setting up error messages

[squigs]

Hello,

I've been working on a search script that call on a function to retrieve info from my database. What I'm trying to do next is to echo various errors e.g. No search results to display. At the moment I have three messages I would like to display based on the user input but it is not working when I try to set up a second functions within the same tags.

 

I have got it working by using header:location but it would be much faster and easier to just echo the messages on one page I will post the code below.

<?php require_once('Connections/price_db.php'); ?>
<?php  
if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
{
if (PHP_VERSION < 6) {
    $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
    }
$theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);
//this is the function I would like to add  
function showErrors($error1 = "", $error2 = "", $error3 = ""){
$var = $_GET['search'] ;
$error = false;
$error1 = "";
$error2 = "";
$error3 = "";
if (strlen ($var) < 3){
     $error = true;
 $error1 = "You Must Enter At Least Three Characters To Search";
}
  if (strlen ($var) == 0)
  {
     $error = true;
 $error2 = "Please Enter a Search";
  }  
  if ($totalRows_Recordset1 == 0){
      $error = true;
  $error3 = "Your Search Returned No Results";
  }
  if ($error){ 
     showErrors($error1,$error2,error3);
}
//above is where I have come into troubles
   switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;    
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}
}}
$colname_Recordset1 = "-1";
if (isset($_GET ['search'])) {
  $colname_Recordset1 = $_GET['search'];
}
mysql_select_db($database_price_db, $price_db);
$query_Recordset1 = sprintf("SELECT * FROM price_db WHERE tb_name LIKE %s OR tb_desc LIKE %s", GetSQLValueString("%" . $colname_Recordset1 . "%", "text"),GetSQLValueString("%" . $colname_Recordset1 . "%", "text"));
$Recordset1 = mysql_query($query_Recordset1, $price_db) or die(mysql_error());
$row_Recordset1 = mysql_fetch_assoc($Recordset1);
$totalRows_Recordset1 = mysql_num_rows($Recordset1);

?>

 

and this is the html for it

 

<div class="bold_14">
<?php echo $error1 ?>
    <?php echo $error2 ?>
    <?php echo $error3 ?>
  </div>

 

[Minimeallolla]

just simply do your if statement and if it is not = true then do or die eg.

//This makes sure they did not leave any fields blank
if (!$_POST['username'] | !$_POST['email'] | !$_POST['pass'] | !$_POST['pass2'] ) {
		die('You did not complete all of the required fields! <a href="/register.php">Please try again.</a>');
	}

[Minimeallolla]

let me know if you still have any problems or dont understand it.

[squigs]

I don't know how to implement that properly with this script. The main function of retrieving info from my DB comes before the head of my page, the area I want an error message to show is written in the html content so I would have to kill the process before the results can be displayed and post my message down in my div tags.

 

Any suggestions on how to accomplish this?

[Minimeallolla]

you shouldn't call on functions to echo an error message. use "or die (enter your error message here);"

just associate it with an "if" statement.

if you do that then you wont have to worry about the location of the error etc. ill take a look at your code again and see what i can do.

[Minimeallolla]

lol i dont understand your code =[ i use a different style.

what is it that you are trying to do overall? whats your whole code meant to do?

[squigs]

It is a database search displaying results on my page.

 

Your way of killing the retrieval of info works but I need to figure out how to display my message in my main page rather then on a blank page.

 

is there any way of echoing the die message to a specific location on the page?

 

I am going to continue to play around.

[Minimeallolla]

well i kind of had the idea to make it look like the page lol

	//gives error if the password is wrong
         if ($_POST['pass'] != $info['password'])
            die('
            <body background="homebackground.jpg"><center><p><br><p><b>
            Invalid password, <a href="login.php"><b>click here to try again.</b></b></a>
            ');

my error codes are under this

if (isset($_POST['submit']))
{ // if form has been submitted

so the html remains. its kind of hard to explain lol >.<

[Minimeallolla]

i hope i helped abit, but im afraid i have to go. good luck with your code

[Pikachu2000]

Using die() to alert a user to errors is a piss-poor way of handling it. You should present the form again with all of the errors listed, to allow the user to make corrections and re-submit the form.

 

Here's an example using an array to store errors, with a form that has "sticky" fields. Look it over, read the comments in the code, and see if it makes sense to you.

<?php
if( $_POST['submitted'] == 'yes' ) { //check for hidden field value to indicate form has been submitted
   $errors = array(); // initialize an array to hold validation errors
   array_map('trim', $_POST); // trim all $_POST array values

   if( !empty($_POST['name']) ) { // validate the name field
      if( !ctype_alpha($_POST['name']) ) {
         $errors[] = 'Name must be alphabetic characters only.'; // if name has non alpha chars, store error
      }
      if( strlen($_POST['name']) < 3 || strlen($_POST['name'] > 20) ) {
         $errors[] = 'Name must be from 3 to 20 characters.'; // if name has too many/few chars, store error
      }
   } else {
      $errors[] = 'Name is a required field.'; // if name is empty, store error
   }

   if( !empty($_POST['number']) ) { // same validations as in name, above.
      if( !ctype_digit($_POST['number']) ) {
         $errors[] = 'Number must be numeric.';
      }
      if( strlen($_POST['number']) < 5 || strlen($_POST['number'] > 20) ) {
         $errors[] = 'Number must be from 5 to 10 digits.';
      }
   } else {
      $errors[] = 'Number is a required field.';
   }

   if( !empty($errors) ) {  // if the $errors array is not empty, display the errors to allow the user to correct them and resubmit the form
      echo "<font color=\"red\">The following errors were detected";
      foreach( $errors as $value ) {
         echo "<br>$value";
      }
      echo '</font>';
   }
}
?>
<form method="post">
Name (3-20 letters): <input type="text" name="name" value="<?php echo isset($_POST['name']) ? $_POST['name'] : ''; ?>"><br>
Number (5-10 numbers): <input type="text" name="number" value="<?php echo isset($_POST['number']) ? $_POST['number'] : ''; ?>"><br>
<input type="hidden" name="submitted" value="yes">
<input type="submit" name="submit" value="Submit">
</form>

[squigs]

Thank you Pikachu2000 I'll play around with this and try to get it working with my script. I appreciate the example you've given me here...

[harristweed]

Just for interest, why:

<?php echo isset($_POST['name']) ? $_POST['name'] : ''; ?>

Why not just:

<?php echo $_POST['name']; ?>

If $_POST['name'] is not set, nothing will echo?

[squigs]

I can't seem to avoid an  unexpected t_variable on the first line of this suggested code..

[Pikachu2000]

Just for interest, why:

<?php echo isset($_POST['name']) ? $_POST['name'] : ''; ?>

Why not just:

<?php echo $_POST['name']; ?>

If $_POST['name'] is not set, nothing will echo?

 

If a variable isn't set, and you attempt to use it, a warning is generated, so it's best to check if it's set first.

[Pikachu2000]

I can't seem to avoid an  unexpected t_variable on the first line of this suggested code..

 

As it's written, there are no parse errors. Did you insert it into some other code?

[squigs]

yes i did, I'm trying to get it to cooperate with some existing code that uses mysql, I will post it below maybe you can spot something obvious.

<?php
if( $_POST['submitted'] == 'yes' ) { //check for hidden field value to indicate form has been submitted
$errors = array(); // initialize an array to hold validation errors
array_map('trim', $_POST); // trim all $_POST array values

if( !empty($_POST['username']) ) { // validate the name field
//This is one error message I would like to display
if( strlen($_POST['name']) < 3 || strlen($_POST['name'] > 20) ) {
$errors[] = 'User name must be between 3 tand 20 characters.'; // if name has too many/few chars, store error
}
 else {
$errors[] = 'A user name is a required.'; // if name is empty, store error
}
}

if (!get_magic_quotes_gpc()) {
$_POST['username'] = addslashes($_POST['username']);
}
$usercheck = $_POST['username'];
$check = mysql_query("SELECT username FROM users WHERE username = '$usercheck'") 
or die(mysql_error());
$check2 = mysql_num_rows($check);

//if the name already exists it gives an error here
if ($check2 != 0) {
$errors[] = 'Sorry, the username '.$_POST['username'].' is already in use.';
}
// this makes sure both passwords entered match and should display an error if false
if ($_POST['pass'] != $_POST['pass2']) {
$errors[] = 'Your passwords did not match. ';
}

if( !empty($errors) ) { // if the $errors array is not empty, display the errors to allow the user to correct them and resubmit the form
echo "<font color=\"red\">The following errors were detected";
foreach( $errors as $value ) {
echo "<br>$value";
}
echo '</font>';
}
$_POST['pass'] = md5($_POST['pass']);
if (!get_magic_quotes_gpc()) {
$_POST['pass'] = addslashes($_POST['pass']);
$_POST['username'] = addslashes($_POST['username']);
}

$insert = "INSERT INTO users (username, password)
VALUES ('".$_POST['username']."', '".$_POST['pass']."')";
$add_member = mysql_query($insert);
?>

<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post"> 
<table border="0" align="center"> 
<tr><td>Username:</td><td> <input name="username" type="text" size="23" maxlength="40" value"<?php echo isset($_POST['username']) ? $_POST['username'] : ''; ?>"> </td></tr> 
<tr><td>Password:</td><td> <input name="pass" type="password" size="24" maxlength="12" value="<?php echo isset($_POST['password']) ? $_POST['password'] : ''; ?>"> </td></tr> 
<tr><td>Confirm Password:</td><td> <input name="pass2" type="password" size="24" maxlength="12"> </td></tr> 
<tr><th colspan=2 style="text-align:right;"><input type="hidden" name="submitted" value="yes"/>
<input type="submit" name="submit" value="Register" style="margin-top:10px;"></th></tr> 
</table> </form> 
<?php } ?> 

[Pikachu2000]

The check you run for magic_quotes_gpc() is incorrect. If magic quotes is not on, you should apply mysql_real_escape_string(), not addslashes(), if magic quotes is on, you should apply mysql_real_escape_string(stripslashes()).

 

There's no need to escape a value that will be hashed with either addslashes or mysql_real_escape_string.

 

In the form, it's not a good idea to use $_SERVER['PHP_SELF'] as a form action, as it presents an XSS vulnerability. you should either make it action="" or specify the name of the script explicitly.

 

Other than that, when I post those two blocks of code into a file, it doesn't return any errors, other than one undefined index warning. That can be fixed by changing the first line of code to:

if( isset($_POST['submitted']) && $_POST['submitted'] == 'yes' ) { //check for hidden field value to indicate form has been submitted

 

Are you trying to split it off into two separate files, by chance?

[squigs]

Thanks for the reply pikachu,

I'm not entirely sure how to implement your last suggestion though. I've changes my code up a bit and am now getting the same error but on the following line of code $errors= array().

 

I am not trying to split it into 2 files but rather just save username and password into my db.

 

I just checked and magic quotes are turned on on my server

[Pikachu2000]

OK. Can you go ahead and post the script in it's entirety? I'll have another look at it.

[squigs]

<?php
//I believe the lines below just mean to verify that the user name isn't already in use with or without slashes.
if (!get_magic_quotes_gpc()) {
$_POST['username'] = addslashes($_POST['username']);
}
//The next lines are to encrypt password into database
$_POST['pass'] = md5($_POST['pass']);
if (!get_magic_quotes_gpc()) {
$_POST['pass'] = addslashes($_POST['pass']);
$_POST['username'] = addslashes($_POST['username']);
}

$insert = "INSERT INTO users (username, password)
VALUES ('".$_POST['username']."', '".$_POST['pass']."')";
$add_member = mysql_query($insert);
?>

I changed the ['php_self'] is that what you meant to do?

<html>
<form action="<?php echo "filename.php"; ?>" method="post"> 
<table border="0" align="center"> 
<tr><td>Username:</td><td> <input name="username" type="text" size="23" maxlength="40" value"<?php echo isset($_POST['username']) ? $_POST['username'] : ''; ?>"> </td></tr> 
<tr><td>Password:</td><td> <input name="pass" type="password" size="24" maxlength="12" value="<?php echo isset($_POST['password']) ? $_POST['password'] : ''; ?>"> </td></tr> 
<tr><td>Confirm Password:</td><td> <input name="pass2" type="password" size="24" maxlength="12"> </td></tr> 
<tr><th colspan=2 style="text-align:right;"><input type="hidden" name="submitted" value="yes"/>
<input type="submit" name="submit" value="Register" style="margin-top:10px;"></th></tr> 
</table> </form> </html>
<?php } ?> 

[squigs]

<?php
if( isset($_POST['submitted']) && $_POST['submitted'] == 'yes' ) { //check for hidden field value to indicate form has been submitted
$errors = array(); // initialize an array to hold validation errors
array_map('trim', $_POST); // trim all $_POST array values

if( !empty($_POST['username']) ) { // validate the name field
//This is one error message I would like to display
if( strlen($_POST['name']) < 3 || strlen($_POST['name'] > 20) ) {
$errors[] = 'User name must be between 3 tand 20 characters.'; // if name has too many/few chars, store error
}
 else {
$errors[] = 'A user name is a required.'; // if name is empty, store error
}
}

if (!get_magic_quotes_gpc()) {
$_POST['username'] = ($_POST['username']);
}
$usercheck = $_POST['username'];
$check = mysql_query("SELECT username FROM users WHERE username = '$usercheck'") 
or die(mysql_error());
$check2 = mysql_num_rows($check);

//if the name already exists it gives an error here
if ($check2 != 0) {
$errors[] = 'Sorry, the username '.$_POST['username'].' is already in use.';
}
// this makes sure both passwords entered match and should display an error if false
if ($_POST['pass'] != $_POST['pass2']) {
$errors[] = 'Your passwords did not match. ';
}

if( !empty($errors) ) { // if the $errors array is not empty, display the errors to allow the user to correct them and resubmit the form
echo "<font color=\"red\">The following errors were detected";
foreach( $errors as $value ) {
echo "<br>$value";
}
echo '</font>';
}
$_POST['pass'] = md5($_POST['pass']);
if (!get_magic_quotes_gpc()) {
$_POST['pass'] = mysql_real_escape_string($_POST['pass']);
$_POST['username'] = mysql_real_escape_string($_POST['username']);
}

$insert = "INSERT INTO users (username, password)
VALUES ('".$_POST['username']."', '".$_POST['pass']."')";
$add_member = mysql_query($insert);
?>

 

  <?php }  else {	 ?> 
<body>
<div id="container">
<div id="header"><?php include ("login_header.php") ?></div>
<div id="photoNav"><?php include ("mainNav.php") ?></div>
<div id="tableContent">
<div class="bold_16" style="margin-top:40px">Enter Your Registration Information Below</div>
<div class="padding_top"><div style="padding-top:10px; text-align:center;">

</div>
<form action="<?php echo "admin_registration.php" ?>" method="post"> 
<table border="0" align="center"> 
<tr><td>Username:</td><td> <input name="username" type="text" size="23" maxlength="40" value"<?php echo isset($_POST['username']) ? $_POST['username'] : ''; ?>"> </td></tr> 
<tr><td>Password:</td><td> <input name="pass" type="password" size="24" maxlength="12" value="<?php echo isset($_POST['password']) ? $_POST['password'] : ''; ?>"> </td></tr> 
<tr><td>Confirm Password:</td><td> <input name="pass2" type="password" size="24" maxlength="12"> </td></tr> 
<tr><th colspan=2 style="text-align:right;"><input type="hidden" name="submitted" value="yes"/>
<input type="submit" name="submit" value="Register" style="margin-top:10px;"></th></tr> 
</table> </form> 
<?php } ?> 

[Pikachu2000]

I'm assuming that this code all goes into one file, is that correct? If so, you can leave the form's action attribute as action="", otherwise, just put the name of the file it submits to between the quotes.

 

<?php
//I believe the lines below just mean to verify that the user name isn't already in use with or without slashes.
if (!get_magic_quotes_gpc()) {
$_POST['username'] = mysql_real_escape_string($_POST['username']);
} else {
$_POST['username'] = mysql_real_escape_string(stripslashes($_POST['username']));
}
//The next lines are to encrypt password into database
$_POST['pass'] = md5($_POST['pass']);

$insert = "INSERT INTO users (username, password)
VALUES ('".$_POST['username']."', '".$_POST['pass']."')";
$add_member = mysql_query($insert);

?>
<html>
<form action="" method="post">
<table border="0" align="center">
<tr><td>Username:</td><td> <input name="username" type="text" size="23" maxlength="40" value"<?php echo isset($_POST['username']) ? $_POST['username'] : ''; ?>"> </td></tr>
<tr><td>Password:</td><td> <input name="pass" type="password" size="24" maxlength="12" value="<?php echo isset($_POST['password']) ? $_POST['password'] : ''; ?>"> </td></tr>
<tr><td>Confirm Password:</td><td> <input name="pass2" type="password" size="24" maxlength="12"> </td></tr>
<tr><th colspan=2 style="text-align:right;"><input type="hidden" name="submitted" value="yes"/>
<input type="submit" name="submit" value="Register" style="margin-top:10px;"></th></tr>
</table> </form> </html>

[squigs]

yes that's correct. some of the things i was working on are sortof taken apart because I copied and pasted while I was working on it and trying to edit it in these text areas afterwards is not fun. So I will change the action as you mentioned and hopefully we can also get the rest of it working.

[squigs]

<?php
if( isset($_POST['submitted']) && $_POST['submitted'] == 'yes' ){ 
//check for hidden field value to indicate form has been submitted

//***still getting an unexpected t_variable on the following line***

$errors = array(); // initialize an array to hold validation errors
array_map('trim', $_POST); // trim all $_POST array values
if( !empty($_POST['username']) ) { // validate the name field
//This is one error message I would like to display

if( strlen($_POST['name']) < 3 || strlen($_POST['name'] > 20) ) {
$errors[] = 'User name must be between 3 tand 20 characters.'; // if name has too many/few chars, store error
}
 else {
$errors[] = 'A user name is a required.'; // if name is empty, store error
}
}
if (!get_magic_quotes_gpc()) {	$_POST['username'] = mysql_real_escape_string($_POST['username']);}
else {	$_POST['username'] = mysql_real_escape_string(stripslashes($_POST['username']));}
}
$usercheck = $_POST['username'];
$check = mysql_query("SELECT username FROM users WHERE username = '$usercheck'") 
or die(mysql_error());
$check2 = mysql_num_rows($check);
//if the name already exists it gives an error here
if ($check2 != 0) {
$errors[] = 'Sorry, the username '.$_POST['username'].' is already in use.';
}
// this makes sure both passwords entered match and should display an error if false
if ($_POST['pass'] != $_POST['pass2']) {
$errors[] = 'Your passwords did not match. ';
}
if( !empty($errors) ) { // if the $errors array is not empty, display the errors to allow the user to correct them and resubmit the form
echo "<font color=\"red\">The following errors were detected";
foreach( $errors as $value ) {
echo "<br>$value";
}
echo '</font>';
}
$_POST['pass'] = md5($_POST['pass']);
$insert = "INSERT INTO users (username, password)VALUES ('".$_POST['username']."', '".$_POST['pass']."')";
$add_member = mysql_query($insert);
?>

[squigs]

Maybe I should just return to the original script and set up three error pages which just redirect the user on the die command.. I was hoping to get this one working but it seems to me this script won't behave any other way?...