JavaScript.
Validation checklist
- Read input from the correct superglobal
- Normalize (trim strings, cast numbers)
- Validate format and business rules
- Collect errors per field
- Re-render form with errors or process on success
Example rules
- Required fields present and non-empty after trim
- Email, URL, int ranges via filter_var
- Enum-like values whitelisted (in_array($role, ['user','admin'], true))
- CSRF token on state-changing POST (frameworks provide helpers)
Error array pattern
$email = filter_var(trim($_POST['email'] ?? ''), FILTER_VALIDATE_EMAIL);
$errors = [];
// filter_var() returns false on failure (never null or ''), so compare strictly.
if ($email === false) {
    $errors['email'] = 'Invalid email address.';
}
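The checklist, the example rules and the error array pattern above combined into one complete server-side validation pass. This is an added example, not code from the original notes: the function name validate_signup(), the field names, the role whitelist and the constructed $fakePost array standing in for $_POST are all assumptions.

```php
<?php
// Added example (not from the original notes): a full server-side validation
// pass for a hypothetical "create account" form. validate_signup(), the field
// names and the $fakePost array are assumptions made for illustration.
declare(strict_types=1);

const ALLOWED_ROLES = ['user', 'admin'];

/**
 * Validate the raw request array (normally $_POST) and return
 * ['data' => normalized values, 'errors' => field => message].
 * Every check runs here on the server; browser-side checks are only a
 * convenience for the user and are never relied on.
 */
function validate_signup(array $input, string $expectedCsrfToken): array
{
    $errors = [];
    $data   = [];

    // 1. CSRF token on a state-changing POST. hash_equals() compares in
    //    constant time, so the check does not leak the token via timing.
    $token = (string)($input['csrf_token'] ?? '');
    if ($token === '' || !hash_equals($expectedCsrfToken, $token)) {
        $errors['csrf_token'] = 'Invalid or missing form token.';
    }

    // 2. Required text field: normalize (trim) before the emptiness check,
    //    then apply a business rule (maximum byte length).
    $name = trim((string)($input['name'] ?? ''));
    if ($name === '') {
        $errors['name'] = 'Name is required.';
    } elseif (strlen($name) > 100) {
        $errors['name'] = 'Name must be 100 bytes or fewer.';
    }
    $data['name'] = $name;

    // 3. Email via filter_var; it returns false on failure, so compare with ===.
    $email = filter_var(trim((string)($input['email'] ?? '')), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors['email'] = 'Invalid email address.';
    }
    $data['email'] = $email;

    // 4. Optional URL: empty is allowed, anything non-empty must parse as a URL.
    $website = trim((string)($input['website'] ?? ''));
    if ($website !== '' && filter_var($website, FILTER_VALIDATE_URL) === false) {
        $errors['website'] = 'Website must be a valid URL.';
    }
    $data['website'] = $website;

    // 5. Integer in a range: FILTER_VALIDATE_INT with min/max rejects
    //    "12abc", "1e3" and out-of-range values in a single call and
    //    returns a real int on success (the "cast numbers" step).
    $age = filter_var($input['age'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 13, 'max_range' => 120]]);
    if ($age === false) {
        $errors['age'] = 'Age must be a whole number between 13 and 120.';
    }
    $data['age'] = $age;

    // 6. Enum-like value: whitelist with strict in_array(). The third
    //    argument matters; a loose comparison can match unintended values.
    $role = (string)($input['role'] ?? '');
    if (!in_array($role, ALLOWED_ROLES, true)) {
        $errors['role'] = 'Unknown role.';
    }
    $data['role'] = $role;

    return ['data' => $data, 'errors' => $errors];
}

// Constructed sample request standing in for $_POST (not real traffic).
$fakePost = [
    'csrf_token' => 'session-token-123',
    'name'       => '  Ada  ',
    'email'      => 'not-an-email',
    'website'    => '',
    'age'        => '12abc',
    'role'       => 'superuser',
];

$result = validate_signup($fakePost, 'session-token-123');

if ($result['errors'] !== []) {
    // Re-render the form: escape every field name and message for HTML output
    // so an error message can never become an injection point.
    foreach ($result['errors'] as $field => $message) {
        printf("%s: %s\n", htmlspecialchars($field, ENT_QUOTES, 'UTF-8'),
                           htmlspecialchars($message, ENT_QUOTES, 'UTF-8'));
    }
    // With the sample above: email, age and role fail; name passes after trim.
} else {
    // Process the normalized $result['data'] (insert the user, etc.).
    echo "ok\n";
}
```

The function returns both the normalized data and the per-field error map so the caller can re-render the form with all problems at once; keeping validation in one function that takes the input array as a parameter (rather than reading $_POST directly) also makes it unit-testable without a web server.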
Self-check
- Why whitelist allowed roles instead of blocking bad ones?
- Where should validation run—browser or server?
Tip: Collect field errors in an associative array and re-render the form—users fix all issues in one pass.