Validate form and insert into Database with PHP [closed]

3

Hello

I'm still a beginner in PHP and I staggered by validating the contact form on my site.

It completes client-side validation using Javascript, but the server side is still not completing the task, so ask for your help.

I have the HTML form below:

<form id="form" name="contactForm" method="post" action="php/Form.php">
            <div>
                <label for="name">Your name</label> 
                <input type="text" id="name" name="name" maxlength="40" placeholder="Write your Name"   >
                <span class="error"><?php echo $nameError;  ?></span>
            </div>
            <div>
                <label for="email">Your email</label>
                <input type="email" id="email" name="user_mail" placeholder="[email protected]">
                <span class="error"><?php echo $emailError;  ?></span> 
            </div>                
            <div>
                <label for="topic">Select Topic</label>
                <select id="topic" name="topic">
                    <option selected disabled hidden value="">Choose a Topic</option>
                    <option value="link">Site Link</option>
                    <option value="copyright">Copyright</option>
                    <option value="errors">Site/Article errors</option>
                    <option value="feedback">Feedback</option>
                    <option value="other">Other</option>
                </select>
                <span class="error"><?php echo $topicError;  ?></span>
            </div>                
            <div>
                <label for="msg">Your message</label>
                <textarea id="msg" name="user_message" placeholder="Write your message"></textarea>
                <span class="error"><?php echo $msgError;  ?></span>
            </div>                
            <div class="button">
                <button type="submit" id="submit" name="submit"  value="true">Submit</button> 
                <span class="success"></span>
            </div>
        </form>

And in form_contacts.php I wrote the following code:

$servername = "localhost:3306";
$username = "root";
$password = "";
$dbname = "site_comboios";


$name = $_POST['name'];
$email = $_POST['user_mail'];
$topic = $_POST['topic'];
$msg = $_POST['user_message'];


if( isset( $_POST['submit'])) {
if(empty( $name) || isset($name) ) {
    $nameError = "Name is required" ;
}

if(empty( $email) || isset($email)) {
    $emailError = "Email is required";
} elseif(filter_var($email,FILTER_VALIDATE_EMAIL)) {
  $emailError = "Please insert a correct email address";  
}  

if(empty( $topic) || isset($topic) ) {
    $topicError = "Please choose a topic";
} 

if(empty( $msg) || isset($msg) ) {
    $msgError = "Let us know your opinion";
}
}

//Create connection to database
$mysqli = new mysqli($servername, $username, $password, $dbname);

//check connection
if($mysqli->connect_errno) {
echo 'Error connecting to database';
}

//Prepared Statement
$stmt = $mysqli->prepare("INSERT INTO contacts(Nome, Email, Topico,  Mensagem)  VALUES(?, ?, ?, ?)" );
$stmt->bind_param('ssss', $name, $email, $topic, $msg);
$stmt->execute();

What happens when you press the "Submit" button, it is submitted even without any data entered! (this test is always done with Javascript turned off, of course)

Does not do any validation and a new record is always created in the database.

What am I doing wrong in the validation part?

Thanks for the help

    
asked by anonymous 28.12.2016 / 02:22

1 answer

0

By analyzing your code, you see the lack of validation of when a new record should be inserted.

You see, you validate input to input . But it does not validate whether or not to be inserted, just insert.

Based on your validation, the fastest solution would be to replace the error variables with an array (it's easier to validate).

$errorList = [];

if(empty($_POST['user_mail'])) {
    $errorList["emailError"] = "Email is required";
} else {
    $email = test_input($_POST['user_mail']);
}

And validate if there are error messages:

if (count($errorList) == 0) {
    $sql = "INSERT INTO formulario_contactos (Nome, Email, Topico, Mensagem)
    VALUES ('$name', '$email' , '$topic' , '$mensagem')";

    if ($conn->query($sql) === TRUE) {
        echo 'Your message has been successfully sent';
    } else {
        echo 'Error'. $sql . $conn->error;    
    }
} 
else 
{
    /** tratamento de erros **/
}

This would solve the validation problem when submitting your form. However, your code does not only have this problem. The first is that he is vulnerable. The mysqli_real_escape_string function is not to protect your code, just to escape some characters, use prepared statements instead. You can read more about SQL injection at the link below. There is only one topic about mysqli_real_escape_string . link

By performing the above procedure, the test_input function becomes useless. Excluding only trim that can be used in some cases that really can not occur extra spaces.

The sanitization you are performing is meant to be exhibit, nothing more. It's not a security, so in addition to prepared statements , there's no need for more for your code. Sanitizations for display must be done at the time of display and not at the time of insertion.

    
28.12.2016 / 13:21