help with form validation

ouch_

Hi,
I'm not sure how i code my validation is check password and confirm password as well as email and confirm e-mail to verify if they are the same.

I have already added a required field validation using javascript with dreamweaver. Anyone can help me on this one? Thanks.

function MM_validateForm() { //v4.0
  var i,p,q,nm,test,num,min,max,errors='',args=MM_validateForm.arguments;
  for (i=0; i<(args.length-2); i+=3) { test=args[i+2]; val=MM_findObj(args[i]);
    if (val) { nm=val.name; if ((val=val.value)!="") {
      if (test.indexOf('isEmail')!=-1) { p=val.indexOf('@');
        if (p<1 || p==(val.length-1)) errors+='- '+nm+' must contain an e-mail address.\n';
      } else if (test!='R') { num = parseFloat(val);
        if (isNaN(val)) errors+='- '+nm+' must contain a number.\n';
        if (test.indexOf('inRange') != -1) { p=test.indexOf(':');
          min=test.substring(8,p); max=test.substring(p+1); 
          if (num<min || max<num) errors+='- '+nm+' must contain a number between '+min+' and '+max+'.\n';
    } } } else if (test.charAt(0) == 'R') errors += '- '+nm+' is required.\n'; }
  } if (errors) alert('The following error(s) occurred:\n'+errors);
  document.MM_returnValue = (errors == '');
}

Rodney_H_

I am not sure I totally understand what you are asking, but me thinks the code you posted is JavaScript and not PHP. Did you want a critique of the JavaScript? If so, a JS forum may be better for you. Do you want to do something in PHP that you are currently using JS for? Please clarify your question.... Thanks.

(Maybe I don't understand cos I need more sleep LOL...)

Roger_Ramjet

Regardless of whether your js works or not you need to verify the data in the target script. This is because people can have js turned off, or override it with their own code. So, first thing you need to do is to read mysql_real_escape_string and use the 'best practice code there on your user input.

To verify that all fields are complete and the relvent ones match you need to do something like this

$missing = array();
// check all required field have an entry
if (!isset($_POST['email1'])) { $missing[] = 'email1'}
if (!isset($_POST['email2'])) { $missing[] = 'email2'}
if (!isset($_POST['pass1'])) { $missing[] = 'pass1' }
if (!isset($_POST['pass2'])) { $missing[] = 'pass2' }
// is any fields were missing then send a message back to the user and abort processing
if (count($missing) > 0 ) {
   echo 'the following fields are required : ' . implode($missing, ',');
   exit;
}
// now check that the values match

if ($_POST['email1'] != $_POST['email2']) {
   echo 'the email entries do not match, please resubmit';
   exit;
}

// etc for password

$email = quote_smart($_POST['email1']);
// etc for all fields - quote_smart is the best parctice code I mentioned

ouch_

actually, ya i was asking abt Js and sorry i didnt know i was to post php codes only. But i can also use php codes if it works. i will try it out. thanks.

ouch_

i'm not sure where i should add those codes.

i dont need validations for null values. Just need to compare password and confirm password as well as email and confirm e-mail.

Been trying various ways to insert codes but i get undefined errors.

my codes. Someone give me guidance where i should add please. 😕

<?php require_once('../Connections/a.php'); ?>
<?php
// *** Redirect if username exists
$MM_flag="MM_insert";
if (isset($_POST[$MM_flag])) {
  $MM_dupKeyRedirect="register.php?error=cuid";
  $loginUsername = $_POST['uid'];
  $LoginRS__query = "SELECT uid FROM usertbl WHERE uid='" . $loginUsername . "'";
  mysql_select_db($database_a, $a);
  $LoginRS=mysql_query($LoginRS__query, $a) or die(mysql_error());
  $loginFoundUser = mysql_num_rows($LoginRS);

  //if there is a row in the database, the username was found - can not add the requested username
  if($loginFoundUser){
    $MM_qsChar = "?";
    //append the username to the redirect page
    if (substr_count($MM_dupKeyRedirect,"?") >=1) $MM_qsChar = "&";
    $MM_dupKeyRedirect = $MM_dupKeyRedirect . $MM_qsChar ."requsername=".$loginUsername;
    header ("Location: $MM_dupKeyRedirect");
    exit;
  }
}

function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") 
{
  $theValue = (!get_magic_quotes_gpc()) ? addslashes($theValue) : $theValue;

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;    

    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}
/*if()
{
	if((strcmp($_POST['pwd'],$_POST['cpwd']))==0)
	{

} 
$MM_dupKeyRedirect="register.php";
header ("Location: $MM_dupKeyRedirect");
exit;
}*/
$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
  $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}
if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
 	 $insertSQL = sprintf("INSERT INTO usertbl (uid, pwd, FirstName, LastName, gender, address, `level`, mail, contact) VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s)",
                       GetSQLValueString($_POST['uid'], "text"),
                       GetSQLValueString($_POST['pwd'], "text"),
                       GetSQLValueString($_POST['fname'], "text"),
                       GetSQLValueString($_POST['Lname'], "text"),
                       GetSQLValueString($_POST['gender'], "text"),
                       GetSQLValueString($_POST['address'], "text"),
                       GetSQLValueString($_POST['level'], "text"),
                       GetSQLValueString($_POST['email'], "text"),
                       GetSQLValueString($_POST['contact'], "int"));

mysql_select_db($database_a, $a);
 $Result1 = mysql_query($insertSQL, $a) or die(mysql_error());

$insertGoTo = "register.php?insert=true";
 if (isset($_SERVER['QUERY_STRING'])) {
	$insertGoTo .= (strpos($insertGoTo, '?')) ? "&" : "?";
	$insertGoTo .= $_SERVER['QUERY_STRING'];
 	}
header(sprintf("Location: %s", $insertGoTo));
}

$stat = 'Guest';
?>

Roger_Ramjet

You do all input validation at the top of your target script.

And yes you do need to worry about NULL values unless you want to write scripts that break easily cos this is the web and anything can happen between the client and your server.

jacobjmorris

Hi Roger

Excellent post! I've been needing help with the exact same issue, and your PHP code below is very helpful.

However, I've been reading this page on mysql_real_escape_string. It appears this is a string you use to prevent hackers from accessing your database when submitting data through a form. I'm still unclear as to what it exactly does and how I integrate it into a similar registration form.

Is this string something you should also use on every form field?

Thanks
Jacob

Roger Ramjet wrote:
Regardless of whether your js works or not you need to verify the data in the target script. This is because people can have js turned off, or override it with their own code. So, first thing you need to do is to read mysql_real_escape_string and use the 'best practice code there on your user input.

To verify that all fields are complete and the relvent ones match you need to do something like this
$missing = array();
// check all required field have an entry
if (!isset($_POST['email1'])) { $missing[] = 'email1'}
if (!isset($_POST['email2'])) { $missing[] = 'email2'}
if (!isset($_POST['pass1'])) { $missing[] = 'pass1' }
if (!isset($_POST['pass2'])) { $missing[] = 'pass2' }
// is any fields were missing then send a message back to the user and abort processing
if (count($missing) > 0 ) {
   echo 'the following fields are required : ' . implode($missing, ',');
   exit;
}
// now check that the values match

if ($_POST['email1'] != $_POST['email2']) {
   echo 'the email entries do not match, please resubmit';
   exit;
}

// etc for password

$email = quote_smart($_POST['email1']);
// etc for all fields - quote_smart is the best parctice code I mentioned

Roger_Ramjet

OK. mysql real escape string should be used on any and all user input that will be included in any query on your database. The quote_smart function in the manual caters for all data types and all server configurations and should be used on all input fields that will be built into any query.