PHP: Best practice for validating Option Select

I have an HTML form with an option select for choosing a country name; see sample code below.

I'm wondering how to validate this part of the form in PHP using filter input.

filter_input(INPUT_POST, "Country", FILTER_VALIDATE_INT);

This will detect if no country has been selected because the value is 1.
How would I validate a proper 3 figure country code?

Is regex the best way, or a test for string length?


<div >
 <select name="Country" >
  <option selected value=1>Please select</option>
  <option value="BRA">Brazil</option>
  <option value="NZL">New Zealand</option>
  <option value="SWZ">Switzerland</option>
 </select>
</div>

trevor1940 Asked:

Steve Bink Commented:
When sanitizing user input, you should whitelist whenever possible.  In this case, you have a known number of acceptable answers.  Using a regex to detect good data is certainly acceptable.

To make things easier, you could have these options in a table.  For example:
CREATE TABLE `countries` (
	`id` INT(10) UNSIGNED NOT NULL AUTO_INCREMENT,
	`abbr` CHAR(3) NOT NULL,
	`name` VARCHAR(50) NOT NULL,
	PRIMARY KEY (`id`)
);



A simple SELECT gives you the array of possible values and names.  You can use that to build the select element, as well as filter the selection:
// assuming $countries = ['BRA'=>'Brazil','NZL'=>'New Zealand','SWZ'=>'Switzerland']
$is_valid = array_key_exists($user_selection, $countries);


1
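The allow-list check from the answer above, combined with a three-capital-letter shape check and the `filter_input` call from the question, as an added example that is not part of the original posts. `validate_country`, `render_options` and the `COUNTRIES` constant are hypothetical names, the list is constructed sample data, and the `mixed` type assumes PHP 8.0 or later:

```php
<?php
declare(strict_types=1);

// Constructed allow-list; with the countries table above it would come from a SELECT.
const COUNTRIES = ['BRA' => 'Brazil', 'NZL' => 'New Zealand', 'SWZ' => 'Switzerland'];

// Hypothetical helper: returns the accepted code, or null for anything else
// (missing field, array input, the "Please select" placeholder, unknown code).
function validate_country(mixed $raw, array $allowed): ?string
{
    // filter_input() gives null for an absent field and false for array input.
    if (!is_string($raw)) {
        return null;
    }
    // Shape check: \A...\z rejects a trailing newline, which ^...$ would tolerate.
    if (preg_match('/\A[A-Z]{3}\z/', $raw) !== 1) {
        return null;
    }
    // Membership check: the code must be a key of the allow-list.
    return array_key_exists($raw, $allowed) ? $raw : null;
}

// Hypothetical helper: build the options from the same list the validator uses,
// so the form and the check cannot drift apart.
function render_options(array $allowed): string
{
    $html = '<option selected value="1">Please select</option>' . "\n";
    foreach ($allowed as $code => $name) {
        $html .= sprintf(
            '<option value="%s">%s</option>' . "\n",
            htmlspecialchars((string) $code, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars((string) $name, ENT_QUOTES, 'UTF-8')
        );
    }
    return $html;
}

// In a request handler: validate_country(filter_input(INPUT_POST, 'Country'), COUNTRIES)
// Constructed sample inputs standing in for posted values:
foreach (['NZL', '1', 'nzl', "BRA\n", 'XXX', ['BRA'], null] as $sample) {
    printf("%-12s => %s\n", json_encode($sample), var_export(validate_country($sample, COUNTRIES), true));
}
```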

Julian Hansen Commented:
$test = isset($_POST['Country']) 
   ? preg_match('/^[A-Z]{3}$/', $_POST['Country'], $country) 
   : false;

if (!$test) {
 // bad input
}
else {
  // If you get here you have an input comprising 3 capital letters - does not guarantee they are valid
  // country will now be in $country[0]
}



What you can do (building on Steve's suggestion) is create a country table with a relationship set up to your data table on the country field.

If you try to insert a value into the data table (for country) that does not exist in the country table, the query will fail.
1
Vijaya Kumar Commented:
Hope this helps


// The "Please select" option posts the numeric value 1
if (is_numeric($_POST["Country"])) {
    echo "No country selected";
} else {
    // List of accepted values
    $country = array("brazil", "new land", "xxxx", "yyy");
    if (in_array($_POST["Country"], $country)) {
        echo "Got it";
    } else {
        echo "no";
    }
}
0
trevor1940 Author Commented:
Thanks for your suggestions
0
Question has a verified solution.