mlukac89 Posted June 1, 2014

Hi, I have a problem with editing the register form over Inspect element, or when you press F12 in Mozilla or Chrome. When you select a country you can edit the form with F12 and change the country value, so the form saves it like that in the database. The problem is that it's in a foreach loop and I can't check if the country in the POST variable is valid and compare it with the one in the database. In my $_POST variable the country is stored like ' Croatia, hr ' and in the database it's like 'id, name, alpha_2, alpha_3'. So can I find the value I need, for example Albania and al, without any loop?

```php
<?php
// if user is logged in redirect him to index page
if ($general->is_logged() === true) {
    header('Location: index.php');
    exit();
}

// get list of countries
$country = $teams->get_country();

require_once 'core/classes/recaptchalib.php';
$publickey = "***********************";
$privatekey = "***********************";

// process form
if (isset($_POST['register'])) {
    if (isset($_POST['username']) && isset($_POST['nickname']) && isset($_POST['password']) && isset($_POST['repeat_password'])
        && isset($_POST['email']) && isset($_POST['repeat_email']) && isset($_POST['gender']) && isset($_POST['country'])
        && isset($_POST['recaptcha_challenge_field']) && isset($_POST['recaptcha_response_field'])) {

        $username = trim($general->safe_input($_POST['username']));
        $nickname = trim($general->safe_input($_POST['nickname']));
        $password = trim($general->safe_input($_POST['password']));
        $rpassword = trim($general->safe_input($_POST['repeat_password']));
        $email = trim($general->safe_input($_POST['email']));
        $remail = trim($general->safe_input($_POST['repeat_email']));
        $gender = trim($general->safe_input($_POST['gender']));
        $cntry = $general->safe_input($_POST['country']);
        $date_registered = time();
        $password_hash = $general->safepass($password);

        // captcha
        $resp = recaptcha_check_answer($privatekey, $_SERVER["REMOTE_ADDR"], $_POST["recaptcha_challenge_field"], $_POST["recaptcha_response_field"]);

        // if username is empty
        if (empty($username)) {
            $error[] = 'Username is empty.';
        // if username already exists
        } elseif ($users->user_exists($username) === true) {
            $error[] = 'Username in use, please choose another.';
        // username must be between 3 and 20 characters long
        } elseif (strlen($username) < 3 || strlen($username) > 20) {
            $error[] = 'Username must be between 3 and 20 charaters long.';
        }

        // if nickname is empty
        if (empty($nickname)) {
            $error[] = 'Nickname is empty.';
        // if nickname in use
        } elseif ($users->nick_exists($nickname) === true) {
            $error[] = 'Nickname in use, please choose another.';
        // nickname must be between 3 and 20 characters long
        } elseif (strlen($nickname) < 3 || strlen($nickname) > 20) {
            $error[] = 'Nickname must be between 3 and 20 characters long.';
        }

        // if password field is empty
        if (empty($password)) {
            $error[] = 'Password filed is empty.';
        }

        // if password repeat field is empty
        if (empty($rpassword)) {
            $error[] = 'Repeat password filed is empty';
        }

        // if password and repeat password is not empty
        if (!empty($password) && !empty($rpassword)) {
            // passwords match ? if not throw error message
            if ($password != $rpassword) {
                $error[] = 'Passwords don\'t match.';
            // password must be between 6 and 30 characters long
            } elseif (strlen($password) < 6 || strlen($password) > 30) {
                $error[] = 'Password must be between 6 and 30 characters long.';
            }
        }

        // is email empty
        if (empty($email)) {
            $error[] = 'Email filed is empty.';
        }

        // is repeat email empty
        if (empty($remail)) {
            $error[] = 'Repeat email filed is empty.';
        }

        // if email and repeat email is not empty
        if (!empty($email) && !empty($remail)) {
            // if emails are not same
            if ($email != $remail) {
                $error[] = 'Emails don\'t match.';
            // if email and repeat email is same
            } elseif ($email == $remail) {
                // is email valid
                if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
                    $error[] = 'Invalid email format.';
                // is email in use
                } elseif ($users->email_exists($email) === true) {
                    $error[] = 'Email in use, please choose another.';
                // email must be between 10 and 30 characters long
                } elseif (strlen($email) < 10 || strlen($email) > 30) {
                    $error[] = 'Email must be between 10 and 30 characters long.';
                }
            }
        }

        // if gender is empty
        if (empty($gender)) {
            $error[] = 'Please select gender.';
        }

        // if gender is not empty
        if (!empty($gender)) {
            // if gender is Male or Female
            if ($gender == 'Male') {
                $gender = 'Male';
            } elseif ($gender == 'Female') {
                $gender = 'Female';
            } else {
                $error[] = 'Invalid gender.';
            }
        }

        // if country is empty
        if (empty($cntry)) {
            $error[] = 'Please select country.';
        }

        // check if country is valid
        if (!empty($cntry)) {
            // $newCountry['0'] is name key
            // $newCountry['1'] is alpha_2 key
            $newCountry = explode(',', $cntry);

            if (in_array($newCountry['0'], $country['name'])) {
                $error[] = 'VALID.';
            } else {
                $error[] = 'Invalid country.';
            }
        }

        // check if captcha is valid
        if (!$resp->is_valid) {
            $error[] = 'Invalid captcha code.';
        }

        // if no errors register user
        if (empty($error) === true) {
            //$add_user = $users->register_user($username, $password_hash, $email, $gender, $date_registered, $cntry, $nickname);
            unset($_POST); // clean $_post variable
            echo 'REGISTER USER !';
        }

        /*
        if ($DBH->lastInsertId()) {
            header('Location: index.php?page=register_success');
            exit();
        } else {
            $error = '<p class="error-msg">There was a problem, please try again.</p>';
        }*/
    }
}
?>
<script type="text/javascript">
var RecaptchaOptions = { theme : 'clean' };
</script>

<h3>Register</h3>

<?php
if (!empty($error)) {
    echo '<div style="padding:10px;margin:0 10px;border:1px solid #f3f3f3;background:#E35454;color:#fff;"><ul style="margin:0 0 0 20px;">';
    // separate loop variable so the $error array is not overwritten while iterating
    foreach ($error as $message) {
        echo '<li>'.$message.'</li>';
    }
    echo '</ul></div>';
}
?>

<form action="" method="POST" class="register-form">
    <input type="text" name="username" size="40" maxlength="20" placeholder="Username" value="<?php if (isset($_POST['username'])) { echo htmlentities($_POST['username'], ENT_QUOTES, "UTF-8"); } ?>" required>
    <input type="text" name="nickname" size="40" maxlength="20" placeholder="Nickname" value="<?php if (isset($_POST['nickname'])) { echo htmlentities($_POST['nickname'], ENT_QUOTES, "UTF-8"); } ?>" required><br /><br />
    <input type="password" name="password" size="40" maxlength="30" placeholder="Password" required>
    <input type="password" name="repeat_password" size="40" maxlength="30" placeholder="Repeat password" required><br /><br />
    <input type="text" name="email" size="40" maxlength="30" placeholder="Email" value="<?php if (isset($_POST['email'])) { echo htmlentities($_POST['email'], ENT_QUOTES, "UTF-8"); } ?>" required>
    <input type="text" name="repeat_email" size="40" maxlength="30" placeholder="Repeat email" value="<?php if (isset($_POST['repeat_email'])) { echo htmlentities($_POST['repeat_email'], ENT_QUOTES, "UTF-8"); } ?>" required><br /><br />
    <select name="gender" required>
        <option value="">Select gender</option>
        <option value="Male">Male</option>
        <option value="Female">Female</option>
    </select>
    <select name="country" style="width: 215px;" required>
        <option value="">Select country</option>
        <?php
        foreach ($country as $key) {
            echo '<option value="'.$key['name'].','.$key['alpha_2'].'">'.$key['name'].'</option>';
        }
        ?>
    </select>
    <br><br>
    <center><?php echo recaptcha_get_html($publickey); ?></center>
    <br>
    <center><input type="submit" name="register" value="Register" class="small-button"></center>
</form>
```

https://forums.phpfreaks.com/topic/288919-php-need-help-with-form-editing-over-inspect-element-tool/
Jacques1 Posted June 2, 2014 (Solution)

Sending some fancy country name string to the form processing script makes no sense. The point of the form value is to uniquely identify the chosen country. So use the country ID or the alpha-2 code or the alpha-3 code or any other unique identifier. Then check if this identifier exists in your database:

```sql
-- check if the user-chosen value "HR" exists in the database
SELECT
    'HR' IN (
        SELECT alpha_2
        FROM countries
    )
;
```
mlukac89 Posted June 2, 2014 (Author; edited June 2, 2014 by mlukac89)

Thanks for the reply, I made it like that now and now all works. But I was trying to put the country and key in one try, because on the user profile and on the team profile I have 1 field where the country and alpha_2 key are, and I use that alpha_2 key to get the country flag picture like this

```php
$country = explode(',', $USERDATA['country']);
echo $country['0'] . ' ' . '<span style="display: inline-block; vertical-align: text-top;"><img src="images/flags/'.$country['1'].'.png"></span>';
```

but never mind, I can make 1 more extra query to get the country name later for the user profile.

Here is not working version of form validation

```php
// check if country is valid
if (!empty($cntry)) {
    if ($teams->get_only_country($cntry) === false) {
        $error[] = 'Invalid country.';
    }
}
```

And query

```php
public function get_only_country($alpha_2)
{
    // look the submitted code up with a bound parameter
    $query = $this->db->prepare("SELECT alpha_2 FROM countries WHERE alpha_2 = ?");
    $query->bindValue(1, $alpha_2);
    $query->execute();

    $row = $query->rowCount();

    if ($row == 1) {
        return true;
    } else {
        return false;
    }
}
```
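An added example, not code from either poster: it combines the identifier check from the solution with the name-plus-flag display from the follow-up, taking both values from the matched database row rather than from the form. It assumes PHP 7.1+ with pdo_sqlite; the in-memory table, its rows, lowercase codes and the helper names `find_country` and `country_flag_html` are constructed for illustration, and it uses `fetch()` because PDO does not guarantee `rowCount()` for SELECT on every driver.

```php
<?php
// Added example, not code from the thread. Table and column names follow the
// thread (countries: id, name, alpha_2, alpha_3); the rows are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE countries (id INTEGER PRIMARY KEY, name TEXT, alpha_2 TEXT UNIQUE, alpha_3 TEXT)');
$db->exec("INSERT INTO countries (name, alpha_2, alpha_3) VALUES
    ('Albania', 'al', 'alb'), ('Croatia', 'hr', 'hrv')");

/**
 * Hypothetical helper: return the stored row for a submitted alpha-2 code,
 * or null if the value is not one the server offered.
 */
function find_country(PDO $db, $submitted): ?array
{
    // An edited form can send an array (country[]=x) or an arbitrary string.
    if (!is_string($submitted) || !preg_match('/\A[A-Za-z]{2}\z/', $submitted)) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, name, alpha_2 FROM countries WHERE alpha_2 = ?');
    $stmt->execute([$submitted]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);   // false when no row matches
    return $row === false ? null : $row;
}

/** Hypothetical helper: build the name + flag markup from the stored row only. */
function country_flag_html(array $row): string
{
    $name = htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8');
    $code = htmlspecialchars($row['alpha_2'], ENT_QUOTES, 'UTF-8');
    return $name . ' <img src="images/flags/' . $code . '.png" alt="' . $name . '">';
}

// Constructed submissions: one genuine, three edited in the browser.
$samples = ['hr', 'Croatia,hr', 'zz', ['hr']];
foreach ($samples as $value) {
    $row = find_country($db, $value);
    echo json_encode($value), ' => ',
        $row ? country_flag_html($row) : 'Invalid country.', PHP_EOL;
}
```

Storing the matched row's `id` (or `alpha_2`) on the user record keeps the profile page independent of anything the browser sent.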