LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Non-*NIX Forums > Programming
User Name
Password
Programming This forum is for all programming questions.
The question does not have to be directly related to Linux and any language is fair game.

Notices

Reply
 
Search this Thread
Old 09-07-2003, 07:03 AM   #1
linuxfond
Member
 
Registered: Jan 2003
Location: Belgium
Distribution: Mandrake 9.2
Posts: 475

Rep: Reputation: 30
Form validation problem (PHP+MySQL)


Hello,

I try to validate a form, before the data is inserted into the database.

The problem is that once the page is called via http, it inserts a NULL data into the database.

The top of the page contains java validation script as follow:

<script language="JavaScript" type="text/javascript">
<!--
function checkform ( form )
{
if (form.user.value == "") {
alert( "Please enter your username." );
form.user.focus();
return false ;
}
if (form.email.value == "") {
alert( "Please enter your email address." );
form.email.focus();
return false ;
}
if (form.PASSWORD.value == "") {
alert( "Please enter your PASSWORD." );
form.PASSWORD.focus();
return false ;
}
return true ;
}
//-->
</script>

This script works if I try to re-submit an empty form, but it doesn't work when page is loaded into the browser.

The PHP follows just below the java:
<?
print "<form action=$PHP_SELF method='post'onsubmit=\"return checkform(this);\">";
print "Select your username <input type=text name=user value= ><br>";
print "Enter your correct email <input type=text name=email value= ><br>";
print "Choose your password <input type=text name=PASSWORD value= ><br>";
print "<input type=hidden name=userlevel value=1><br>";

//create arrays:

$Array["user"] = trim ($user);
$Array["email"] = trim ($email);
$Array["PASSWORD"] = trim ($PASSWORD);

//connect to the database:
if (!($Link = @ mysql_connect($Host,
$Username,
$adminPassword)))
die("Could not connect");

//execute the query:

$Query = "INSERT into $TableName values ('0','$Array[user]','$Array[email]','$Array[PASSWORD]','1')";

if(mysql_db_query ($DBName, $Query, $Link)){
print ("Your user account was successfully created!<br>\n");
} else{
print("There was an error<br>\n");
}
print "<input type=submit name=submit value=\"Submit!\"></form>";
mysql_close ($Link);
?>

I don't know how to prevent connection to MySQL and insertion of empty data. Can anyone tell where I am wrong? Thanks!

P.S. Another problem here is that the PASSWORD is not encrypted.
 
Old 09-07-2003, 11:03 AM   #2
lackluster
Member
 
Registered: Apr 2002
Location: D.C - USA
Distribution: slackware-current
Posts: 488

Rep: Reputation: 30
I think you need to discover what happens when. Slow down a bit, you're moving too fast for yourself. First answer this: what happens when you type in a URL or click a link? You must first understand the basic principals of the internet. At least understand this:

JAVASCRIPT HAPPENS ON THE CLIENT
PHP HAPPENS ON THE SERVER
 
Old 09-07-2003, 11:18 AM   #3
linuxfond
Member
 
Registered: Jan 2003
Location: Belgium
Distribution: Mandrake 9.2
Posts: 475

Original Poster
Rep: Reputation: 30
I use client side to speed up validation and minimize server load. The problem is that the SQL is executed when the page is loaded into the browser even before a user can see the form.

Should I use server side validation?
 
Old 09-07-2003, 07:28 PM   #4
jiml8
Senior Member
 
Registered: Sep 2003
Posts: 3,171

Rep: Reputation: 114Reputation: 114
You obviously haven't provided a complete page.
Build your client side page in HTML, and invoke a PHP script from the form, something like this:

<html>

<head>

<title>MyPage</title>

<style>

A:Link {color:000000;text-decoration:none;}

A:Visited {color:000000;text-decoration:none;}

A:Hover {color:F70404;}

</style>

</head>

<BODY>
<form action=myphp.php method='post' onsubmit="return checkform(this)">
<SCRIPT language="JavaScript"><!--
function checkform ( form )
{
if (form.user.value == "") {
alert( "Please enter your username." );
form.user.focus();
return false ;
}
if (form.email.value == "") {
alert( "Please enter your email address." );
form.email.focus();
return false ;
}
if (form.PASSWORD.value == "") {
alert( "Please enter your PASSWORD." );
form.PASSWORD.focus();
return false ;
}
return true ;
}
//-->
</script>

Select your username <input type=text name=user value= ><br>
Enter your correct email <input type=text name=email value= ><br>
Choose your password <input type=text name=PASSWORD value= ><br>
<input type=hidden name=userlevel value=1><br>
</form></body></html>

You probably should put the entry data into a table to make it neat.

Then, construct this php file (a separate file which I have called myphp.php) which is invoked from the submit button on your form.

<?
//create arrays:

$Array["user"] = trim ($user);
$Array["email"] = trim ($email);
$Array["PASSWORD"] = trim ($PASSWORD);

//connect to the database:
if (!($Link = @ mysql_connect($Host,
$Username,
$adminPassword)))
die("Could not connect");

//execute the query:

$Query = "INSERT into $TableName values ('0','$Array[user]','$Array[email]','$Array[PASSWORD]','1')";

if(mysql_db_query ($DBName, $Query, $Link)){
print ("Your user account was successfully created!<br>\n");
} else{
print("There was an error<br>\n");
}
print "<input type=submit name=submit value=\"Submit!\"></form>";
mysql_close ($Link);
?>

You will have to clean up the syntax and define the arrays, but this will do what you want.
 
Old 09-07-2003, 07:30 PM   #5
jiml8
Senior Member
 
Registered: Sep 2003
Posts: 3,171

Rep: Reputation: 114Reputation: 114
Now that I look that over after posting it, I see that it needs a submit button to make it happen.
 
Old 09-08-2003, 02:15 AM   #6
linuxfond
Member
 
Registered: Jan 2003
Location: Belgium
Distribution: Mandrake 9.2
Posts: 475

Original Poster
Rep: Reputation: 30
Thanks. Indeed, I split the files in two separate files and the problem is solved.
 
Old 09-08-2003, 03:54 AM   #7
Andy@DP
Member
 
Registered: Aug 2003
Location: Aberdeen, UK.
Distribution: Debian, Ubuntu
Posts: 208
Blog Entries: 2

Rep: Reputation: 30
Did anyone else notice the blindingly obvious problem with the original script?
There was no check to see if the form had been resubmitted before doing the database connection. There is no need to seperate the two into seperate files if there is a check, say for the submit button being clicked.
 
Old 09-08-2003, 04:23 AM   #8
linuxfond
Member
 
Registered: Jan 2003
Location: Belgium
Distribution: Mandrake 9.2
Posts: 475

Original Poster
Rep: Reputation: 30
You have the point, Andy, but I don't know know how to make that final check. Do you know the HowTo?
 
Old 09-08-2003, 04:44 AM   #9
Andy@DP
Member
 
Registered: Aug 2003
Location: Aberdeen, UK.
Distribution: Debian, Ubuntu
Posts: 208
Blog Entries: 2

Rep: Reputation: 30
Here is the code from your original post. My alterations are in red so you can see the changes.

<script language="JavaScript" type="text/javascript">
<!--
function checkform ( form )
{
if (form.user.value == "") {
alert( "Please enter your username." );
form.user.focus();
return false ;
}
if (form.email.value == "") {
alert( "Please enter your email address." );
form.email.focus();
return false ;
}
if (form.PASSWORD.value == "") {
alert( "Please enter your PASSWORD." );
form.PASSWORD.focus();
return false ;
}
return true ;
}
//-->
</script>

<?
print "<form action=$PHP_SELF method='post' onsubmit=\"return checkform(this);\">";
print "Select your username <input type=text name=user value= ><br>";
print "Enter your correct email <input type=text name=email value= ><br>";
print "Choose your password <input type=text name=PASSWORD value= ><br>";
print "<input type=submit name=submit_form value=submit><br>";
print "<input type=hidden name=userlevel value=1><br>";
print "</form>";

if (isset ($submit_form))
{

//create arrays:

$Array["user"] = trim ($user);
$Array["email"] = trim ($email);
$Array["PASSWORD"] = trim ($PASSWORD);

//connect to the database:
if (!($Link = @ mysql_connect($Host,
$Username,
$adminPassword)))
die("Could not connect");

//execute the query:

$Query = "INSERT into $TableName values ('0','$Array[user]','$Array[email]','$Array[PASSWORD]','1')";

if(mysql_db_query ($DBName, $Query, $Link)){
print ("Your user account was successfully created!<br>\n");
} else{
print("There was an error<br>\n");
}

mysql_close ($Link);
}
?>

The simple addition of the isset method will check if there is a variable called submit_form (the name of the button) set and if so it assumes the form has been filled in and does the database part.

I mean no offence whan I say this but if you don't know how to do this may I suggest getting a good PHP tutorial book like SAMS PHP in 24hrs, this covers forms and other useful PHP methods. I taught myself the basics using this book.
 
Old 09-08-2003, 07:24 AM   #10
linuxfond
Member
 
Registered: Jan 2003
Location: Belgium
Distribution: Mandrake 9.2
Posts: 475

Original Poster
Rep: Reputation: 30
Andy@DP, thanks a lot for your lesson.
I do have a few good books. The problem is not lack of information, but management of information
Thank you very much!

N.B. Note to the (unexperienced) coders who might copy and reuse this code:
THIS CODE IS NOT SECURE!!! If you put it on the Web, you will have to add a few security bells

Last edited by linuxfond; 09-08-2003 at 07:29 AM.
 
Old 09-08-2003, 08:27 AM   #11
Andy@DP
Member
 
Registered: Aug 2003
Location: Aberdeen, UK.
Distribution: Debian, Ubuntu
Posts: 208
Blog Entries: 2

Rep: Reputation: 30
Another note to the unexperienced...

Testing for the submit button like that is quite sloppy... I would suggest testing for several things and validating data beforehand. This was only a short lesson on self-submitting PHP pages NOT a definative solution. As linuxfond said this is not secure and open to abuse.

Edit: OK I'm going to add code examples to explain. The $submit_form variable is created by the submission of the form. It relates to the submit button.
The script has NO way of knowing if it was POST or GET
Any person can add ?submit_form=foo to the end of the URL and hey presto the isset ($submit_form) now returns true! and you end up with a totally false submission.
You should check first if each entry is filled in again with PHP and that the data came to the script the correct way (using the $HTTP_POST_VARS[] array for example). Also you should check WHERE the request came from to make sure someone has not knocked up a little script of their own. Make sure the referer id the script itself and not a remote script...
There are lots of security articles for PHP. Read them for a better understanding. This is only a TASTER of things that can go wrong

Last edited by Andy@DP; 09-08-2003 at 08:34 AM.
 
Old 09-08-2003, 09:32 AM   #12
linuxfond
Member
 
Registered: Jan 2003
Location: Belgium
Distribution: Mandrake 9.2
Posts: 475

Original Poster
Rep: Reputation: 30
I totally agree that the script is very welcoming for hackers, but, the form does have a method :
method='post'
Is that not enough to tell whether it is GET or POST?
 
Old 09-08-2003, 10:45 AM   #13
Andy@DP
Member
 
Registered: Aug 2003
Location: Aberdeen, UK.
Distribution: Debian, Ubuntu
Posts: 208
Blog Entries: 2

Rep: Reputation: 30
No that is not the correct bit I'm talking about.

the method only tells the browser how to send the information. GET is in the URL and POST in the HTTP headers. Using php variables like $submit_form which are created by GET/POST do not distinguish between the two and thats why I suggested using $HTTP_POST_VARS and $HTTP_GET_VARS. At least that way you are sure which way the data arrived at the script!

Last edited by Andy@DP; 09-08-2003 at 10:47 AM.
 
Old 09-08-2003, 12:11 PM   #14
linuxfond
Member
 
Registered: Jan 2003
Location: Belgium
Distribution: Mandrake 9.2
Posts: 475

Original Poster
Rep: Reputation: 30
Oh, I see. I thought you talked about this kind of string, but I wasn't sure. OK, I am going back to my books Thank you.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
PHP: html Form Select function problem camlinux Programming 2 05-15-2005 08:23 PM
PHP form help Zeppelin_Fan Programming 5 03-24-2005 04:47 PM
PHP:Unable to post variables from html form to mysql database vikram_cvk Linux - Software 1 09-29-2004 03:01 PM
Problem getting PHP to recognize MySQL, Using PHP 4.0 and MySQL 4.0.20 d2army Programming 4 06-27-2004 08:54 PM
Confused trying to do password validation in PHP Pcghost Programming 4 02-02-2004 12:10 PM


All times are GMT -5. The time now is 06:52 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration