nealios Posted March 18, 2008

Hello,

I'm performing some PHP validation on a form, before it is entered into the database. It checks the validity of the field in a separate insert script, it then relays the message back to the form if there is an error.

The problem is when the error message relays the whole page is refreshed so the user loses any data previously entered. Is there a way to temporarily save the data if there is an error?

e.g. an error that checks to see if an email is valid.

```php
// eregi() was removed in PHP 7; preg_match() with the /i flag performs the same case-insensitive check.
if (!preg_match('/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/i', $email)) {
    $message15 = "Error: Please email is in the right format";
    // URL-encode the message so spaces and punctuation survive the redirect.
    header("Location: newcustomer.php?message15=" . urlencode($message15));
    exit();
}
```

Link to comment: https://forums.phpfreaks.com/topic/96675-validation-store-the-data-before-page-refresh/
Cep Posted March 18, 2008

Sessions
nealios (Author) Posted March 18, 2008

Thanks for your reply. Can you elaborate on how I could do this? Or do you know any useful links?
berridgeab Posted March 18, 2008

I did it the very painful long-winded way of:

1. Page loads and checks if the user has submitted anything previously.
2. If no, then just load the page as normal with the form and empty fields.
3. If yes, then omit the same form, but simply grab all the values from the $_POST and fill them in as the default value for a field.

This is extremely long-winded, and there is probably a far easier way of doing this, however this is the only way I knew how to. Also this will only work with HTML entities that allow default values to be filled in first.
Cep Posted March 18, 2008

If you check the forum there is a post regarding Sessions. Also you can use the PHP manual at www.php.net and here in the function reference: http://www.php.net/manual/en/ref.session.php

Never use $_POST or $_GET for this type of thing (unless there is a very good reason) as these two data resources can be changed by a malicious user.
berridgeab Posted March 18, 2008

Hi,

In regard to the possibility of a MySQL attack it is not a problem as we are not storing the values into the MySQL database yet, we are simply omitting what the user previously typed in.

I cannot send or reply to PMs for some reason so I will post here. The way I would do it is:

```php
<?php
// Form.php

// Check if user has submitted the form
if (isset($_POST['submit'])) {
    // Get data and do error checking here, i.e. remove slashes etc.;
    // I assume you already have this in place
    $data  = $_POST['name'];
    $data2 = $_POST['age'];

    // Some basic error checking; you will want way more than this in
    // your final script but it is just for example
    if (empty($data) || empty($data2)) {
        // Output an error message and redisplay your HTML form
        echo "Error! You have not filled in the required fields";
        include('form.php');
    } else {
        // Store data into your database
    }
}
// Else if the submit button was not pressed (i.e. user has only just arrived at the form)
else {
    include('form.php');
}
?>
```

Then for your HTML form I would have something like:

```php
<input type="text" name="name" class="text" value = "<?php echo $_POST['name']; ?>" />
```

Basically this sets the default value of the Name text field to whatever was posted previously. If nothing was posted previously (i.e. no data has been submitted yet), then the default value would be nothing or NULL and just show an empty text box.

As I mentioned before this is a bad way of doing what you need and is long-winded, however I know of no other way of doing this.
Cep Posted March 18, 2008

SQL Injection is not the only form of attack a $_POST or $_GET resource can leave you open to if you do not properly validate the data being entered.

Sessions are much more secure than using $_POST or $_GET. Plus with Sessions you are not having to re-process the information, the server already has it.
berridgeab Posted March 18, 2008

Was not aware of that. What kind of attack could someone perform if all you are doing is re-displaying the data like the example above? I'm a bit worried now as I use that in one of my websites which is open to public access.
Cep Posted March 18, 2008

That is where you are wrong, you are not just redisplaying information, you are allowing a user to perform a task on the server by leaving an opening in your code. Your display is only an outputted process from the server once your script has executed.

If I inserted malicious code into that opening that then executed on your server before the remainder of your script I could make it do a whole heap of things, even exiting your script entirely.

You need to be aware of cross site scripting attacks, XSS (I would google it if you are not aware).
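Added example, not part of any post in the thread: one way to keep a rejected submission across the redirect in a session-backed store and to escape it when the form is redrawn, since values held in the session still originate from the user. The field names, the `form_flash` key, `insert.php` and all function names are assumptions made for illustration.

```php
<?php
// Added example; all names here are assumptions, not code from the thread.

// Escape a value for HTML element or attribute context.
function e(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Insert script side: validate and return [submitted values, errors].
function validate_customer(array $post): array {
    $old = ['name'  => trim((string)($post['name'] ?? '')),
            'email' => trim((string)($post['email'] ?? ''))];
    $errors = [];
    if ($old['name'] === '') {
        $errors['name'] = 'Name is required.';
    }
    if (filter_var($old['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Please enter a valid email address.';
    }
    return [$old, $errors];
}

// Form page side: read the stored values once, then clear them.
function flash_take(array &$session): array {
    $flash = $session['form_flash'] ?? ['old' => [], 'errors' => []];
    unset($session['form_flash']);
    return $flash;
}

// Rebuild the form; every user-supplied value passes through e().
function render_form(array $flash): string {
    $html = '<form method="post" action="insert.php">' . "\n";
    foreach (['name', 'email'] as $field) {
        if (isset($flash['errors'][$field])) {
            $html .= '<p class="error">' . e($flash['errors'][$field]) . "</p>\n";
        }
        $html .= '<input type="text" name="' . $field . '" value="' . e($flash['old'][$field] ?? '') . "\">\n";
    }
    return $html . '<input type="submit" name="submit" value="Save"></form>' . "\n";
}

// Constructed input; $session stands in for $_SESSION after session_start().
$session = [];
[$old, $errors] = validate_customer(['name' => 'Ann"><b>x</b>', 'email' => 'not-an-email']);
if ($errors) { // a real insert script would now send header('Location: newcustomer.php') and exit
    $session['form_flash'] = ['old' => $old, 'errors' => $errors];
}
echo render_form(flash_take($session));
```

In the output the quote and angle brackets typed into the name field appear as `&quot;`, `&lt;` and `&gt;` inside the `value` attribute, so the browser shows them as text instead of parsing them as markup.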
Archived
This topic is now archived and is closed to further replies.