Some of the validation strategies discussed in this section use regular expressions, which are powerful text-matching patterns, written in a language all their own. If you're not familiar with regular expressions, Appendix B provides a quick introduction.
Data validation is one of the most important parts of a web application. Weird, wrong, and damaging data shows up where you least expect it. Users are careless, users are malicious, and users are fabulously more creative (often accidentally) than you may ever imagine when you are designing your application. Without a Clockwork Orange-style forced viewing of a filmstrip on the dangers of unvalidated data, I can't over-emphasize how crucial it is that you stringently validate any piece of data coming into your application from an external source. Some of these external sources are obvious: most of the input to your application is probably coming from a web form. But there are lots of other ways data can flow into your programs as well: databases that you share with other people or applications, web services and remote servers, even URLs and their parameters.
As mentioned earlier, Example 6-8 doesn't indicate what's wrong with the form if the check in validate_form() fails. Example 6-9 alters validate_form() and show_form() to manipulate and print an array of possible error messages.
Example 6-9. Displaying error messages with the form
// Logic to do the right thing based on
// the hidden _submit_check parameter ...
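The pattern the text describes, a validate_form() that accumulates an array of error messages and a show_form() that prints them above the redisplayed fields, as an added example written for this page rather than the book's own Example 6-9. The field names (name, age, email, color), the validation rules, and the use of PHP 7 syntax such as `??` and return type declarations are assumptions; the hidden _submit_check parameter is the one the text mentions.

```php
<?php
// Added example (not the book's code). Self-processing form: the hidden
// _submit_check field tells us whether this request is a submission.
if (isset($_POST['_submit_check'])) {
    $errors = validate_form();
    if ($errors) {
        show_form($errors);   // redisplay with the list of problems
    } else {
        process_form();
    }
} else {
    show_form();
}

// Returns an array of error messages; an empty array means the data is OK.
function validate_form(): array {
    $errors = [];

    // Required text field: trim first so whitespace-only input is rejected.
    $name = trim($_POST['name'] ?? '');
    if ($name === '') {
        $errors[] = 'Please enter your name.';
    } elseif (strlen($name) > 50) {
        $errors[] = 'Your name must be 50 characters or fewer.';
    }

    // Numeric field: check the type (digits only) before the range, so that
    // strings like "12abc" or "1e3" are rejected rather than silently cast.
    $age = $_POST['age'] ?? '';
    if (!ctype_digit($age)) {
        $errors[] = 'Age must be a whole number.';
    } elseif ((int)$age < 1 || (int)$age > 120) {
        $errors[] = 'Age must be between 1 and 120.';
    }

    // Email field: use PHP's built-in validator instead of a home-grown regex.
    $email = $_POST['email'] ?? '';
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Please enter a valid email address.';
    }

    // Menu field: accept only values that appear in the menu we generated.
    // A user can submit any value, not just the <option>s we sent.
    $colors = ['red', 'green', 'blue'];
    if (!in_array($_POST['color'] ?? '', $colors, true)) {
        $errors[] = 'Please choose a color from the list.';
    }

    return $errors;
}

// Prints the error list (if any) and the form, with submitted values filled in.
function show_form(array $errors = []): void {
    if ($errors) {
        print '<ul class="errors">';
        foreach ($errors as $error) {
            print '<li>' . htmlentities($error, ENT_QUOTES, 'UTF-8') . '</li>';
        }
        print '</ul>';
    }

    // Escape everything that came from the browser before echoing it back,
    // so a submitted value can never be interpreted as HTML or script.
    $self  = htmlentities($_SERVER['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    $name  = htmlentities($_POST['name']  ?? '', ENT_QUOTES, 'UTF-8');
    $age   = htmlentities($_POST['age']   ?? '', ENT_QUOTES, 'UTF-8');
    $email = htmlentities($_POST['email'] ?? '', ENT_QUOTES, 'UTF-8');
    $color = $_POST['color'] ?? '';

    $options = '';
    foreach (['red', 'green', 'blue'] as $c) {
        $selected = ($c === $color) ? ' selected' : '';
        $options .= "<option value=\"$c\"$selected>$c</option>";
    }

    print <<<HTML
<form method="POST" action="{$self}">
Name: <input type="text" name="name" value="{$name}"><br>
Age: <input type="text" name="age" value="{$age}"><br>
Email: <input type="text" name="email" value="{$email}"><br>
Color: <select name="color">{$options}</select><br>
<input type="hidden" name="_submit_check" value="1">
<input type="submit" value="Send">
</form>
HTML;
}

// Called only when validate_form() returned no errors.
function process_form(): void {
    print 'Thanks, ' . htmlentities($_POST['name'], ENT_QUOTES, 'UTF-8') . '!';
}
```

Two points are worth noting. validate_form() never returns early: it checks every field and collects every problem, so the user sees the complete list in one round trip. And show_form() escapes both the error messages and the redisplayed field values with htmlentities(); the messages here are constants, but escaping them too keeps the function safe if a later edit interpolates user input into a message.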