PHP If statement to test if form fields are empty

Question

I am trying to verify 2 things

1. That the form used to call the script to insert a record into the database was executed by a real user pressing the submit button,opposed to bot or SQL injection threat.

2. To verify that all fields contain data so as to prevent the entry of a row of empty data.

The statement I have now is:

if (!$_POST['submit']) {    
   die('Error: ' . mysqli_error());
   echo "Please complete all form fields!";
   echo "<meta http-equiv='Refresh' content='3; URL=../add.php'>";
}

This if statement is suppose to do both but I am not sure if this is the best way to do it and I do not see that it is checking / preventing against empty fields. The form has a submit button with the name="submit".

Any thoughts or suggestions is appreciated.

Answer 1

This is the full script, sorry I did not post in the original post:

<?php
//Form fields passed to variables
$manu = mysql_real_escape_string($_POST['inputManu']);
$model = mysql_real_escape_string($_POST['inputModel']);
$desc = mysql_real_escape_string($_POST['inputDesc']);

//Connect to database using $conn
include ('connection.php');

$sql = "INSERT INTO gear (`id`,`manu`,`model`,`desc`)
    VALUES (NULL,'$manu','$model','$desc')";

//Check for empty fields
if (!$_POST['submit']) 
{   
   die('Error: ' . mysqli_error());
   echo "Please complete all form fields!";
   echo "<meta http-equiv='Refresh' content='3; URL=../add.php'>";
}
//Insert record into table 
elseif (!mysqli_query($conn,$sql))
{
die('Error: ' . mysqli_error($conn));
}
else 
{
//echo "1 record added";
echo "Success, You added the ".$manu." ".$model."";
echo "<meta http-equiv='Refresh' content='3; URL=../index.php'>";
}           
mysqli_close($conn);
?>

Answer 2

Step 1: Client Side Validation

You will need to do a little more than this to ensure fields are not empty. I would suggest starting with client-side validation using JavaScript. There area number of scripts and tutorials out there for this, I would recommend either of these two:

• https://github.com/posabsolute/jQuery-Validation-Engine
• http://jqueryvalidation.org/

This will help ensure that if a user submits the form that they will be forced to fill in all form fields before the data will be sent to the server.

Step 2: Server Side Validation

If you are trying to accomplish a blanket check of form values within a form I'd do something like this:

 $form_fields = array('email','fname','lname');
 $isValid = true;
 foreach($_POST as $key=>$value){
      if(in_array($key,$form_fields)){
           if(empty($value) { 
                $isValid = false;
           }
      }
 }
 if(!isValid) {
      header("Location: /add.php?error=1");
      die();
 }

With this approach you're defining all of the field names you care about at the top of the script and just running through the $_POST object to see if there is data/value assigned. This does not, of course, take into account any validation on the type of data coming in through and I would recommend considering doing this so that you're not getting bad data. If you need to check for improperly formatted data then you will have to check each form input individually.

Step 3: Prepared SQL Statements

The last recommendation to protect against SQL injections would be to use prepared SQL statements when inserting data into the database. Or to consider an ORM that does this for you. For this I would recommend:

• http://redbeanphp.com/
• http://www.doctrine-project.org/

Optional Step: PHP Nonce

If you're worried that someone will submit SPAM through the page that processes your form, one thing you can do is implement a nonce. This cryptographic key will ensure that a form can only be submitted once, and any other submissions will be rejected. Again, I'm not sure how secure you want to be with your project but this is also something to consider.

This is a pretty good library for nonces in PHP:

• http://fullthrottledevelopment.com/php-nonce-library

Answer 3

One technique in bot detection is to use a honeypot field such as this

<input type="text" name="check" value="" style="display:none;" />

and then to detect a bot

if (!empty($_POST['check'])) { /* bot detected! */ }

The reason this works reasonably well is because bots are dumb. They will try to fill out all of the proper fields that may be relevant to a successful submission so they can avoid problems with required fields. It is important to note that type="text" was used instead of type="hidden" because most bots would know that hidden fields aren't part of required field validation.

Checking against $_POST['submit'] will often not work because many bots would emulate the web-page.

Answer 4

You should do it like this:

if(isset($_POST['submit'])) {
    foreach($_POST as $val) {
        if(trim($val) == '' || empty($val)) {
            //empty field, do something
            ...
            header("Location: /add.php?error=empty_fields");
            die();
        }
    }
    //all seems to be ok
    ...
}

To prevent SQL injection, use PDO and you'll forget about it.

Answer 5

1. You can't be sure it's not a bot. And you can avoid SQL injection with good easy coding practices, but your code fragment is too small to show any of these, if you are using them or not.
2. Add the check client-side too (using Javascript); if you receive empty values, then likely the form was submitted in some other way than a common browser — but there could be other reasons, e.g. Javascript disabled, so you can't be sure.

You can check for the User-Agent too, but remember that they can be faked. And that bot can add a correct Submit field as well!

Answer 6

You have to check every field one by one to be sure that's every fields has been filled. The $_POST['submit'] entry exists if you click on the submit button actually.

if (!$_POST['name'] || empty($_POST['name'])
    || !$_POST['email'] || empty($_POST['email'])
    || ...) {    
    echo "Please complete all form fields!";
    echo "<meta http-equiv='Refresh' content='3; URL=../add.php'>";
}

A lot of methods exists to refactor and improve the writing of this kind of verification. An example, from W3Schools:

<?php
// define variables and set to empty values
$name = $email = $gender = $comment = $website = "";

if ($_SERVER["REQUEST_METHOD"] == "POST")
{
  // Sanitize every var from SQL injection, XSS and strip spaces...
  $name = test_input($_POST["name"]);
  $email = test_input($_POST["email"]);
  $website = test_input($_POST["website"]);
  $comment = test_input($_POST["comment"]);
  $gender = test_input($_POST["gender"]);

 if(empty($name) || empty($email) || empty($website) || empty($comment) || empty($gender)) {
    echo "Please complete all form fields!";
    echo "<meta http-equiv='Refresh' content='3; URL=../add.php'>";
 }
}


function test_input($data)
{
  $data = trim($data);
  $data = htmlspecialchars(addslashes($data));
  return $data;
}
?>