Docs
← Back to site

Server-side Validation

3 min readUpdated April 29, 2026

Smart Phone Field validates phone numbers twice — once in the browser as the customer types, and again on the server when the checkout form is submitted. This article explains the server-side validation layer, why it exists, and how it protects your order data.

Why Server-side Validation Is Necessary#

Client-side validation, which runs in the browser, is a convenience for the customer. It gives instant feedback and prevents most mistakes before the form is submitted. But it can be bypassed.

A technically capable user can disable JavaScript, modify the form submission, or submit a request directly to your server without ever touching the form in a browser. In those cases the client-side checks never run.

Server-side validation closes that gap. It runs on your server regardless of how the form was submitted and cannot be bypassed by anything the customer does in their browser.

How It Works#

When a customer submits the checkout form, WooCommerce processes the order data on the server before creating the order. Smart Phone Field hooks into this process and validates the phone number again at that point.

The server-side check confirms:

  • A phone number has been provided if the field is required
  • The number matches a valid international format including a recognisable country dial code
  • The number is not malformed or obviously invalid

If the phone number passes validation, the order proceeds normally. If it fails, WooCommerce stops the order creation process and returns an error to the customer.

What the Customer Sees#

If server-side validation rejects a phone number, the customer sees a clear error message at the top of the checkout page. The message tells them their phone number format is incorrect and asks them to check it and try again.

The customer is not charged. No order is created. They remain on the checkout page with all their other information intact so they can correct just the phone number and resubmit.

When Server-side Validation Triggers#

Server-side validation runs on every checkout submission where a phone number has been entered. It does not matter whether the submission came from a normal browser session, a headless request, or any other source.

For optional phone fields, server-side validation only runs if a value was provided. If the field is left blank and it is set to optional in WooCommerce, the server-side check is skipped for that submission.

The Security Benefit#

Beyond data quality, server-side validation provides a security benefit. It prevents malformed or malicious input from being stored in your database via the phone field. Any value that does not match a valid international phone number format is rejected before it reaches your order data.

How It Works Alongside Real-time Validation#

The two layers of validation serve different purposes and work together.

Real-time validation is for the customer — it gives immediate feedback in the browser and helps them enter a correctly formatted number before they try to submit the form. Most customers will never encounter a server-side error because the real-time validation has already guided them to a valid number.

Server-side validation is for your data — it is the safety net that catches anything that slips through, regardless of how or where the form was submitted.

In normal usage, a customer entering a valid phone number will pass both layers without noticing them. The server-side check is invisible when everything is correct. It only surfaces when something is wrong.

Compatibility with Other Plugins#

Server-side validation hooks into the standard WooCommerce checkout validation flow using the woocommerce_checkout_process action. This is the same hook used by WooCommerce itself and most checkout plugins, which means it is broadly compatible with other plugins that modify the checkout process.