Risky Jobs lets users submit resumes

Riskyjobs.biz has grown. The company now lets job seekers enter their resumes and contact information into a web form so that our Risky Jobs employers can find them more easily. Here’s what the form looks like:

Our job seeker information is stored in a table that can be searched by employers, recruiters, and headhunters to identify potential new employees. But there’s a problem... the data entered into the form apparently can’t be trusted!

You can fix some data with string functions but they don’t help much when data must fit a very specific pattern.

String functions are well suited to simple find-and-replace operations. For example, if users submitted their phone numbers using dots to separate the blocks of digits instead of hyphens, we could easily write some str_replace() code to substitute in hyphens in their place

But for anything that we can’t possibly know, like the area code of Jimmy Swift’s phone number, we need to ask the person who submitted the form to clarify. And the only way we can know that he’s missing an area code is to understand the exact pattern of a phone number. What we really need is more advanced validation to ensure that things like phone numbers and email addresses are entered exactly right.

String functions really aren’t useful for more than the most primitive of data validation.

Think about how you might attempt to validate an email address using string functions. PHP has a function called strlen() that will tell you how many characters are in a string. But there’s no predefined character length for data like email addresses. Sure, this could potentially help with phone numbers because they often contain a consistent quantity of numbers, but you still have the potential dots, dashes, and parentheses to deal with.

Getting back to email addresses, their format is just too complex for string functions to be of much use. We’re really looking for specific patterns of data here, which requires a validation strategy that can check user data against a pattern to see if it’s legit. Modeling patterns for your form data is at the heart of this kind of validation.

Decide what your data should look like

Our challenge is to clearly specify exactly what a given piece of form data should look like, right down to every character. Consider Jimmy’s phone number. It’s pretty obvious to a human observer that his number is missing an area code. But form validation isn’t carried out by humans; it’s carried out by PHP code. This means we need to “teach” our code how to look at a string of data entered by the user and determine if it matches the pattern for a phone number.

Coming up with such a pattern can be a challenge, and it involves really thinking about the range of possibilities for a type of data. Phone numbers are fairly straightforward since they involve 10 digits with optional delimiters. Email addresses are a different story, but we’ll worry about them a bit later in the chapter.

There are some things we know for sure about phone numbers, and we can use those things to make rules.

First, they can’t begin with 1 (long distance) or 0 (operator). Second, there should be 10 digits. And even though some people might have clever ways to represent their phone numbers with letters, phone numbers are esentially numbers—10 digits when we include an area code.

Formulate a pattern for phone numbers

To go beyond basic validation, such as empty() and isset(), we need to decide on a pattern that we want our data to match. In the case of a phone number, this means we need to commit to a single format that we expect to receive from the phone field in our form. Once we decide on a phone number format/pattern, we can validate against it.

Following is what is likely the most common phone number format in use today, at least for domestic U.S. phone numbers. Committing to this format means that if the phone number data users submit doesn’t match this, the PHP script will reject the form and display an error message.

Match patterns with regular expressions

PHP offers a powerful way to create and match patterns in text. You can create rules that let you look for patterns in strings of text. These rules are referred to as regular expressions, or regex for short. A regular expression represents a pattern of characters to match. With the help of regular expressions, you can describe in your code the rules you want your strings to conform to in order for a match to occur.

As an example, here’s a regular expression that looks for 10-digits in a row. This pattern will only match a string that consists of a 10 digit number. If the string is longer or shorter than that, it won’t match. If the string contains anything but numbers, it won’t match. Let’s break it down.

There’s also a more concise way of writing this same regular expression, which makes use of curly braces. Curly braces are used to indicate repetition:

Regular expressions are rules used to match patterns in one or more strings.

It’s true, regular expressions are cryptic and often difficult to read... but they are very powerful.

Power often comes at a cost, and in the case of regular expressions, that cost is learning the cryptic syntax that goes into them. You won’t become a master of regular expressions overnight, but the good news is you don’t have to. You can do some amazingly powerful and useful things with regular expressions, especially when it comes to form field validation, with a very basic knowledge of regular expressions. Besides, the more you work with them and get practice breaking them down and parsing them, the easier they’ll be to understand.

Build patterns using metacharacters

Being able to match digits in a text string using \d is pretty cool, but if that’s all the functionality that regular expressions provided, their use would be sorely limited. Just matching digits isn’t even going to be enough for Risky Jobs phone number validation functionality, as we’re going to want to be able to match characters like spaces, hyphens, and even letters.

Luckily, PHP’s regex functionality lets you use a bunch more special expressions like \d to match these things. These expresions are called metacharacters. Let’s take a look at some of the most frequently used regex metacharacters.

Metacharacters let us describe patterns of text within a regular expression.

These metacharacters are cool, but what if you really want a specific character in your regex? Just use that character in the expression. For example, if you wanted to match the exact phone number “707-827-7000”, you would use the regex /707-827-7000/.

Who Does What?

Match each different phone number regular expression with the phone number that it matches.

Regex	String it matches
`/^\d{3}\s\d{7}$/`	5556364652
`/^\d{3}\s\d{3}\s\d{4}$/`	555 636 4652
`/^\d{3}\d{3}-\d{4}$/`	555636-4652
`/^\d{3}-\d{3}-\d{4}$/`	555 ME NINJA
`/^\d{3}\s\w\w\s\w{5}$/`	555 6364652
`/^\d{10}$/`	555-636-4652

Yes, but the key is to specify such a pattern as optional in your regular expression.

If we changed our regex to /^d{3}-\d{3}-\d{4}-d{4}$/, we’d be requiring our string to have a four-digit extension at the end, and we’d no longer match phone numbers like “555-636-4652”. But we can use regular expressions to indicate that parts of the string are optional. Regexes support a feature called quantifiers that let you specify how many times characters or metacharacters should appear in a pattern. You’ve actually already seen quantifiers in action in regexes like this:

Here, curly braces act as a quantifier to say how many times the preceding digit should appear. Let’s take a look at some other frequently used quantifiers.

A quantifier specifies how many times a metacharacter should appear.

So, if we wanted to match those optional digits at the end of our phone number, we could use the following pattern:

You’re absolutely right. 0 connects you to an operator, and 1 dials long distance.

We simply want the area code and number. We need to make sure the first digit is not 1 or 0. And to do that, we need a character class.

Character classes let you match characters from a specific set of values. You can look for a range of digits with a character class. You can also look for a set of values. And you can add a caret to look for everything that isn’t in the set.

To indicate that a bunch of characters or metacharacters belongs to a character class, all you need to do is surround them by square brackets, []. Let’s take a look at a few examples of character classes in action:

[0-2]

This matches a range of numbers. It will match 0, 1, or 2.

[^b-f]

Note

In a character class, the ^ means “don’t match”.

This carat has a different meaning when it’s used inside a character class. Instead of saying, “the string must start with...”, the caret means “match everything except...”

[A-D]

This will match everything except b, c, d, e, or f.

This will match A, B, C, or D.

A character class is a set of rules for matching a single character.

Write a regular expression that matches international phone numbers:

__________________________________________

Fine-tune patterns with character classes

With the help of character classes, we can refine our regular expression for phone numbers so that it won’t match invalid digit combinations. That way, if someone accidentally enters an area code that starts with 0 or 1, we can throw an error message. Here’s what our new-and-improved regex looks like:

If you want to use reserved characters in your regular expression, you need to escape them.

In regular expression syntax, there are a small set of characters that are given special meaning, because they are used to signify things like metacharacters, quantifiers, and character classes. These include the period (.), the question mark (?), the plus sign (+), the opening square bracket ([), opening and closing parentheses, the caret (^), the dollar sign ($), the vertical pipe character (|), the backslash (\), the forward slash (/), and the asterisk (*).

If you want to use these characters in your regular expression to signify their literal meaning instead of the metacharacters or quantifiers they usually represent, you need to “escape” them by preceding them with a backslash.

For example, if you wanted to match parentheses in a phone number, you couldn’t just do this:

Instead, both the opening and closing parentheses need to be preceded by backslashes to indicate that they should be interpreted as actual parentheses:

Risky Jobs needs to put regular expressions to work validating form data!

Check for patterns with preg_match()

We haven’t been developing patterns just for the fun of it. You can use these patterns with the PHP function preg_match(). This function takes a regex pattern, just like those we’ve been building, and a text string. It returns false if there is no match, and true if there is.

Here’s an example of the preg_match() function in action, using a regex that searches a text string for a four-character pattern of alternating uppercase letters and digits:

We can take advantage of the preg_match() function to enable more sophisticated validation functionality in PHP scripts by building an if statement around the return value.

First Name: Jimmy

Last Name: Swift

Email: JS@sim-u-duck.com

Phone: (555) 636 4652

Desired Job: Ninja

Download It!

The complete source code for the Risky Jobs application is available for download from the Head First Labs web site:

www.headfirstlabs.com/books/hfphp

Just because you’re permitting data to be input in all different formats doesn’t necessarily mean you want your data stored in all those formats.

Luckily, there’s another regex function that’ll let us take the valid phone number data submitted by Risky Jobs’s users and make all of it conform to just one consistent pattern, instead of four.

The preg_replace() function goes one step beyond the preg_match() function in performing pattern matching using regular expressions. In addition to determining whether a given pattern matches a given string of text, it allows you to supply a replacement pattern to substitute into the string in place of the matched text. It’s a lot like the str_replace() function we’ve already used, except that it matches using a regular expression instead of a string.

Here’s an example of the preg_replace() function in action:

Standardize the phone number data

Right now, Risky Jobs is using the following regular expression to validate the phone numbers users submit via their registration form:

/^\(?[2-9]\d{2}\)?[-\s]\d{3}-\d{4}$/

This will match phone numbers that fall into these four patterns:

While these formats are easily interpreted by people, they make it difficult for SQL queries to sort results the way we want. Those parentheses will most likely foil our attempts to group phone numbers by area code, for example, which might be important to Risky Jobs if we want to analyze how many of the site’s users came from a specific geographical location.

To make these kinds of queries possible, we need to standardize phone numbers to one format using preg_replace() before we INSERT data into the database. Our best bet is to get rid of all characters except numeric digits. That way, we simply store 10 digits in our table with no other characters. We want our numbers to be stored like this in the table:

This leaves us with four characters to find and replace. We want to find and remove open and closing parentheses, spaces, and dashes. And we want to find these characters no matter where in the string they are, so we don’t need the starting carat (^) or ending dollar sign ($). We know we’re looking for any one of a set, so we can use a character class. The order of the search doesn’t matter. Here’s the regex we can use:

Standardizing your data gives you better SQL query results.

Get rid of the unwanted characters

Now that we have our pattern that finds those unwanted characters, we can apply it to phone numbers to clean them up before storing them in the database. But how? This is where the preg_replace() function really pays off. The twist here is that we don’t want to replace the unwanted characters, we just want them gone. So we simply pass an empty string into preg_replace() as the replacement value. Here’s an example that finds unwanted phone number characters and replaces them with empty strings, effectively getting rid of them:

Sure, but it would end up causing problems later since phone number queries won’t work as expected.

Most users are accustomed to entering phone numbers with some combination of dashes (hyphens), parentheses, and spaces, so attempting to enforce pure numeric phone numbers may not work as expected. It’s much better to try and meet users halfway, giving them reasonably flexible input options, while at the same time making sure the data you store is as consistent as possible.

Besides, we’re only talking about one call to preg_replace() to solve the problem, which just isn’t a big deal. If we were talking about writing some kind of custom function with lots of code, it might be a different story. But improving the usability and data integrity with a single line of code is a no-brainer!

Just like with validating phone numbers earlier, we first need to determine the rules that valid email addresses must follow. Then we can formalize them as a regular expression, and implement them in our PHP script. So let’s first take a look at what exactly makes up an email address:

Brain Power

See if you can come up with a regular expression that is flexible enough to match the email addresses to the right. Write it below:

__________________________________________

Matching email addresses can be tricky

It seems like it should be pretty simple to match email addresses, because at first glance, there don’t appear to be as many restrictions on the characters you can use as there are with phone numbers.

For example, it doesn’t seem like too big of a deal to match the LocalName portion of an email address (everything before the @ sign). Since that’s just made up of alphanumeric characters, we should be able to use the following pattern:

This would allow any alphanumeric character in the local name, but unfortunately, it doesn’t include characters that are also legal in email addresses.

Believe it or not, valid email addresses can contain any of these characters in the LocalName portion, although some of them can’t be used to start an email address:

If we want to allow users to register that have email addresses containing these characters, we really need a regex that looks something more like this:

This won’t match every single valid LocalName, as we’re still skipping some of the really obscure characters, but it’s very practical to work with and should still match the email addresses of most of Risky Jobs users.

That would work for part of the domain, the prefix, but it wouldn’t account for the suffix.

While the domain prefix can contain pretty much any combination of alphanumerics and a few special characters, just like the LocalName, the restrictions on domain suffixes are much more stringent.

Most email addresses end in one of a few common domain suffixes: .com, .edu, .org, .gov, and so on. We’ll need to make sure email addresses end in a valid domain suffix, too.

Validation is often a trade-off between what’s allowed and what is practical to accept.

Domain suffixes are everywhere

In addition to super-common domain suffixes that you see quite frequently, like .com and .org, there are many, many other domain suffixes that are valid for use in email addresses. Other suffixes recognized as valid by the Domain Name System (DNS) that you may have seen before include .biz and .info. In addition, there’s a list of suffixes that correspond to different countries, like .ca for Canada and .tj for Tajikistan.

Here is a list of just a few possible domain suffixes. This is not all of them.

Geek Bits

The Domain Name System is a distributed data service that provides a worldwide directory of domains and their IP addresses. It makes the use of domain names possible. Without DNS, we’d be typing 208.201.239.36 instead of oreilly.com.

We could do that, and it would work.

But there’s an easier way. Instead of keeping track of all the possible domains and having to change our code if a new one is added, we can check the domain portion of the email address using the PHP function checkdnsrr(). This function connects to the Domain Name System, or DNS, and checks the validity of domains.

Use PHP to check the domain

PHP provides the checkdnsrr() function for checking whether a domain is valid. This method is even better than using regular expressions to match the pattern of an email address, because instead of just checking if a string of text could possibly be a valid email domain, it actually checks the DNS records and finds out if the domain is actually registered. So, for example, while a regular expression could tell you that lasdjlkdfsalkjaf.com is valid, checkdnsrr() can go one step further and tell you that, in fact, this domain is not registered, and that we should probably reject sdfhfdskl@lasdjlkdfsalkjaf.com if it’s entered on our registration form.

The syntax for checkdnsrr() is quite simple:

Watch it!

If you’re running PHP on a Windows server, this command won’t work for you.

This is only an issue if your web server is Windows. If you’re using a Windows computer to build your web site, but you’re actually posting it to a UNIX/Linux server, then this is not a problem.

Instead, you can use this code:

Email validation: putting it all together

We now know how to validate both the LocalName portion of an email address using regular expressions, and the domain portion of an email address using checkdnsrr(). Let’s look at the step-by-step of how we can put these two parts together to add full-fledged email address validation to Risky Jobs’s registration form:

Use preg_match() to determine whether the LocalName portion of our email address contains a valid pattern of characters.
We can use the following regex to do so:
If validation of the LocalName fails, echo an error to the user and reload the form.
If validation of the LocalName succeeds, pass the domain portion of the text string users submitted to checkdnsrr().
If checkdnsrr() returns 0, then the domain is not registered, so we echo an error to the user and reload the form.
If checkdnsrr() returns 1, then the domain is registered, and we can be fairly confident that we’ve got a valid email address. We can proceed with validating the rest of the fields in the form.

Your PHP & MySQL Toolbox

Looking for patterns in text can be very handy when it comes to validating data entered by the user into web forms. Here are some of the PHP techniques used to validate data with the help of regular expressions:

Q:	Q: I’m still not sure I see why I can’t just stick with `isset()` and `empty()` for our form validation.
A:	A: These two functions will tell you whether or not someone who submitted a form put data in a text field, but they won’t tell you anything about the actual data they entered. As far as the `empty()` function is concerned, there’s absolutely no difference between a user entering “(707) 827-700” or “4FG8SXY12” into the phone number field in our form. This would be a huge problem for sites like Risky Jobs, which depends on reliable data to get in touch with job candidates.
Q:	Q: If `isset()` and `empty()` won’t work, can’t we simply have someone check the data after it goes into the database?
A:	A: You can, but by then it’s often too late to fix the bad data. If a phone number is missing an area code, we need to ask the user to clarify things by resubmitting the data in that form field. If you wait until later and check the data once it’s already in the database, you may have no way of contacting the user to let them know that some of their data was invalid. And since the user probably won’t realize they made a mistake, they won’t know anything’s wrong either. So, the best plan of action is to validate the users form data immediately when they submit the form. That way you can display an error message and ask them to fill out the form again.
Q:	Q: So then how do you decide whether the data the user entered is valid or not?
A:	A: That depends on what kind of data it is. Different types of information have different rules that they need to follow: what kind of characters they contain, how many characters they have, what order those characters are in. So you need to communicate those rules in your PHP code. Let‘s take a closer look at the rules governing phone numbers...

Q:	Q: Do I have to use that pattern for matching phone numbers?
A:	A: That’s what we’re using for Risky Jobs because it’s pretty standard, but when you’re designing your own forms you should pick one that makes sense to you. Just keep in mind that the more commonly accepted the pattern is, the more likely users will follow it.
Q:	Q: Couldn’t I just tell users to enter a pattern like ########## and then use PHP’s string functions to make sure the data contains 10 numeric characters?
A:	A: You could, and that would be sufficient if that was the pattern your users expected. Unfortunately, it’s not really a very good pattern because most people don’t run their phone number together like that when filling out forms. It’s a bit non-standard, which means users won’t be used to it, and will be less likely to follow it.
Q:	Q: So? It’s my pattern, I can do what I want, right?
A:	A: Sure, but at the same time you want your users to have a good experience. Otherwise they’ll quit visiting your site.
Q:	Q: OK, so couldn’t I use three text fields for the phone number: one for area code, then three digits in the second, and then the last four digits in the third. Then I could use PHP’s string functions.
A:	A: Yes, you could, and some sites do that. But being able to match patterns gives you more flexibility. And matching patterns is useful for lots more things than just making sure your user enters the right pattern for a phone number, as you’ll see later in this chapter.

Q:	Q: So character classes let you specify a range of characters that will match the text string.
A:	A: Yes, a character class lets you specify in your regular expression that any member of a specified set of characters will match the text string, instead of just one. For example, the character class `[aeiou]` will match one instance of any lowercase vowel, and the class `[m-zM-Z]` will match one instance of any letter in the second half of the alphabet, lowercase or uppercase. And the character class `[0-9]` is equivalent to the metacharacter `\d`, which is really just a shorthand way of saying the same thing.
Q:	Q: Don’t I need to put spaces or commas in between the characters or ranges I specify in character classes?
A:	A: No, if you do that, those extra characters will be interpreted as part of the set of characters that should match the text string. For example, the character class [m-z, M-Z] would match not only uppercase and lowercase letters from m to z, but also a comma or space, which is probably not what you want.
Q:	Q: What if I want to match a character in a character class more than once? Like one or more vowels consecutively.
A:	A: Just add a quantifier after the character class. The expression `/[aeiouAEIOU]+/` will match one or more vowels in a row.
Q:	Q: I thought quantifiers only applied to the character that immediately preceded them.
A:	A: Usually that’s the case, but if a quantifier directly follows a character class, it applies to the whole class. And if you want to make a quantifier apply to a whole series of characters that aren’t in a character class, you can surround these characters with parentheses to indicate that they should be grouped together. As an example, the regular expression `/(hello)+/` will match one or more consecutive instances of the word “hello” in a text string.
Q:	Q: What if I wanted to match two different spellings of a word, like “ketchup” or “catsup”?
A:	A: You can use the vertical-pipe character (\|) in your regular expressions to indicate a set of options to choose from. So, the regular expression `/(ketchup\|catsup\|catchup)/` will match any one of the three most common spelling variants of the word.

555-636-4652	555 636-4652
(555)-636-4652	(555) 636-4652

555-636-4652	555 636-4652
(555) 636-4652	(555) 636-4652