Julie

Reputation: 263

Validate Input form in PHP

I'm trying to validate my form before inserting it into the database with this code, but it keeps printing 'You missed a value'. I would like your help to figure out the problem.

Thanks

<?php
 $username   = mysql_real_escape_string($_POST['username']);
 $pword      = mysql_real_escape_string($_POST['passwd']);
 $fname      = mysql_real_escape_string($_POST['firstname']);
 $lname      = mysql_real_escape_string($_POST['lastname']);
 $email      = mysql_real_escape_string($_POST['email']);
 $telephone  = mysql_real_escape_string($_POST['telephone']);
 $ad1        = mysql_real_escape_string($_POST['ad1']);
 $ad2        = mysql_real_escape_string($_POST['street']);
 $ad3        = mysql_real_escape_string($_POST['town']);
 $pcode      = mysql_real_escape_string($_POST['pcode']);


 if( $username == " " || $pword == " " || $fname == " " || $lname == " " || $email == " ")

    echo 'You missed a value';  
    exit();

    $con = mysql_connect("localhost","root","");
    if (!$con)
    {
      die('Could not connect: ' . mysql_error());
    }

  mysql_select_db("people", $con);

//$description = mysql_real_escape_string($_POST[description]);
    $pword = md5($pword);
    $sql="INSERT INTO members (username, pword, fname, lname, email, telephone, ad1, ad2, ad3, pcode)
VALUES
('$username','$pword','$fname', '$lname', '$email','$telephone','$ad1','$ad2','$ad3','$pcode')";


  if (!mysql_query($sql,$con)){
   die('Error: ' . mysql_error());
   }
   echo "1 record added";

 mysql_close($con)
?> 

Upvotes: 1

Views: 984

Answers (10)

Mohammed trbls

Reputation: 1

I think you should add this line after assigning your variables:

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    if ($username == " " || $pword == " " || $fname == " " || $lname == " " || $email == " ") {
        echo 'You missed a value';
        exit();
    }
}

//OTHER CODE

Upvotes: 0

feeela

Reputation: 29932

if( $username = " ") does not compare but assigns; use if( $username == " ") instead, which still checks whether the input is a single space character, which it probably isn't. To check if a variable has content or not, use if(empty($username)).

Also, it's maybe better for you to use array_map on the $_POST array to escape the values:

// keep the escaped copy; array_map() returns a new array and leaves $_POST untouched
$post = array_map(function($value) {
    return mysql_real_escape_string($value);
}, $_POST);

(If you're prior to PHP 5.3, you need to use a separate function declaration instead of an anonymous callback.)

Upvotes: 2

Shef

Reputation: 45589

if( $username == '' || $pword == '' || $fname == '' || $lname == '' || $email == '')

You are assigning an empty space to the variables by doing $var = "", instead of comparing with the comparison operators $var == '', or stricter $var === ''.


This would be a little bit cleaner code to follow and maintain:

function sqlEscape($string){
    return "'".mysql_real_escape_string($string)."'";
}

if(     $_POST['username']  == '' 
    ||  $_POST['passwd']    == ''
    ||  $_POST['firstname'] == '' 
    ||  $_POST['lastname']  == ''
    ||  $_POST['email']     == '')
{ 
    exit('You missed a value');
}

$con = mysql_connect('localhost', 'root', '');
if (!$con){
  die('Could not connect: ' . mysql_error());
}

mysql_select_db('people', $con);

//$description = mysql_real_escape_string($_POST[description]);
$pword = md5($_POST['passwd']);
$sql = sprintf('INSERT INTO members (username, pword, fname, lname, email, telephone, ad1, ad2, ad3, pcode) 
                VALUES(%s, %s, %s, %s, %s, %s, %s, %s, %s, %s)', 
                sqlEscape($_POST['username']),
                sqlEscape($pword),
                sqlEscape($_POST['firstname']),
                sqlEscape($_POST['lastname']),
                sqlEscape($_POST['email']),
                sqlEscape($_POST['telephone']),
                sqlEscape($_POST['ad1']),
                sqlEscape($_POST['street']),
                sqlEscape($_POST['town']),
                sqlEscape($_POST['pcode']));

if (!mysql_query($sql,$con)){
    die('Error: ' . mysql_error());
}

echo '1 record added';

mysql_close($con);

I added in a function (sqlEscape) to run all the mysql_real_escape_string, just to make the escapes a piece of cake. Notice that I am calling this function after the MySQL connection has been established, because mysql_real_escape_string will NOT work without a connection.

Upvotes: 3
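The same flow written the way a current PHP application would do it, as an added example that is not Shef's code or the asker's: required fields are checked on the raw $_POST values (trimmed, so whitespace-only input is rejected), the e-mail address is checked with filter_var, the password is stored with password_hash instead of md5, and the INSERT uses PDO bound parameters, so no mysql_real_escape_string step is needed at all. Table and column names come from the question; the PDO DSN, the app_user/APP_PASSWORD credentials and the 8-character password minimum are assumptions, and password_hash needs PHP 5.5 or later.

```php
<?php
// Added example, not code from the question or any answer. Assumes PDO with the
// MySQL driver and PHP >= 5.5 (for password_hash). DSN and credentials are placeholders.

/**
 * Return a list of error messages; an empty list means the input is valid.
 * Validation runs on the raw input, never on escaped copies.
 */
function validateMember(array $input)
{
    $required = array('username', 'passwd', 'firstname', 'lastname', 'email');
    $errors = array();

    foreach ($required as $field) {
        // isset() covers a missing key; trim() turns "   " into "" so that
        // whitespace-only values are rejected as well as empty ones.
        if (!isset($input[$field]) || trim($input[$field]) === '') {
            $errors[] = "Missing value for $field";
        }
    }

    if (isset($input['email']) && trim($input['email']) !== ''
        && filter_var($input['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Email address is not valid';
    }

    // Minimum length is an assumed policy value, not something from the question.
    if (isset($input['passwd']) && strlen($input['passwd']) < 8) {
        $errors[] = 'Password must be at least 8 characters';
    }

    return $errors;
}

/**
 * Insert the member with bound parameters. Optional address fields default to ''.
 * Column names are the ones used in the question's INSERT.
 */
function insertMember(PDO $db, array $input)
{
    $sql = 'INSERT INTO members (username, pword, fname, lname, email, telephone, ad1, ad2, ad3, pcode)
            VALUES (:username, :pword, :fname, :lname, :email, :telephone, :ad1, :ad2, :ad3, :pcode)';
    $stmt = $db->prepare($sql);
    $stmt->execute(array(
        ':username'  => $input['username'],
        ':pword'     => password_hash($input['passwd'], PASSWORD_DEFAULT),
        ':fname'     => $input['firstname'],
        ':lname'     => $input['lastname'],
        ':email'     => $input['email'],
        ':telephone' => isset($input['telephone']) ? $input['telephone'] : '',
        ':ad1'       => isset($input['ad1']) ? $input['ad1'] : '',
        ':ad2'       => isset($input['street']) ? $input['street'] : '',
        ':ad3'       => isset($input['town']) ? $input['town'] : '',
        ':pcode'     => isset($input['pcode']) ? $input['pcode'] : '',
    ));
    return $stmt->rowCount();
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = validateMember($_POST);
    if ($errors) {
        // The messages contain no user input, but escaping output is the safe habit.
        foreach ($errors as $e) {
            echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), "<br />\n";
        }
        exit;
    }

    // Placeholder DSN and credentials: use a dedicated low-privilege DB user, not root.
    $db = new PDO('mysql:host=localhost;dbname=people;charset=utf8mb4', 'app_user', 'APP_PASSWORD');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

    echo insertMember($db, $_POST), " record added";
}
```

Because the values are bound rather than spliced into the SQL string, the ordering problem Shef mentions (escaping before the connection exists) cannot arise, and a stray quote in a surname is stored as data instead of changing the statement.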

N.B.

Reputation: 14060

= is the assignment operator. It gives a value. == is the comparison operator. It compares the 2 things. === is also a comparison operator, but it compares whether the values and the variable types are the same. You need to remember that.

Also, you can also make your code clearer like this (it's just an example, don't copy paste it because it can be improved and it's not exactly safe):

$columns = array();
$values  = array();
$errors  = array();

foreach ($_POST as $key => $value)
{
    $columns[] = $key;
    $value = mysql_real_escape_string($value);
    $values[] = "'" . $value . "'";

    if (empty($value))
    {
        $errors[] = 'POST with key ' . $key . ' was not filled in';
    }
}

if (empty($errors))
{
    // table name taken from the question
    $query = "INSERT INTO members (" . implode(',', $columns) . ") VALUES (" . implode(',', $values) . ")";
}
else
{
    echo implode('<br />', $errors);
}

While learning how to program, if you find yourself copy-pasting certain code, you then know it's something you can code more intelligently.

Upvotes: 1
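N.B. flags the loop as "not exactly safe": taking column names from the keys of $_POST lets whoever submits the form decide which columns the INSERT touches. The added example below (not N.B.'s code or the asker's) keeps the loop-driven construction but drives it from a fixed form-field-to-column map, so unknown keys are ignored, required fields are checked on the trimmed raw value, and the values go in through positional placeholders instead of being quoted into the query text. Column names are from the question; the map, the required list, the PDO DSN and the app_user/APP_PASSWORD credentials are assumptions. The password field is left out of the map because it must be hashed rather than inserted directly.

```php
<?php
// Added example, not from the question or any answer. Assumes PDO with the MySQL
// driver; DSN and credentials are placeholders.

// Form field name => database column. Only these fields ever reach the query;
// any other key the client sends in $_POST is ignored. Column names follow the question.
$fieldMap = array(
    'username'  => 'username',
    'firstname' => 'fname',
    'lastname'  => 'lname',
    'email'     => 'email',
    'telephone' => 'telephone',
    'ad1'       => 'ad1',
    'street'    => 'ad2',
    'town'      => 'ad3',
    'pcode'     => 'pcode',
);
// Which form fields may not be empty (assumed policy).
$required = array('username', 'firstname', 'lastname', 'email');

/**
 * Build an INSERT for $table from the whitelist in $fieldMap.
 * Returns array($sql, $params, $errors); $sql contains only placeholders,
 * so no submitted value is ever part of the statement text.
 */
function buildInsert($table, array $fieldMap, array $required, array $input)
{
    $columns = array();
    $params  = array();
    $errors  = array();

    foreach ($fieldMap as $field => $column) {
        // trim() so that a whitespace-only submission counts as empty.
        $value = isset($input[$field]) ? trim($input[$field]) : '';
        if ($value === '' && in_array($field, $required, true)) {
            $errors[] = "Field $field was not filled in";
        }
        $columns[] = '`' . $column . '`';   // column names come from our map, not the client
        $params[]  = $value;
    }

    $placeholders = implode(', ', array_fill(0, count($columns), '?'));
    $sql = "INSERT INTO `$table` (" . implode(', ', $columns) . ") VALUES ($placeholders)";

    return array($sql, $params, $errors);
}

list($sql, $params, $errors) = buildInsert('members', $fieldMap, $required, $_POST);

if ($errors) {
    echo implode('<br />', $errors);
    exit;
}

// Placeholder DSN and credentials; use a low-privilege application user.
$db = new PDO('mysql:host=localhost;dbname=people;charset=utf8mb4', 'app_user', 'APP_PASSWORD');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$stmt = $db->prepare($sql);
$stmt->execute($params);
echo "1 record added";
```

With this shape an extra key such as is_admin=1 in the POST body is simply dropped on the floor, whereas the original loop would have turned it into a column in the INSERT.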

user863562

Reputation:

Yep, the sign "=" is to set a variable; the comparison sign is "==" or "===" in PHP.

By the way, to minimize your code you can use "array_map" to apply the "mysql_real_escape_string" function to your POST array:

$post = array_map("mysql_real_escape_string", $_POST);

Upvotes: 1

Gowri

Reputation: 16835

Check your if condition: use == instead of =.

Wrong:

if( $username = " " || $pword = " " || $fname = " " || $lname = " " || $email = " ")

Upvotes: 3

Hugo Cantacuzene

Reputation: 85

if( $username == " " || $pword == " " || $fname == " " || $lname == " " || $email == " ")
{
 echo 'You missed a value';  
 exit();
}

Upvotes: 0

ghostJago

Reputation: 3434

Take out the spaces in this line, and you need double equals:

if( $username = " " || $pword = " " || $fname = " " || $lname = " " || $email = " ") 

change to

if( $username == "" || $pword == "" || $fname == "" || $lname == "" || $email == "") 

Upvotes: 2

Daniel A. White

Reputation: 190907

You should validate off the raw POST values, not the mysql_real_escape_string ones. Also you are comparing to (space) not empty string and assigning them not comparing them.

Upvotes: 4

Iznogood

Reputation: 12843

Use == instead of = in your if's.

if( $username == " " || $pword == " " || $fname == " " || $lname == " " || $email == " ")

Upvotes: 2
