capt1701b Posted April 17, 2017 (edited)

Hi all, I am trying to check that all the fields in my PHP form have been completed after the submit button has been clicked; if everything is completed correctly, the data will be passed to my SQL table. When I enter the correct details, nothing is being passed to the SQL table. I think it may be my date, as it defaults to year-month-date, which is entered in SQL as 0000-00-00? Am I on the right track, or is it something else? Can anyone help, please?

<?php
session_start();

//include files
include 'header/header.php';
include 'nav/navigation.php';
include 'init.php';

// define variables and set to empty values
$firstNameErr = $dateErr = $surnameErr = $emailErr = $genderErr = $passwordErr = $confirmpasswordErr = "";
$firstName = $surname = $email = $gender = $date = $password = $confirmpassword = "";

$day  = $_POST['day'];
$mon  = $_POST['month'];
$year = $_POST['year'];
$date = $year . "-" . $mon . "-" . $day;
echo $year . "-" . $mon . "-" . $day;

//Store any errors, later check if any of them are no longer empty - if so don't submit the data
$errors = array("submit" => "", "firstname" => "", "surname" => "", "email" => "", "gender" => "",
                "date" => "", "password" => "", "passwordC" => "", "passwordM" => "");

if(isset($_POST["submit"])) {
    if (empty($_POST["firstname"])) {
        $errors["firstname"] = "firstname is required";
    } else {
        $firstname = test_input($_POST["firstname"]);
        // check if name only contains letters and whitespace
        if (!preg_match("/^[a-zA-Z]*$/",$firstName)) {
            $errors["firstname"] = "Only letters and white space allowed";
        }
    }
    if (empty($_POST["surname"])) {
        $errors["surname"] = "Surname is required";
    } else {
        $surname = test_input($_POST["surname"]);
        // check if name only contains letters and whitespace
        if (!preg_match("/^[a-zA-Z]*$/",$surname)) {
            $errors["surname"] = "Only letters and white space allowed";
        }
    }
    if (empty($_POST["email"])) {
        $errors["email"] = "Email is required";
    } else {
        $email = test_input($_POST["email"]);
        // check if e-mail address is well-formed
        if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
            $errors["email"] = "Invalid email format";
        }
    }
    if (empty($_POST["gender"])) {
        $errors["gender"] = "Gender is required";
    } else {
        $gender = test_input($_POST["gender"]);
    }
    if (empty($_POST["date"])) {
        $errors["date"] = "your DOB is required";
    } elseif($_POST["date"] == "Year-month-date") {
        $errors["date"] = "your DOB is required";
    } else {
        $date = test_input($_POST["date"]);
        // check if date is well-formed and valid
        if(preg_match("/^(\d{2})-(\d{2})-(\d{4})$/", $date, $sdate)){
            if(!checkdate($sdate[2], $sdate[1], $sdate[3]))
                $errors["date"] = "Invalid date";
        } else
            $errors["date"] = "Invalid date format";
    }
    if (empty($_POST["password"])) {
        $errors["password"] = "a password is required";
    } else {
        $password = test_input($_POST["password"]);
        // check if name only contains letters and whitespace
        if (!preg_match("/^[a-zA-Z0-9 ]*$/",$password)) {
            $errors["password"] = "Only letters, numbers and white space allowed";
        }
    }
    if (empty($_POST["confirm"])) {
        $errors["passwordC"] = "Please confirm your password";
    } else {
        $password = test_input($_POST["confirm"]);
        // check if name only contains letters and whitespace
        if (!preg_match("/^[a-zA-Z0-9 ]*$/",$password)) {
            $errors["passwordC"] = "Only letters, numbers and white space allowed";
        }
    }
    if (($_POST["confirm"] != $_POST["password"])){
        $errors["passwordM"] = " Your passwords do not match";
    }
}

$isInvalid = false;
foreach($errors as $field => $field_error) {
    if(!empty($field_error))
        $isInvalid = true;
}
if(!$isInvalid) {
    $query = "INSERT `Membership` (`First_Name`, `Surname`, `Gender`, `DOB`, `Email`, `Password`) VALUES ('$firstname', '$surname', '$gender', '$date','$email', '$password')";
    $result = mysqli_query($connection,$query) or exit ("Error in query: $query. ".mysqli_error($connection));
}

function test_input($data) {
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}
?>
<div class="large-6 columns">
  <h2>Register Form</h2>
  <p><span style="color:red">required fields.</span></p>
  <form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
    <fieldset>
      <fieldset>
        <legend>First Name</legend>
        <label>
        <input type="text" name="firstname" placeholder="your first name">
        <span style="color:red"> <?php echo $errors["firstname"];?> </span>
      </fieldset>
      <fieldset>
        <legend>Surname</legend>
        <label>
        <input type="text" name="surname" placeholder="your surname">
        <span style="color:red"> <?php echo $errors["surname"];?> </span>
      </fieldset>
      <fieldset>
        <legend>Email</legend>
        <label>
        <input type="text" name="email" placeholder="your email address">
        <span style="color:red"> <?php echo $errors["email"];?> </span>
      </fieldset>
      <fieldset>
        <legend>Gender</legend>
        <label>
        <input type="radio" name="gender" value="female"> Female
        <input type="radio" name="gender" value="male"> Male
        <span style="color:red"> <?php echo $errors["gender"];?> </span>
        <br><br>
      </fieldset>
      <fieldset>
        <legend>DOB</legend>
        <div class="small-6 columns">
          <tr> <th> <td>
          <select size="1" name="day" value="Date">
            <option>date</option>
            <option>1</option> <option>2</option> <option>3</option> <option>4</option> <option>5</option>
            <option>6</option> <option>7</option> <option>8</option> <option>9</option> <option>10</option>
            <option>11</option> <option>12</option> <option>13</option> <option>14</option> <option>15</option>
            <option>16</option> <option>17</option> <option>18</option> <option>19</option> <option>20</option>
            <option>21</option> <option>22</option> <option>23</option> <option>24</option> <option>25</option>
            <option>26</option> <option>27</option> <option>28</option> <option>29</option> <option>30</option>
            <option>31</option>
          </select>
          <select size="1" name="month" value="Month">
            </th>
            <option>month</option>
            <option>1</option> <option>2</option> <option>3</option> <option>4</option> <option>5</option> <option>6</option>
            <option>7</option> <option>8</option> <option>9</option> <option>10</option> <option>11</option> <option>12</option>
          </select>
          <select size="1" name="year" value="Year">
            <option>Year</option>
            <option>1966</option> <option>1967</option> <option>1968</option> <option>1969</option> <option>1970</option>
            <option>1971</option> <option>1972</option> <option>1973</option> <option>1974</option> <option>1975</option>
            <option>1976</option> <option>1977</option> <option>1978</option> <option>1979</option> <option>1980</option>
            <option>1981</option> <option>1982</option> <option>1982</option> <option>1983</option> <option>1984</option>
            <option>1985</option> <option>1986</option> <option>1987</option> <option>1988</option> <option>1989</option>
            <option>1990</option> <option>1991</option> <option>1992</option> <option>1993</option> <option>1994</option>
            <option>1995</option> <option>1996</option> <option>1997</option> <option>1998</option> <option>1999</option>
            <option>2000</option> <option>2001</option> <option>2002</option> <option>2003</option> <option>2004</option>
            <option>2005</option> <option>2006</option> <option>2007</option> <option>2008</option> <option>2009</option>
            <option>2010</option>
        </div>
          </select>
          </td></tr>
        <span style="color:red"> <?php echo $errors["date"];?> </span>
      </fieldset>
      <fieldset>
        <legend>Password</legend>
        <label>
        <input type="text" name="password" placeholder="your password">
        <span style="color:red"> <?php echo $errors["password"];?> </span>
        <br><br>
        <label>
        <input type="text" name="confirm" placeholder="Confirm your password">
        <span style="color:red"> <?php echo $errors["passwordC"];?> </span>
        <span style="color:red"> <?php echo $errors["passwordM"];?> </span>
      </fieldset>
      <br><br>
      <input type="submit" name="submit" value="Submit">
  </form>
    </fieldset>
<?php
echo "<h2>Your Input:</h2>";
echo $firstname;
echo "<br>";
echo $surname;
echo "<br>";
echo $email;
echo "<br>";
echo $password;
echo "<br>";
echo $gender;
echo "<br>";
echo $date;

//include files
include 'footer/footer.php';
?>
<script src="js/vendor/jquery.js"></script>
<script src="js/foundation.min.js"></script>
<script>
</script>
</body>
benanamen Posted April 17, 2017 (edited)

Why do you think this is valid?

elseif($_POST["date"] == "Year-month-date") {
NigelRel3 Posted April 17, 2017

Have you looked at using the HTML5 required attribute? This will do a lot of the work for you!
Jacques1 Posted April 17, 2017 (edited)

Your code is badly broken.

You immediately screw up all input by running it through this weird "test_input" function. Why on earth would you blindly remove all slashes and apply HTML-escaping to everything you receive from the user? What is this supposed to do other than give you a lot of broken data? At the same time, your query is wide open to SQL injection attacks.

Your validation rules make no sense. What if my name is José or Björn? Does that mean I'm not allowed to use your website?

Your error handling consists of dumping the messages on the screen. Why would you do that? Do you expect your users to do the debugging? Surely this will be helpful for attackers, though.

Writing down numbers by hand doesn't make a lot of sense. PHP can in fact count. Even better, replace that stuff with a proper date picker which understands the calendar.

Fix the fundamental problems, then test the code again and come back with a more detailed problem description. I mean, that's what all those error messages are for, right? One obvious issue is the syntax: It's "INSERT INTO".
capt1701b Posted April 17, 2017 (Author)

Hi all,

Since I am just learning about PHP and SQL and trying to get my head around it:

How could I make my query safer?

How would I add éö-' etc. into preg?

Is there a better way to display an error message when a user does not enter any detail into a field that is mandatory?

The calendar I have changed to

<input type="date" value="<?php echo date("Y-m-d");?>">

from http://stackoverflow.com/questions/14212527/how-to-set-default-value-to-the-inputtype-date, but now I can enter a date greater than today. How can I prevent this?
Jacques1 Posted April 17, 2017

You should use the PDO database extension instead of mysqli. It's much easier to use and leaves much less room for errors. Read the first few sections of the tutorial, then replace your query with a prepared statement. This will reliably prevent attacks against your database, because the input is separated from the query.

A lot of the validation should simply be removed. You cannot really "validate" a name, because there's no universal law for human names. Just check if the input is empty and leave it at that. Passwords shouldn't be restricted either. Exotic characters are good, because they're more difficult to guess. If at all, you should enforce a minimum length. In any case, get rid of the test_input() function.

Displaying validation errors is fine. I was talking about your mysqli_error() stuff which prints internal error messages straight on the screen (where they clearly don't belong). Again PDO comes to the rescue, because it can automatically throw an exception whenever something goes wrong. You don't have to do anything then.

As to the date validation: Parse the date, check if it's bigger than now (the DateTime class supports standard </> comparisons).
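The advice in this reply and the earlier one (prepared statement, no test_input(), names checked only for emptiness, password length instead of a character whitelist, DOB parsed and compared with DateTime, database errors kept off the screen) put together in code, as an added example that is not the original poster's code or anything posted in the thread. It keeps the poster's `Membership` table and column names and the `firstname`/`surname`/`email`/`gender`/`date`/`password`/`confirm` field names; the DSN, the credentials and the 8-to-72-character password bounds are assumptions.

```php
<?php
// Added example, not the original poster's code. Assumptions: a MySQL table
// `Membership` with the columns used in the thread, placeholder DSN/credentials
// below, and <input type="date"> posting the DOB as YYYY-MM-DD.
declare(strict_types=1);

/** Returns ['errors' => [...], 'data' => [...]]; use data only when errors is empty. */
function validateRegistration(array $post, ?DateTimeInterface $today = null): array
{
    $today  = $today ?? new DateTimeImmutable('today');
    $errors = [];
    $data   = [];

    // Names: no universal rule exists for human names, so only require a value.
    foreach (['firstname', 'surname'] as $field) {
        $value = trim((string)($post[$field] ?? ''));
        if ($value === '') {
            $errors[$field] = ucfirst($field) . ' is required';
        }
        $data[$field] = $value;
    }

    $email = trim((string)($post['email'] ?? ''));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Invalid email format';
    }
    $data['email'] = $email;

    // Accept only the values the form offers; anything else is a forged request.
    $gender = (string)($post['gender'] ?? '');
    if (!in_array($gender, ['female', 'male'], true)) {
        $errors['gender'] = 'Gender is required';
    }
    $data['gender'] = $gender;

    // The leading "!" zeroes the time fields so the comparison is date-only.
    // createFromFormat() rolls "2017-02-30" over into March instead of failing,
    // so the warning counter from getLastErrors() has to be checked as well
    // (it returns false instead of an array on PHP >= 8.2 when nothing went wrong).
    $dob = DateTimeImmutable::createFromFormat('!Y-m-d', (string)($post['date'] ?? ''));
    $parse = DateTimeImmutable::getLastErrors();
    $rolledOver = is_array($parse) && ($parse['warning_count'] + $parse['error_count']) > 0;
    if ($dob === false || $rolledOver) {
        $errors['date'] = 'Invalid date';
    } elseif ($dob > $today) {
        $errors['date'] = 'Date of birth cannot be in the future';
    } else {
        $data['date'] = $dob->format('Y-m-d'); // normalised for the DATE column
    }

    // Passwords: no character whitelist; enforce length only (72 is the bcrypt input limit).
    $password = (string)($post['password'] ?? '');
    if (strlen($password) < 8 || strlen($password) > 72) {
        $errors['password'] = 'Password must be between 8 and 72 characters';
    } elseif ($password !== (string)($post['confirm'] ?? '')) {
        $errors['passwordM'] = 'Your passwords do not match';
    }
    $data['password'] = $password;

    return ['errors' => $errors, 'data' => $data];
}

/** Inserts one member through a prepared statement; returns the new row id. */
function insertMember(PDO $pdo, array $data): int
{
    // Values travel separately from the SQL text, so a quote in a name cannot alter the query.
    $stmt = $pdo->prepare(
        'INSERT INTO `Membership` (`First_Name`, `Surname`, `Gender`, `DOB`, `Email`, `Password`)
         VALUES (:first, :surname, :gender, :dob, :email, :password)'
    );
    $stmt->execute([
        ':first'    => $data['firstname'],
        ':surname'  => $data['surname'],
        ':gender'   => $data['gender'],
        ':dob'      => $data['date'],
        ':email'    => $data['email'],
        ':password' => password_hash($data['password'], PASSWORD_DEFAULT), // never the plaintext
    ]);
    return (int)$pdo->lastInsertId();
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    ['errors' => $errors, 'data' => $data] = validateRegistration($_POST);
    if ($errors === []) {
        try {
            // Placeholder DSN and credentials; ERRMODE_EXCEPTION makes every failure throw.
            $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'app_secret', [
                PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
                PDO::ATTR_EMULATE_PREPARES => false,
            ]);
            insertMember($pdo, $data);
            echo 'Registration saved.';
        } catch (PDOException $e) {
            error_log($e->getMessage()); // internal detail goes to the log, not to the user
            echo 'Registration failed, please try again later.';
        }
    } else {
        // Escape at output time only, never on the way in.
        foreach ($errors as $msg) {
            echo '<p style="color:red">' . htmlspecialchars($msg, ENT_QUOTES, 'UTF-8') . '</p>';
        }
    }
}
```

On the form side, `required` on each input and `max="<?php echo date('Y-m-d'); ?>"` on the date input give the user immediate feedback, but they are only a convenience: a request can be sent without the browser, so the server-side checks above remain the ones that count.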