LinuxQuestions.org > Programming > Form validation problem (PHP+MySQL)
(https://www.linuxquestions.org/questions/programming-9/form-validation-problem-php-mysql-90132/)

linuxfond 09-07-2003 07:03 AM

Form validation problem (PHP+MySQL)
 
Hello,

I try to validate a form, before the data is inserted into the database.

The problem is that once the page is called via http, it inserts NULL data into the database.

The top of the page contains the JavaScript validation script, as follows:

<script language="JavaScript" type="text/javascript">
<!--
function checkform ( form )
{
    if (form.user.value == "") {
        alert( "Please enter your username." );
        form.user.focus();
        return false ;
    }
    if (form.email.value == "") {
        alert( "Please enter your email address." );
        form.email.focus();
        return false ;
    }
    if (form.PASSWORD.value == "") {
        alert( "Please enter your PASSWORD." );
        form.PASSWORD.focus();
        return false ;
    }
    return true ;
}
//-->
</script>

This script works if I try to re-submit an empty form, but it doesn't work when the page is loaded into the browser.

The PHP follows just below the JavaScript:
<?php
print "<form action=$PHP_SELF method='post' onsubmit=\"return checkform(this);\">";
print "Select your username <input type=text name=user><br>";
print "Enter your correct email <input type=text name=email><br>";
print "Choose your password <input type=text name=PASSWORD><br>";
print "<input type=hidden name=userlevel value=1><br>";

//create arrays:
$Array["user"] = trim ($user);
$Array["email"] = trim ($email);
$Array["PASSWORD"] = trim ($PASSWORD);

//connect to the database:
if (!($Link = @mysql_connect($Host, $Username, $adminPassword)))
    die("Could not connect");

//execute the query:
$Query = "INSERT into $TableName values ('0','$Array[user]','$Array[email]','$Array[PASSWORD]','1')";

if (mysql_db_query ($DBName, $Query, $Link)) {
    print ("Your user account was successfully created!<br>\n");
} else {
    print ("There was an error<br>\n");
}
print "<input type=submit name=submit value=\"Submit!\"></form>";
mysql_close ($Link);
?>

I don't know how to prevent connection to MySQL and insertion of empty data. Can anyone tell where I am wrong? Thanks!

P.S. Another problem here is that the PASSWORD is not encrypted.

lackluster 09-07-2003 11:03 AM

I think you need to discover what happens when. Slow down a bit, you're moving too fast for yourself. First answer this: what happens when you type in a URL or click a link? You must first understand the basic principles of the internet. At least understand this:

JAVASCRIPT HAPPENS ON THE CLIENT
PHP HAPPENS ON THE SERVER

linuxfond 09-07-2003 11:18 AM

I use client side to speed up validation and minimize server load. The problem is that the SQL is executed when the page is loaded into the browser even before a user can see the form.

Should I use server side validation?

jiml8 09-07-2003 07:28 PM

You obviously haven't provided a complete page.
Build your client side page in HTML, and invoke a PHP script from the form, something like this:

<html>
<head>
<title>MyPage</title>
<style>
A:Link {color:#000000;text-decoration:none;}
A:Visited {color:#000000;text-decoration:none;}
A:Hover {color:#F70404;}
</style>
</head>

<BODY>
<form action=myphp.php method='post' onsubmit="return checkform(this)">
<SCRIPT language="JavaScript"><!--
function checkform ( form )
{
    if (form.user.value == "") {
        alert( "Please enter your username." );
        form.user.focus();
        return false ;
    }
    if (form.email.value == "") {
        alert( "Please enter your email address." );
        form.email.focus();
        return false ;
    }
    if (form.PASSWORD.value == "") {
        alert( "Please enter your PASSWORD." );
        form.PASSWORD.focus();
        return false ;
    }
    return true ;
}
//-->
</script>

Select your username <input type=text name=user><br>
Enter your correct email <input type=text name=email><br>
Choose your password <input type=text name=PASSWORD><br>
<input type=hidden name=userlevel value=1><br>
</form></body></html>

You probably should put the entry data into a table to make it neat.

Then, construct this php file (a separate file which I have called myphp.php) which is invoked from the submit button on your form.

<?php
//create arrays:
$Array["user"] = trim ($user);
$Array["email"] = trim ($email);
$Array["PASSWORD"] = trim ($PASSWORD);

//connect to the database:
if (!($Link = @mysql_connect($Host, $Username, $adminPassword)))
    die("Could not connect");

//execute the query:
$Query = "INSERT into $TableName values ('0','$Array[user]','$Array[email]','$Array[PASSWORD]','1')";

if (mysql_db_query ($DBName, $Query, $Link)) {
    print ("Your user account was successfully created!<br>\n");
} else {
    print ("There was an error<br>\n");
}
print "<input type=submit name=submit value=\"Submit!\"></form>";
mysql_close ($Link);
?>

You will have to clean up the syntax and define the arrays, but this will do what you want.

jiml8 09-07-2003 07:30 PM

Now that I look that over after posting it, I see that it needs a submit button to make it happen.

linuxfond 09-08-2003 02:15 AM

Thanks. Indeed, I split the files in two separate files and the problem is solved.
:D

Andy@DP 09-08-2003 03:54 AM

Did anyone else notice the blindingly obvious problem with the original script?
There was no check to see if the form had been resubmitted before doing the database connection. There is no need to separate the two into separate files if there is a check, say for the submit button being clicked.

linuxfond 09-08-2003 04:23 AM

You have the point, Andy, but I don't know how to make that final check. Do you know the HowTo?

Andy@DP 09-08-2003 04:44 AM

Here is the code from your original post. My alterations are in red so you can see the changes.

<script language="JavaScript" type="text/javascript">
<!--
function checkform ( form )
{
    if (form.user.value == "") {
        alert( "Please enter your username." );
        form.user.focus();
        return false ;
    }
    if (form.email.value == "") {
        alert( "Please enter your email address." );
        form.email.focus();
        return false ;
    }
    if (form.PASSWORD.value == "") {
        alert( "Please enter your PASSWORD." );
        form.PASSWORD.focus();
        return false ;
    }
    return true ;
}
//-->
</script>

<?php
print "<form action=$PHP_SELF method='post' onsubmit=\"return checkform(this);\">";
print "Select your username <input type=text name=user><br>";
print "Enter your correct email <input type=text name=email><br>";
print "Choose your password <input type=text name=PASSWORD><br>";
print "<input type=submit name=submit_form value=submit><br>";
print "<input type=hidden name=userlevel value=1><br>";
print "</form>";

if (isset ($submit_form))
{
    //create arrays:
    $Array["user"] = trim ($user);
    $Array["email"] = trim ($email);
    $Array["PASSWORD"] = trim ($PASSWORD);

    //connect to the database:
    if (!($Link = @mysql_connect($Host, $Username, $adminPassword)))
        die("Could not connect");

    //execute the query:
    $Query = "INSERT into $TableName values ('0','$Array[user]','$Array[email]','$Array[PASSWORD]','1')";

    if (mysql_db_query ($DBName, $Query, $Link)) {
        print ("Your user account was successfully created!<br>\n");
    } else {
        print ("There was an error<br>\n");
    }

    mysql_close ($Link);
}
?>

The simple addition of the isset method will check if there is a variable called submit_form (the name of the button) set and if so it assumes the form has been filled in and does the database part.

I mean no offence when I say this, but if you don't know how to do this may I suggest getting a good PHP tutorial book like SAMS PHP in 24hrs; this covers forms and other useful PHP methods. I taught myself the basics using this book.

linuxfond 09-08-2003 07:24 AM

Andy@DP, thanks a lot for your lesson.
I do have a few good books. The problem is not lack of information, but management of information :study:
Thank you very much!

N.B. Note to the (inexperienced) coders who might copy and reuse this code:
THIS CODE IS NOT SECURE!!! If you put it on the Web, you will have to add a few security bells ;)

Andy@DP 09-08-2003 08:27 AM

Another note to the inexperienced...

Testing for the submit button like that is quite sloppy... I would suggest testing for several things and validating data beforehand. This was only a short lesson on self-submitting PHP pages, NOT a definitive solution. As linuxfond said, this is not secure and open to abuse.

Edit: OK, I'm going to add code examples to explain. The $submit_form variable is created by the submission of the form. It relates to the submit button.
The script has NO way of knowing if it was POST or GET.
Any person can add ?submit_form=foo to the end of the URL and hey presto, the isset ($submit_form) now returns true, and you end up with a totally false submission.
You should check first if each entry is filled in again with PHP and that the data came to the script the correct way (using the $HTTP_POST_VARS[] array for example). Also you should check WHERE the request came from to make sure someone has not knocked up a little script of their own. Make sure the referer is the script itself and not a remote script...
There are lots of security articles for PHP. Read them for a better understanding. This is only a TASTER of things that can go wrong.

linuxfond 09-08-2003 09:32 AM

I totally agree that the script is very welcoming for hackers, but the form does have a method:
method='post'
Is that not enough to tell whether it is GET or POST?

Andy@DP 09-08-2003 10:45 AM

No that is not the correct bit I'm talking about.

The method only tells the browser how to send the information. GET is in the URL and POST in the HTTP headers. Using PHP variables like $submit_form which are created by GET/POST does not distinguish between the two, and that's why I suggested using $HTTP_POST_VARS and $HTTP_GET_VARS. At least that way you are sure which way the data arrived at the script!
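As an added example, not code from any of the posts above, here is a version of Andy@DP's self-submitting page that applies the checks his follow-ups describe (validate every field on the server, accept only data that arrived by POST, and do not rely on the submit button alone) and also addresses linuxfond's P.S. about the password being stored unencrypted. It assumes the thread's checkform() script is placed above it, a `users` table with columns (id, user, email, password_hash, userlevel), placeholder database credentials, and a PHP version with register_globals off, where $_POST and $_SERVER['REQUEST_METHOD'] are the current names for what the post calls $HTTP_POST_VARS and the request method.

```php
<?php
// Added example (not from the thread): self-submitting registration page.
// Assumed, not from the thread: a `users` table with columns
// (id, user, email, password_hash, userlevel) and the placeholder credentials below.
declare(strict_types=1);

session_start();                                            // for the anti-forgery token
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);  // throw on any DB error

const DB_HOST = 'localhost';   // placeholder
const DB_USER = 'app_user';    // placeholder
const DB_PASS = 'CHANGE_ME';   // placeholder
const DB_NAME = 'app_db';      // placeholder

/** Server-side validation; returns a list of error messages (empty means valid). */
function validate(string $user, string $email, string $pass): array
{
    $errors = [];
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $user)) {
        $errors[] = 'Username must be 3-32 letters, digits or underscores.';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Please enter a valid email address.';
    }
    if (strlen($pass) < 8) {
        $errors[] = 'Password must be at least 8 characters.';
    }
    return $errors;
}

/** Inserts the account with a prepared statement and a hashed password. */
function create_user(mysqli $db, string $user, string $email, string $pass): bool
{
    // userlevel is a fixed literal: a hidden form field is client-controlled,
    // so it must never decide the privilege level.
    $stmt = $db->prepare(
        'INSERT INTO users (user, email, password_hash, userlevel) VALUES (?, ?, ?, 1)'
    );
    $hash = password_hash($pass, PASSWORD_DEFAULT);   // never store the clear text
    $stmt->bind_param('sss', $user, $email, $hash);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// One random token per session; the form must echo it back, which a request
// built elsewhere cannot do. This stands in for the Referer check suggested in
// the thread: that header is client-controlled and often absent.
if (!isset($_SESSION['form_token'])) {
    $_SESSION['form_token'] = bin2hex(random_bytes(32));
}

$messages = [];

// Act only on a genuine POST. $_POST is filled from the request body alone, so
// "?submit_form=foo" appended to the URL lands in $_GET and is ignored here.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['submit_form'])) {
    $token = (string) ($_POST['form_token'] ?? '');
    $user  = trim((string) ($_POST['user'] ?? ''));
    $email = trim((string) ($_POST['email'] ?? ''));
    $pass  = (string) ($_POST['PASSWORD'] ?? '');

    if (!hash_equals($_SESSION['form_token'], $token)) {
        $messages[] = 'Invalid form submission.';
    } else {
        $messages = validate($user, $email, $pass);   // runs even if JavaScript was bypassed
    }
    if ($messages === []) {
        try {
            $db = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
            $ok = create_user($db, $user, $email, $pass);
            $db->close();
            $messages[] = $ok ? 'Your user account was successfully created!' : 'There was an error.';
        } catch (mysqli_sql_exception $e) {
            // Log the real error for the operator; show the user only a generic message.
            error_log('registration failed: ' . $e->getMessage());
            $messages[] = 'There was an error.';
        }
    }
}

// Escape everything echoed into HTML, including PHP_SELF, which reflects the request path.
$self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
foreach ($messages as $m) {
    echo '<p>' . htmlspecialchars($m, ENT_QUOTES, 'UTF-8') . "</p>\n";
}
?>
<form action="<?= $self ?>" method="post" onsubmit="return checkform(this);">
<input type="hidden" name="form_token" value="<?= htmlspecialchars($_SESSION['form_token'], ENT_QUOTES, 'UTF-8') ?>">
Select your username <input type="text" name="user"><br>
Enter your correct email <input type="text" name="email"><br>
Choose your password <input type="password" name="PASSWORD"><br>
<input type="submit" name="submit_form" value="Submit!">
</form>
```

The client-side checkform() from the thread is still useful for fast feedback, but every decision that matters (whether to touch the database, what to insert, which privilege level to assign) is made on the server from $_POST, after the method and token checks. The password field is given type="password" so it is not echoed on screen, and only password_hash() output ever reaches the table.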

linuxfond 09-08-2003 12:11 PM

Oh, I see. I thought you talked about this kind of string, but I wasn't sure. OK, I am going back to my books :) Thank you.
