Getting Started with Server-Side Validation

Heya, speckledapple. Welcome to TSDN!

Let's see what we can do to help you out.

What do you want your code to do? Give an example.
What is your code doing that you don't want it to do? Give an example.
What is your code *not* doing that it is supposed to? Give an example.

Well to answer the first question I want the code to take values from my form and validate each one. Now as you will see in the code i posted here( not the previous one) i managed to check for values if certain text inputs were empty. However, i am having trouble figuring out how to accept the input values for two radio buttons ( male or female) and birth month, day and year drop down menus. I have also done the coding for requiring no less than 6 inputs for the id and password fields but havent checked for spaces which i want none. Also accepting the input for a check box. Further more noting that not all inputs are required, i only checked empty values for those ones that are required.

[PHP]
<? php

$first = $_POST[\'firstName\'];
$last = $_POST[\'lastName\'];
$country = $_POST[\'countryId\'];
$gender = $_POST[\'genderId\'];
$city = $_POST[\'cityId\'];
$bmonth = $_POST[\'birthMonth\'];
$bday = $_POST[\'birthDay\'];
$byear = $_POST[\'birthYear\'];
$ethoid = $_POST[\'ethoId\'];
$email = $_POST[\'emailId\'];
$pass1 = $_POST[\'pass1\'];
$pass2 = $_POST[\'pass2\'];
$verimage = $_POST[\'verId\'];
$agree = $_POST[\'agreeId\'];

if (($pass1)!=($pass2))
{
header("Location: error-pwrverify.php");
Die();
}

function CheckMail($email)
{
if (eregi("^[0-9a-z]([-_.]?[0-9a-z])*@[0-9a-z]([-.]?[0-9a-z])*\.[a-z]{2,4}$",$email))
{
return true;
}
else
{
return false;
}
}
if ((empty($email)) || (!CheckMail($email)))
{
header("Location: error-email.php");
Die();
}

if (empty($first))
{
header("Location: error-first.php");
Die();
}

if (empty($last))
{
header("Location: error-last.php");
Die();
}

if (empty($country))
{
header("Location: error-country.php");
Die();
}

if (empty($ethoid))
{
header("Location: error-id.php");
Die();
}

if (empty($pass1))
{
header("Location: error-password.php");
Die();
}

if (empty($pass2))
{
header("Location: error-password.php");
Die();
}



$min_lenngth = 6;
if(strlen($ethoid) < $min_lenngth || strlen($pass1) < $min_lenngth)
{
header("Location: error-short.php");
Die();
}
?>

[/PHP]

Heya, speckledapple.

I'm curious as to why you escaped your quotes when referring to $_POST indexes.

Heya, speckledapple.

I'm curious as to why you escaped your quotes when referring to $_POST indexes.

what do you mean? each $_POST index has quotes around it.

Heya, speckledapple.

what do you mean? each $_POST index has quotes around it.

Yes, but I'm curious why you escaped the quotes.

I.e.,
instead of

Heya, speckledapple.



Yes, but I'm curious why you escaped the quotes.

I.e.,

Expand|Select|Wrap|Line Numbers

1. $first = $_POST[\'firstName\'];
2.  

instead of

Expand|Select|Wrap|Line Numbers

1. $first = $_POST['firstName'];
2.  

ouch u got a point, i didnt even realize that. thx for the correction. but im sstill having issues with how to do the other stuff

Heya, speckledapple.

Ok. So:

I love how you have a genderID, by the way. Just in case we ever come up with a third gender, your code is covered :P

Alright. For checking dates and times, you'll probably find it useful to compare the data returned by strtotime().

In terms of radio boxes, try to see what each checkbox sends with the form.

Please check all variables with isset() or empty before using them (this means BEFORE assigning the $_POST data to a variable) and use full URLs with the 'Location:' header, 'http://' and all, or it will not obey the RFC standards, which also means that browsers aren't required to know where you are trying to redirect to, which can cause problems in certain browsers.

Ok i used this code to check if my gender radio boxes were not selected because the values of each box is male and female respectively. But it doesnt work. I also want to try and check for spaces in the username,id and password input fields. I also want to incorporate the agree to terms of service checkbox but its in different form so i dont know how unless i inport it or make it global.

Ok i used this code to check if my gender radio boxes were not selected because the values of each box is male and female respectively.

Then test. Add "print_r($_POST)" to your results and post the form without selecting a gender to see what you get.

I also want to try and check for spaces in the username,id and password input fields.

You may be interested in the character type functions, such as ctype_alnum().

I also want to incorporate the agree to terms of service checkbox but its in different form so i dont know how unless i inport it or make it global.

Why separate the forms...?

Ok i decided to just switch the gender input to text input fields cause i couldnt figure out the radio buttons. Now im trying to display error messages to each of the fields. However, i decided it would be easier just to make all the errors go to one page and just display the field thats in error. This is the code im trying to use.

[PHP]$msg = "";

if (empty($gender))
{
$msg = 'You did not enter properly';
header("Location: error.php");
Die();
}[/PHP]


And this is the way i display it on the error page:
[PHP]<?php
if(isset($msg)){
echo $msg;
}
?>[/PHP]

So far it shows up a blank page. Im trying to get it so i can output different error messages using one variable depending on if the statement is true. That way i can just cut down on making a billion error pages for each one.

Ok i decided to just switch the gender input to text input fields cause i couldnt figure out the radio buttons.

... That's just lazy. You've disappointed me.

Now im trying to display error messages to each of the fields. However, i decided it would be easier just to make all the errors go to one page and just display the field thats in error.

It'd actually be easier to display the errors on the same page as the form so that you can easily allow them to fix the errors.

[PHP]$msg = "";

if (empty($gender))
{
$msg = 'You did not enter properly';
header("Location: error.php");
Die();
}[/PHP]


And this is the way i display it on the error page:
[PHP]<?php
if(isset($msg)){
echo $msg;
}
?>[/PHP]

And how, exactly, do you expect $msg to get to error.php? $msg only exists on the page that you create it on. When you alter the 'Location' header, you are changing the page that you are on, not just the visual aspects.

So far it shows up a blank page. Im trying to get it so i can output different error messages using one variable depending on if the statement is true. That way i can just cut down on making a billion error pages for each one.

All you need is one page to hold the form, process the form, and show errors regarding the processing of the form.

...
All you need is one page to hold the form, process the form, and show errors regarding the processing of the form.

Sounds like AJAX to me. This would enable you to validate any item you wish as the user enters, including checking against the database.

If you want an example of this is in practice visit my site - currently under development.

It means that the user can see what is wrong and they are only allowed to proceed when the form is correct.

It is also good practice (to put it lightly) to validate the data server side as well.

Cheers
nathj

Ok update.....

I managed to go back and properly error check the gender radio buttons( yes i figured it out). I also managed to organize it so it all goes to one error page. Now im working on the database process section and i have it pretty much done except im getting this error when i submit my form. Tried changing a few things and taking out sections of code but it still errors. Theres nothing even on the line so im expecting its something else.

Parse error: syntax error, unexpected $end in /home/simpl64/public_html/ethos/confirm.php on line 189

Heya, speckledapple.

That error means that you opened a curly brace somewhere and didn't close it.

Thanks, its funny that it caused that. Anyway, i now have another error that I cant figure out because i know the syntax is right. But its providing an error as if its invalid.

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource

I have this on two statements in my code...
[PHP]$check = mysql_query("SELECT ethoId FROM member WHERE ethoId = '$ethoid'");
$returned = mysql_fetch_array($check);

if(!empty($returned))
{
echo " This user already exists!";
mysql_close($member);
Die();
}
else
{
$check = mysql_query("SELECT email FROM member WHERE emailId='$email'");
$returned = mysql_fetch_array($check);
if(!empty($returned))
{
echo " This email already is with another account!";
mysql_close($member);
Die();
}[/PHP]

Heya, speckledapple.

Try adding this after every mysql_query:
You might also want to save your sql into a variable so you can output that, too. E.g.:

Ok back again and i seem to be rolling until i hit a bit of a snag. I am getting this error message....

Column count doesn't match value count at row 1

I used the mysql_error to figure that part out. Not understanding why im getting it though. This is the code i think its talking about...

[PHP]$pass1=md5($pass1);
$confirm_code = md5(uniqid(rand()));
$request = "INSERT INTO member values(NULL,'$first','$last','$gender','$country', '$city','$state','$bmonth','$bday','$byear', '$ethoid','$pass1','$email','$confirm_code')";
$results = mysql_query($request);
echo mysql_error();[/PHP]

Disregard that last post, i got that working. Now im stuck though. This problem is a bit harder. I set up an email confirmation script that should update a column in my database when they click the link in their email. However, i am having trouble finding the right record. I think i got the selecting of the column down but the update statement doesnt compute because the ID column is not a variable in the script. So the "where" part in the update statement doesnt work. This is the script, im just trying to update one column out of 15.

[PHP]$yes = "yes";
// Retrieve data from table where row that match this passkey
$sql1 = "SELECT confirm_code FROM member WHERE confirm_code ='$passkey'";
$result1 = mysql_query($sql1);

if($result1){

// Count how many row has this passkey
$count=mysql_num_rows($result1);
if($count==1){

$sql2 = "UPDATE member SET confirmed = '$yes' WHERE id = 'id'";
$result2 = mysql_query($sql2);
echo $sql2, mysql_error();[/PHP]

Heya, speckledapple.

Try this as your first query:
Then adjust the rest of your code where appropriate.

I tried that and i see the problem just dont know how to tackle it. The issue seems that I have no variable to classify in the UPDATE line for id. I have an id column. But it doesnt update the confirmed column to a "yes" when the link is clicked. So i selected id from the table but how do i get into a variable that can be used in the update line so it knows which record im talking about? Because in its current form, if there was more than one record it would be a problem but its not even updating one record.

[PHP]$sql3 = "SELECT id FROM member WHERE confirm_code ='$passkey' limit 1";
$result1 = mysql_query($sql3);
if($result1){

// Count how many row has this passkey
$count=mysql_num_rows($result1);
if($count==1){
echo $sql3, '<br/>', mysql_error();
$sql4 = "UPDATE member SET confirmed = '$yes' WHERE id = '$sql3'";
$result2 = mysql_query($sql4);
}[/PHP]

Heya, speckledapple.

Hint:

Ok, i have broken down the code step by step using the print_r and echo functions to have some kind of result print on the screen. While in the course of doing this i figured out that in the first part of the statement where it selects the records from the database, the resource id ends up always being 31. Obviously there is not 31 records in my database, its only one currently. so i think my problem is the actual selecting of the right ID and then to actually update a specific column in that row. So far ive just hit a nice large wall.

[PHP]$passkey=$_GET['passkey'];
$yes = "yes";
// Retrieve data from table where row that match this passkey
$sql3 = "SELECT id FROM member WHERE confirm_code ='$passkey'";
$result1 = mysql_query($sql3);
$userdata = $result1;


if($result1){

$sql4 = "UPDATE member SET confirmed = '$yes' WHERE id = '$userdata'";
$result2 = mysql_query($sql4);
print_r($sql4);
}
// if not found passkey, display message "Wrong Confirmation code"
else {
echo '<div class="error"> Wrong Confirmation Code!! </div>';
}

if($result2){

echo '<div class="error"> Your account has been confirmed.<br/>Welcome to <br/><strong>Ethos</strong>!!</div>';
mysql_close($member);
Die();
}[/PHP]

Heya, SpeckledApple.

Change this line:
To this:

Ok since i last posted i have done very well in my php coding but now im kinda stuck again. But this time more in phpMyAdmin. Does anyone know how to link tables in that program because is surely cant find an option for it?

Ok since i last posted i have done very well in my php coding but now im kinda stuck again. But this time more in phpMyAdmin. Does anyone know how to link tables in that program because is surely cant find an option for it?

Link Table in PhpMyAdmin? Could you please be more specific?

Heya, Speckled.

Changed thread title to better describe the problem; I don't know how we missed it for so long....

Are you trying to set up foreign key constraints?

Well yea i am trying to link tables in a database in phpMyAdmin using foreign keys. But theres no specific option in that program to do it.

Heya, Speckled.

Are these InnoDB tables or MyISAM (check the operations page for an individual table)?

its an MyISAM table but something tells me, or at least from what i have read, it seems like the other type is better. Especially for a forum that im building from scratch, thats my project btw :)

its an MyISAM table but something tells me, or at least from what i have read, it seems like the other type is better. Especially for a forum that im building from scratch, thats my project btw :)

Hi speckledapple,

At the risk of wading in a bit late on and of being somewhat contreversial I wouldn't bother linking the tables like that.

I've worked on huge databases, both web based and on desktop apps and never bothered with this explicit linking. As long as you know and document what the links are you can code with them in mind. You are then not reliant on something else.

I know there are many arguments against this but I prefer the extra control I get this way. As long as you know when you delete a record, for example, that you need to check other tables as well all will be fine.

As you appear to be building something from scratch you could certainly code this sort of checking in now in your data object and all will be well. It's certainly easier than figuring out PHPMyAdmin - which BTW I really dislike.

That's my take on this particular issue.

Cheers
nathj

I concur with Nathj.

MyISAM is faster than InnoDB, and good exception handling will negate the loss of transactions and foreign key constraints.

OK i seem to be having a simple problem with date and time. At first i had one field to record both the date and time at the time of registration. But i split it into two columns, one date, one time. Though im quite sure the format i put forth is right, its still displaying either blank or wild numbers that obviously dont make any sense. For instance....
[PHP]$date = date("Y-m-d");
$time = time()[/PHP]
That is the code i wrote to put time and date into variables.

regDate
0000-00-00

regTime
838:59:59

And that is the output in the table. The time i know is way off cause i tried it twice and got the same number. And the date just displays 0 like its getting no information. Now the coding should give me current date and time but it doesnt.

Heya, Speckled.

time() outputs the current number of seconds since December 31, 1969 23:59:59, which is probably not what you are going for.

Try this instead: