Jump to content

no data going to sql


capt1701b
 Share

Recommended Posts

Hi all,

 

I am trying to check if all the fields in my php have been completed after the submit button has been clicked, if everything is completed correctly, the data will be passed to my sql table.

 

When I enter the correct details nothing is being passed to the sql table  :, I think it may be my date as it default to year-month-date which is enter in sql as 0000-00-00?

 

Am I on the right track or is it something else ,can any one help please 

<?php
session_start();
//include files
include 'header/header.php';
include 'nav/navigation.php';
include 'init.php';
// define variables and set to empty values
$firstNameErr = $dateErr= $surnameErr = $emailErr = $genderErr = $passwordErr = $confirmpasswordErr ="";
$firstName = $surname = $email = $gender = $date = $password = $confirmpassword="";
 
$day = $_POST['day'];
$mon = $_POST['month'];
$year = $_POST['year'];
$date = $year . "-" . $mon . "-" . $day;
echo $year . "-" . $mon . "-" . $day;
//Store any errors, later check if any of them are no longer empty - if so don't submit the data
$errors = array("submit" => "", "firstname" => "", "surname" => "", "email" => "", "gender" => "", "date" => "", "password" => "", "passwordC" => "", "passwordM" => "");
 
if(isset($_POST["submit"])) {
    if (empty($_POST["firstname"])) {
        $errors["firstname"] = "firstname is required";
    } else {
        $firstname = test_input($_POST["firstname"]);
        // check if name only contains letters and whitespace
        if (!preg_match("/^[a-zA-Z]*$/",$firstName)) {
            $errors["firstname"] = "Only letters and white space allowed";
        }
    }
 
    if (empty($_POST["surname"])) {
        $errors["surname"] = "Surname is required";
    } else {
        $surname = test_input($_POST["surname"]);
        // check if name only contains letters and whitespace
        if (!preg_match("/^[a-zA-Z]*$/",$surname)) {
          $errors["surname"] = "Only letters and white space allowed";
        }
    }
 
    if (empty($_POST["email"])) {
        $errors["email"] = "Email is required";
    } else {
        $email = test_input($_POST["email"]);
        // check if e-mail address is well-formed
        if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
            $errors["email"] = "Invalid email format";
        }
    }
   
    if (empty($_POST["gender"])) {
        $errors["gender"] = "Gender is required";
    } else {
        $gender = test_input($_POST["gender"]);
    }
 
 
    if (empty($_POST["date"])) {
        $errors["date"] = "your DOB is required";
    }
    elseif($_POST["date"] == "Year-month-date") {
        $errors["date"] = "your DOB is required";
    }
    else {
        $date = test_input($_POST["date"]);
        // check if date is well-formed and valid
        if(preg_match("/^(\d{2})-(\d{2})-(\d{4})$/", $date, $sdate)){
            if(!checkdate($sdate[2], $sdate[1], $sdate[3])) $errors["date"] = "Invalid date";
        } else $errors["date"] = "Invalid date format";
    }
 
    if (empty($_POST["password"])) {
        $errors["password"] = "a password is required";
    } else {
        $password = test_input($_POST["password"]);
        // check if name only contains letters and whitespace
        if (!preg_match("/^[a-zA-Z0-9 ]*$/",$password)) {
        $errors["password"] = "Only letters, numbers and white space allowed";
        }
    }
   
    if (empty($_POST["confirm"])) {
        $errors["passwordC"] = "Please confirm your password";
    } else {
        $password = test_input($_POST["confirm"]);
        // check if name only contains letters and whitespace
        if (!preg_match("/^[a-zA-Z0-9 ]*$/",$password)) {
            $errors["passwordC"] = "Only letters, numbers and white space allowed";
        }
    }
   
    if (($_POST["confirm"] != $_POST["password"])){
        $errors["passwordM"] =" Your passwords do not match";
    }
}
 
$isInvalid = false;
 
foreach($errors as $field => $field_error) {
        if(!empty($field_error)) $isInvalid = true;
}
 
if(!$isInvalid) {
    $query =  "INSERT `Membership` (`First_Name`, `Surname`, `Gender`, `DOB`, `Email`, `Password`) VALUES ('$firstname', '$surname', '$gender', '$date','$email', '$password')";
    $result = mysqli_query($connection,$query) or exit ("Error in query: $query. ".mysqli_error($connection));
}
 
function test_input($data) {
  $data = trim($data);
  $data = stripslashes($data);
  $data = htmlspecialchars($data);
  return $data;
}
?>
<div class="large-6 columns">
<h2>Register Form</h2>
<p><span style="color:red">required fields.</span></p>
<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">  
<fieldset>
    <fieldset>
          <legend>First Name</legend>
 <label>
  <input type="text" name="firstname" placeholder="your first name">
   <span style="color:red">
   <?php echo $errors["firstname"];?>
   </span>
  </fieldset>
   <fieldset>
          <legend>Surname</legend>
 <label>
  <input type="text" name="surname" placeholder="your surname">
   <span style="color:red">
   <?php echo $errors["surname"];?>
   </span>
  </fieldset>
  <fieldset>
          <legend>Email</legend>
 <label>
  <input type="text" name="email" placeholder="your email address">
 <span style="color:red">
 <?php echo $errors["email"];?>
 </span>
 </fieldset>
  <fieldset>
          <legend>Gender</legend>
 <label>
  <input type="radio" name="gender" value="female"> Female
  <input type="radio" name="gender" value="male"> Male
  <span style="color:red">
  <?php echo $errors["gender"];?>
 </span>
  <br><br>
  </fieldset>
   
  <fieldset>
          <legend>DOB</legend>
          <div class="small-6 columns">
  <tr> <th> <td>
 <select size="1" name="day" value="Date">
   <option>date</option>
   <option>1</option>
   <option>2</option>
   <option>3</option>
   <option>4</option>
   <option>5</option>
   <option>6</option>
   <option>7</option>
   <option>8</option>
   <option>9</option>
   <option>10</option>
   <option>11</option>
   <option>12</option>
   <option>13</option>
   <option>14</option>
   <option>15</option>
   <option>16</option>
   <option>17</option>
   <option>18</option>
   <option>19</option>
   <option>20</option>
   <option>21</option>
   <option>22</option>
   <option>23</option>
   <option>24</option>
   <option>25</option>
   <option>26</option>
   <option>27</option>
   <option>28</option>
   <option>29</option>
   <option>30</option>
   <option>31</option>
</select>
  <select size="1" name="month" value="Month">  </th>
  <option>month</option>
   <option>1</option>
   <option>2</option>
   <option>3</option>
   <option>4</option>
   <option>5</option>
   <option>6</option>
   <option>7</option>
   <option>8</option>
   <option>9</option>
   <option>10</option>
   <option>11</option>
   <option>12</option>
</select>
   <select size="1" name="year" value="Year">
   <option>Year</option>
   <option>1966</option>
   <option>1967</option>
   <option>1968</option>
   <option>1969</option>
   <option>1970</option>
   <option>1971</option>
   <option>1972</option>
   <option>1973</option>
   <option>1974</option>
   <option>1975</option>
   <option>1976</option>
   <option>1977</option>
   <option>1978</option>
   <option>1979</option>
   <option>1980</option>
   <option>1981</option>
   <option>1982</option>
   <option>1982</option>
   <option>1983</option>
   <option>1984</option>
   <option>1985</option>
   <option>1986</option>
   <option>1987</option>
   <option>1988</option>
   <option>1989</option>
   <option>1990</option>
   <option>1991</option>
   <option>1992</option>
   <option>1993</option>
   <option>1994</option>
   <option>1995</option>
   <option>1996</option>
   <option>1997</option>
   <option>1998</option>
   <option>1999</option>
   <option>2000</option>
   <option>2001</option>
   <option>2002</option>
   <option>2003</option>
   <option>2004</option>
   <option>2005</option>
   <option>2006</option>
   <option>2007</option>
   <option>2008</option>
   <option>2009</option>
   <option>2010</option>
   </div>
</select> </td></tr>
<span style="color:red">
<?php echo $errors["date"];?>
</span>
 </fieldset>
 <fieldset>
          <legend>Password</legend>
 <label>
  <input type="text" name="password" placeholder="your password">
  <span style="color:red">
   <?php echo $errors["password"];?>
   </span>
    <br><br>
<label>
<input type="text" name="confirm"placeholder="Confirm your password">
<span style="color:red">
   <?php echo $errors["passwordC"];?>
</span>
<span style="color:red">
   <?php echo $errors["passwordM"];?>
</span>
</fieldset>
 <br><br>
  <input type="submit" name="submit" value="Submit">
</form>
</fieldset>
<?php
echo "<h2>Your Input:</h2>";
echo $firstname;
echo "<br>";
echo $surname;
echo "<br>";
echo $email;
echo "<br>";
echo $password;
echo "<br>";
echo $gender;
echo "<br>";
echo $date;
//include files
include 'footer/footer.php';
?>
  <script src="js/vendor/jquery.js"></script>
  <script src="js/foundation.min.js"></script>
  <script>
 
  </script>
  </body> 
Edited by capt1701b
Link to comment
Share on other sites

Your code is badly broken.

  • You immediately screw up all input by running it through this weird “test_input” function. Why on earth would you blindly remove all slashes and apply HTML-escaping to everything you receive from the user? What is this supposed to do other than give you a lot of broken data?
  • At the same time, your query is wide open to SQL injection attacks.
  • Your validation rules make no sense. What if my name is José or Björn? Does that mean I'm not allowed to use your website?
  • Your error handling consists of dumping the messages on the screen. Why would you do that? Do you expect your users to do the debugging? Surely this will be helpful for attackers, though.
  • Writing down numbers by hand doesn't make a lot of sense. PHP can in fact count. Even better, replace that stuff with a proper date picker which understands the calendar.

Fix the fundamental problems, then test the code again and come back with a more detailed problem description. I mean, that's what all those error messages are for, right?

 

One obvious issue is the syntax: It's “INSERT INTO”.

Edited by Jacques1
Link to comment
Share on other sites

Hi all,

 

Since I am just learning about php  and sql and trying get my head around it

 

How could I make my query safer?

How would I add éö-' etc... into preg?

Is there a better way to display an error message when a user does not enter any detail into field that is mandatory

 

The calendar I have changed to <input type="date" value="<?php echo date("Y-m-d");?>"> from http://stackoverflow.com/questions/14212527/how-to-set-default-value-to-the-inputtype-date 

but now I can enter a date greater then today, how can I prevent this?

Link to comment
Share on other sites

You should use the PDO database extension instead of mysqli. It's much easier to use and leaves much less room for errors. Read the first few sections of the tutorial, then replace your query with a prepared statement. This will reliably prevent attacks against your database, because the input is separated from the query.

 

A lot of the validation should simply be removed. You cannot really “validate” a name, because there's no universal law for human names. Just check if the input is empty and leave it at that. Passwords shouldn't be restricted either. Exotic characters are good, because they're more difficult to guess. If at all, you should enforce a minimum length. In any case, get rid of the test_input() function.

 

Displaying validation errors is fine. I was talking about your mysqli_error() stuff which prints internal error messages straight on the screen (where they clearly don't belong). Again PDO comes to the rescue, because it can automatically throw an exception whenever something goes wrong. You don't have to do anything then.

 

As to the date validation: Parse the date, check if it's bigger than now (the DateTime class supports standard </> comparisons).

  • Like 1
Link to comment
Share on other sites

This thread is more than a year old.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.