开发者

Validate Input form in PHP

开发者 https://www.devze.com 2023-03-29 12:46 出处:网络
I\'m trying to validate my form before inserting into database with this code, but I keeps printin \'You missed a value\'. I would like your help to figure out the problem.

I'm trying to validate my form before inserting into database with this code, but I keeps printin 'You missed a value'. I would like your help to figure out the problem.

Thanks

<?php
 $username   = mysql_real_escape_string($_POST['username']);
 $pword      = mysql_real_escape_string($_POST['passwd']);
 $fname      = mysql_real_escape_string($_POST['firstname']);
 $lname      = mysql_real_escape_string($_POST['lastname']);
 $email      = mysql_real_escape_string($_POST['email']);
 $telephone  = mysql_real_escape_string($_POST['telephone']);
 $ad1        = mysql_real_escape_st开发者_开发技巧ring($_POST['ad1']);
 $ad2        = mysql_real_escape_string($_POST['street']);
 $ad3        = mysql_real_escape_string($_POST['town']);
 $pcode      = mysql_real_escape_string($_POST['pcode']);


 if( $username == " " || $pword == " " || $fname == " " || $lname == " " || $email == " ")

    echo 'You missed a value';  
    exit();

    $con = mysql_connect("localhost","root","");
    if (!$con)
    {
      die('Could not connect: ' . mysql_error());
    }

  mysql_select_db("people", $con);

//$description = mysql_real_escape_string($_POST[description]);
    $pword = md5($pword);
    $sql="INSERT INTO members (username, pword, fname, lname, email, telephone, ad1, ad2, ad3, pcode)
VALUES
('$username','$pword','$fname', '$lname', '$email','$telephone','$ad1','$ad2','$ad3','$pcode')";


  if (!mysql_query($sql,$con)){
   die('Error: ' . mysql_error());
   }
   echo "1 record added";

 mysql_close($con)
?> 


You should validate off the raw POST values, not the mysql_real_escape_string ones. Also you are comparing to (space) not empty string and assigning them not comparing them.


if( $username == '' || $pword == '' || $fname == '' || $lname == '' || $email == '')

You are assigning an empty space to the variables by doing $var = "", instead of comparing with with the comparison operators $var == '', or stricter $var === ''.


This would be a little bit cleaner code to follow and maintain:

function sqlEscape($string){
    return "'".mysql_real_escape_string($string)."'";
}

if(     $_POST['username']  == '' 
    ||  $_POST['passwd']    == ''
    ||  $_POST['firstname'] == '' 
    ||  $_POST['lastname']  == ''
    ||  $_POST['email']     == '')
{ 
    exit('You missed a value');
}

$con = mysql_connect('localhost', 'root', '');
if (!$con){
  die('Could not connect: ' . mysql_error());
}

mysql_select_db('people', $con);

//$description = mysql_real_escape_string($_POST[description]);
$pword = md5($_POST['passwd']);
$sql = sprintf('INSERT INTO members (username, pword, fname, lname, email, telephone, ad1, ad2, ad3, pcode) 
                VALUES(%s, %s, %s, %s, %s, %s, %s, %s, %s, %s)', 
                sqlEscape($_POST['username']),
                sqlEscape($pword),
                sqlEscape($_POST['firstname']),
                sqlEscape($_POST['lastname']),
                sqlEscape($_POST['email']),
                sqlEscape($_POST['telephone']),
                sqlEscape($_POST['ad1']),
                sqlEscape($_POST['street']),
                sqlEscape($_POST['town']),
                sqlEscape($_POST['pcode']));

if (!mysql_query($sql,$con)){
    die('Error: ' . mysql_error());
}

echo '1 record added';

mysql_close($con)

I added in a function (sqlEscape) to run all the mysql_real_escape_string, just to make the escapes a piece of cake. Notice that I am calling this function after the MySQL connection has been established, because mysql_real_escape_string will NOT work without a connection.


check your if condition use == instant of =

wrong if( $username = " " || $pword = " " || $fname = " " || $lname = " " || $email = " ")


Use == instead of = in your if's.

if( $username == " " || $pword == " " || $fname == " " || $lname == " " || $email == " ")


take out the spaces in this line and you need double equals

if( $username = " " || $pword = " " || $fname = " " || $lname = " " || $email = " ") 

change to

if( $username == "" || $pword == "" || $fname == "" || $lname == "" || $email == "") 


if( $username = " ") does not compare but assign, use if( $username == " ") instead – which still checks, whether the input is a single space-char, which maybe mostly isn't. To check if a variable has content or not use if(empty($username)).

Also its maybe better for you to use array_map on the $_POST-array to escape the values:

array_map(function($value) {
    return mysql_real_escape_string($value);
}, $_POST);

(If you're prior to PHP 5.3, you need to use a separate function declaration instead of an anonymous callback.)


Yeap, the sign "=" is to set a variable, the comparaison sign is "==" or "===" in PHP.

btw, to minimize your code you can use "array_map" to apply "mysql_real_escape_string" function to your POST array :

$post = array_map("mysql_real_escape_string", $_POST);


= is assignment operator. It gives a value. == is comparison operator. It compares the 2 things. === is also a comparison operator, but it compares whether the values and the variable types are the same. You need to remember that.

Also, you can also make your code clearer like this (it's just an example, don't copy paste it because it can be improved and it's not exactly safe):

foreach($_POST as $key => $value)
{
    $columns[] = $key;
    $value = mysql_real_escape_string($value);
    $values[] = "'" . $value ."'";

    if(empty($value))
    {
        $errors[] = 'POST with key '. $key .' was not filled in';
    }
}

if(!isset($errors))
{
    $query = "INSERT INTO (". implode(',', $columns .") VALUES (". implode(',', $values .")";

}
else
{
    echo implode('<br />', $errors);
}

While learning how to program, if you find yourself copypasting certain code - you then know it's something you can code more intelligently.


if( $username == " " || $pword == " " || $fname == " " || $lname == " " || $email == " ")
{
 echo 'You missed a value';  
 exit();
}


I think you should add this line after assigning your variables:

if($_SERVER['REQUEST_METHOD']== 'POST'){if( $username == " " || $pword == " " || $fname == " " || $lname == " " || $email == " ")

echo 'You missed a value';  
exit();
}

//OTHER CODE

0

精彩评论

暂无评论...
验证码 换一张
取 消