xhinvis

Reputation: 211

validation for form php mysql

I have a form that users can submit their information and comment to the website. However, I am having a problem validating my form. For example, I can submit an empty form and add numbers in my name. By right it should be wrong and echo out the message. However, I can still submit it and my validation code is not working for the form. My code is below:

<?php
error_reporting(~E_NOTICE); // avoid notice

require_once 'dbconfig.php';


if (isset($_POST['submitted'])) {
    $firstname = $_POST['firstname']; // first name
    $lastname  = $_POST['lastname'];  // last name
    $phone     = $_POST['phone'];     // phone number
    $enquiry   = $_POST['comment'];   // enquiry text from the textarea


// Initialize error array.
    $errors = array();
    // Check for a proper First name
    if (!empty($_POST['firstname'])) {
        $firstname = $_POST['firstname'];
        $pattern = "/^[a-zA-Z0-9\_]{2,20}/"; // This is a regular expression that checks if the name is valid characters
        if (preg_match($pattern, $firstname)) {
            $firstname = $_POST['firstname'];
        } else {
            $errors[] = 'Your Name can only contain _, 0-9, A-Z or a-z and be 2-20 characters long.';
        }
    } else {
        $errors[] = 'You forgot to enter your First Name.';
    }

    // Check for a proper Last name
    if (!empty($_POST['lastname'])) {
        $lastname = $_POST['lastname'];
        $pattern = "/^[a-zA-Z0-9\_]{2,20}/"; // This is a regular expression that checks if the name is valid characters
        if (preg_match($pattern, $lastname)) {
            $lastname = $_POST['lastname'];
        } else {
            $errors[] = 'Your Name can only contain _, 0-9, A-Z or a-z and be 2-20 characters long.';
        }
    } else {
        $errors[] = 'You forgot to enter your Last Name.';
    }

    //Check for a valid phone number
    if (!empty($_POST['phone'])) {
        $phone = $_POST['phone'];
        $pattern = "/^[0-9\_]{7,20}/";
        if (preg_match($pattern, $phone)) {
            $phone = $_POST['phone'];
        } else {
            $errors[] = 'Your Phone number can only be numbers.';
        }
    } else {
        $errors[] = 'You forgot to enter your Phone number.';
    }
    if (!empty($_POST["comment"])) {
        $comment = $_POST['comment'];
    } else {
        $errors[] = 'You forgot to enter your enquiry information.';
    }
    // if no error occured, continue ....
    if (!isset($errMSG)) {
        $stmt = $DB_con->prepare('INSERT INTO user_message(firstname,lastname,phone,enquiry) VALUES(:fstname, :lastname, :phone, :enq)');
        $stmt->bindParam(':fstname', $firstname);
        $stmt->bindParam(':lastname', $lastname);
        $stmt->bindParam(':phone', $phone);
        $stmt->bindParam(':enq', $enquiry);


        if ($stmt->execute()) {
            $successMSG = "enquiry successfully submitted ...";
            header("refresh:5;contactus.php"); // redirects to contactus.php after 5 seconds.
        } else {
            $errMSG = "error while inserting....";
        }
    }
}
/////////////////////////////////////////////////////////////////////////////////////////

?>

<!DOCTYPE html>
<html>
    <head>
        <title>Boostrap 3 example</title>
        <meta charset="UTF-8">
        <meta name="viewport" content="width=device-width, initial-scale=1.0">

        <link rel="stylesheet" href="bootstrap3/css/bootstrap.min.css">
              <link href="../bootstrap/css/bootstrap.min.css" rel="stylesheet" type="text/css"/>

        <link href="css/maincss.css" rel="stylesheet" type="text/css"/>

    </head>

    <body>
        <div class="container">
            <?php
            if (isset($errMSG)) {
                ?>
                <div class="alert alert-danger">
                    <span class="glyphicon glyphicon-info-sign"></span> <strong><?php echo $errMSG; ?></strong>
                </div>
                <?php
            } else if (isset($successMSG)) {
                ?>
                <div class="alert alert-success">
                    <strong><span class="glyphicon glyphicon-info-sign"></span> <?php echo $successMSG; ?></strong>
                </div>
                <?php
            }
            ?>  
            <h2>Contact us</h2>
            <br/>
            <p>Fill out the form below.</p>
            <p>* required field.</p>
            <form method="post" enctype="multipart/form-data" class="form-horizontal">
                <table class="table table-bordered table-responsive">
                    <tr> 
                        <td><label >First Name*:</label></td>
                        <td><input name="firstname" type="text" value="" /></td>
                    </tr>
                    <tr> 
                        <td><label >Last Name: </label></td>
                        <td><input name="lastname" type="text" value="" /></td>
                    </tr>
                    <tr> 
                        <td><label >Phone Number: </label></td>
                        <td><input name="phone" type="text" value="" /></td>
                    </tr>
                    <tr> 
                        <td><label >Enquiry: </label></td>
                        <td><textarea name="comment" rows="5" cols="40"></textarea></td>
                    </tr>
                    <tr>
                        <td colspan="2">
                            <input name="" type="reset" value="Reset Form" /> 
                            <button type="submit" name="submitted" class="btn btn-default">Create</button><br/>

                        </td>
                    </tr>

                </table>
            </form>
        </div>
        <script src="js/jquery-1.12.3.js"></script>
        <script src="bootstrap3/js/bootstrap.js"></script>       
    </body>
</html>

This is my database design: [image]

Upvotes: 0

Views: 1204

Answers (1)

M. Eriksson

Reputation: 13645

Issue 1

You populate an array called $errors with the error-messages, but you then check $errMSG. That variable will never be set. Change to:

if (!$errors) {
    // your database code
}

That should stop it from inserting anything if any errors occur.

Issue 2

Your regex allows for any alpha character and/or numeric values and/or underscores as long as it is between 2 and 20 characters long, which means that: aaaaaaaaaaaa, 1111111, _______ all are considered valid names.

Validating names is tricky, since there are people with characters outside of a-z (foreign names) and double names with spaces, dashes, apostrophes etc. I recommend simply checking the length of the name, like:

if (strlen(trim($firstname)) >= 2 && strlen(trim($firstname)) <= 20) {
    // .... ok
} else {
    // .... error
}

Note: I wouldn't have 20 as the maximum length. Your DB columns are 100 in length, so allow for that, at least. Don't assume that everyone has usual names.

Issue 3

In the beginning, you populate $enquiry = $_POST['comment']. Later, you do: $comment = $_POST['comment'] and then use $enquiry in the database insert.

There are likely more things you could fix, but these are the ones that stand out and are the root of the issues in your question.

Upvotes: 1
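The three fixes from the answer, pulled together into one validation step, as an added example (not the asker's code and not the answerer's code). It assumes the same PDO connection `$DB_con` from `dbconfig.php` and the same `user_message` table that the question shows; the function names `validate_enquiry` and `store_enquiry` and the sample inputs at the bottom are made up for this example. Two details a practitioner should also notice in the posted code: the patterns in the question have no trailing `$` (so `/^[0-9\_]{7,20}/` also accepts `1234567abc`, because only the start of the string has to match), and `strlen` counts bytes, so a multibyte name would be measured wrongly; the example anchors the phone pattern at both ends and uses `mb_strlen` for the length rule.

```php
<?php
// Added example (not the original poster's or answerer's code): validation
// rewritten so the three issues in the answer are fixed in one place.
// $DB_con, dbconfig.php and the user_message table are taken from the
// question and are assumed, not verified here.

declare(strict_types=1);

/**
 * Validate the raw POST array and return [$clean, $errors].
 * $clean holds only trimmed values that passed; the caller must not touch
 * the database unless $errors is empty.
 */
function validate_enquiry(array $post): array
{
    $errors = [];
    $clean  = [];

    // Names: a length check only (Issue 2). mb_strlen counts characters,
    // not bytes, so accented or non-Latin names are measured correctly.
    // 100 matches the column width mentioned in the answer.
    foreach (['firstname' => 'First Name', 'lastname' => 'Last Name'] as $field => $label) {
        $value = trim((string)($post[$field] ?? ''));
        if ($value === '') {
            $errors[] = "You forgot to enter your $label.";
        } elseif (mb_strlen($value) < 2 || mb_strlen($value) > 100) {
            $errors[] = "$label must be between 2 and 100 characters long.";
        } else {
            $clean[$field] = $value;
        }
    }

    // Phone: digits only, anchored with ^ and $ so the whole string must match.
    $phone = trim((string)($post['phone'] ?? ''));
    if ($phone === '') {
        $errors[] = 'You forgot to enter your Phone number.';
    } elseif (!preg_match('/^[0-9]{7,20}$/', $phone)) {
        $errors[] = 'Your Phone number can only be 7 to 20 digits.';
    } else {
        $clean['phone'] = $phone;
    }

    // Enquiry: a single variable name from here on (Issue 3).
    $enquiry = trim((string)($post['comment'] ?? ''));
    if ($enquiry === '') {
        $errors[] = 'You forgot to enter your enquiry information.';
    } else {
        $clean['enquiry'] = $enquiry;
    }

    return [$clean, $errors];
}

/** Insert a validated record with bound parameters; returns true on success. */
function store_enquiry(PDO $db, array $clean): bool
{
    $stmt = $db->prepare(
        'INSERT INTO user_message (firstname, lastname, phone, enquiry)
         VALUES (:firstname, :lastname, :phone, :enquiry)'
    );
    // Bound parameters keep the user's text out of the SQL grammar.
    return $stmt->execute([
        ':firstname' => $clean['firstname'],
        ':lastname'  => $clean['lastname'],
        ':phone'     => $clean['phone'],
        ':enquiry'   => $clean['enquiry'],
    ]);
}

// Request handling (Issue 1): gate the insert on the errors array itself.
if (isset($_POST['submitted'])) {
    require_once 'dbconfig.php';          // provides $DB_con (assumed, from the question)
    [$clean, $errors] = validate_enquiry($_POST);
    if (!$errors) {
        if (store_enquiry($DB_con, $clean)) {
            $successMSG = 'Enquiry successfully submitted.';
        } else {
            $errors[] = 'Error while inserting.';
        }
    }
    // When rendering, escape every message: htmlspecialchars($msg, ENT_QUOTES, 'UTF-8')
}

// Constructed self-check (no database needed) when run from the command line:
// an empty form must produce four errors, a name with an apostrophe passes the
// length-only rule, and a phone number with trailing letters is rejected.
if (PHP_SAPI === 'cli') {
    [, $e] = validate_enquiry([]);
    assert(count($e) === 4);
    [$c, $e] = validate_enquiry(['firstname' => 'Ann', 'lastname' => "O'Brien",
                                 'phone' => '1234567', 'comment' => 'hi']);
    assert($e === [] && $c['lastname'] === "O'Brien");
    [, $e] = validate_enquiry(['firstname' => 'Ann', 'lastname' => 'Lee',
                               'phone' => '1234567abc', 'comment' => 'hi']);
    assert($e === ['Your Phone number can only be 7 to 20 digits.']);
    echo "validation checks passed\n";
}
```

Run it with `php validate.php` to exercise the self-check; in the web page, replace the block between `if (isset($_POST['submitted']))` and the closing `}` in the question with the request-handling part, and keep showing `$errors` (escaped) in the alert box instead of `$errMSG`.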
