Server Side Form Validation

The_MA

A little project for anyone with time on their hands? 😉 I want to add server side validation to this form but don't know where to start - or finish :bemused:

There are just two input fields in this form. device and x10_channel fields from my devices table. Both are NOT NULL required fields. Both are alphanumeric data.

x10_channel MUST be 3 characters long and preferably with an input mask of A00 i.e. a letter A-Z followed by a number 01 - 99.

The device must be between 1 and 6 characters long.

The script minus validation is below.

If server side validation is too tricky - perhaps client side validation would be okay but then not everyone has Javascript enabled.... I thought PHP would be better.

<html><head><title>Add a Device</title></head>
<body>
<?php

session_start();

if (!isset($_SESSION['user']) 
   || $_SESSION['user'] !== true)

{
   header('Location: login.php');
   exit;
}

$query = "LOCK TABLES Class WRITE, Student WRITE";
mysql_query($query);

$self = $_SERVER['PHP_SELF'];

$x10_channel = $_POST['x10_channel'];
$device = $_POST['device'];

if( (!$x10_channel) or (!$device) )
{

  $form ="<table width=\"247\" border=\"1\" align=\"center\" cellpadding=\"1\" cellspacing=\"1\" bordercolor=\"#000000\">";
  $form.="<tr bgcolor=\"#CCCCCC\"><td colspan=\"2\"><font size=\"1\" face=\"Verdana\"><center>";
  $form.="Please enter details of new Device";
  $form.="</td></font>";
  $form.="</tr><tr>";
  $form.="<td><font size=\"2\" face=\"Verdana\"><form action=\"$self\"";
  $form.=" method=\"post\">Device:</td>";
  $form.="<td><input type=\"text\" name=\"device\"";
  $form.=" value=\"$device\"></td></tr><tr><td><font size=\"2\" face=\"Verdana\">X10 Channel:</td>";
  $form.="<td><input type=\"text\" name=\"x10_channel\"";
  $form.=" value=\"$x10_channel\">";
  $form.="<tr><td colspan=\"2\"><center><input type=\"submit\" value=\"Add Device\">";
  $form.="</tr></table></form>";
  echo($form);

}
else
{
  $conn = @mysql_connect("localhost","alexm","rugby")
		        or die("Could not connect to MySQL");
  $db = @mysql_select_db("rugby_project",$conn)
		        or die("Could not select Database");
  $sql = "insert into devices (x10_channel,device)
  values (\"$x10_channel\",\"$device\" )";
  $result = @mysql_query($sql,$conn)
		        or die("Could not execute query - username or phone number already exists");
  if($result)
  { 
echo( "<table width=\"30%\" border=\"1\" align=\"center\" cellpadding=\"4\" cellspacing=\"1\" bordercolor=\"#000000\">
<tr bgcolor=\"#CCCCCC\"> 
<td colspan=\"2\"><font size=\"1\" face=\"Verdana\">
<center>Your $device has now been added to the Database</center></font></td></tr></table><p><font size=\"1\" face=\"Verdana\"><center><a href=\"addcommand.php\">Add More</a><p>" );
  }
}

$query = "UNLOCK TABLES";
mysql_query($query);

?>
<p>
<font size="1" face="Verdana"><center>
<a href="javascript:history.go(-1)">Return to Control Panel</a>&nbsp;&nbsp;|&nbsp;
<a href="logout.php">Log out</a>
</body></html>

Kudose

if(!eregi("^[A-Z][0-9]{2}$", $x10_channel))
  die('x10_channel is in invalid format');
if(!eregi("^[A-Za-z]{1,6}$", $device))
  die('device is in an invalid format.');

Should work.

The_MA

I'm thinking of a loop process? Whereby if it is invalid it will loop back to the inital form and place an error message next to the invalid fields and the loop will continue until there are no errors... is that possible? Alternatively... can the error message appear in a pop up box?

Kudose

I wouldnt do a loop. I would have the form check to see if values are available via GET, if there are none, then it is a new form. If there are values, that means someone messed up and you need to popluate the corresponding fields. You could do it really easily with one form:

<input type="text" name="var1" value="<?php echo $_GET['var1']; ?>">

So if there is no $GET, then the field is blank. To create $GET variables, create an error link with them all in the URL.

i.e.

if(!eregi(...))
  die('<a href="page.php?var1='.$var1.'&var2='.$var2.'">You messed up.</a>');

Hope that helps, kinda in a hurry so I cant explain it very well.

The_MA

sounds good - I'll try 🙂