Hello, I'm new here and I signed up because I am learning PHP and trying to put together a website. I am currently attempting to build a form validation system that will highlight the names of input fields that contain improper data. I am using a session to store a string that contains the names of the input fields with errors. The code in the form is supposed to search the string in the session variable for its name and print "error" if it finds it. But the HTML code never seems to parse more than once.
<?php
session_start();
$_SESSION['vars'];
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Sign Up Form</title>
<script type="text/javascript" src="country.js"></script>
<style type="text/css">label.error {color:#ff0000}</style>
</head>
<body>
<?php
// connect_db() is a function that will connect with the server and display error messages when it cannot connect
function connect_db()
{
include('db_login.php'); // db_login contains the connection details
$db_handle = mysql_connect($server,$username,$password);
if(!$db_handle) // Cannot connect
{
die('Could not establish connection with database.<br />' . mysql_error());
}
else // Does connect
{
print $db_handle . " Connection to database successfully established.\n";
$db_found = mysql_select_db($database);
}
}
// write_user_data() will both validate and post user data to the database
function write_user_data()
{
// Make form data global variables by placing outside any function
$user_intention = mysql_real_escape_string($_POST['user_intention']);
$title = mysql_real_escape_string($_POST['title']);
$first_name = mysql_real_escape_string($_POST['first_name']);
$last_name = mysql_real_escape_string($_POST['last_name']);
$password = mysql_real_escape_string($_POST['password']);
$password1 = mysql_real_escape_string($_POST['password1']);
$phone1 = mysql_real_escape_string($_POST['phone1']);
$email1 = mysql_real_escape_string($_POST['email1']);
$email2 = mysql_real_escape_string($_POST['email2']);
$user_website = mysql_real_escape_string($_POST['user_website']);
$country = mysql_real_escape_string($_POST['country']);
$state = mysql_real_escape_string($_POST['state']);
$full_name = "$first_name $last_name";
// VALIDATE FORM DATA
$form_errors = ''; // Stores the HTML name of all fields with errors (run through real_escape before output)
// EMAIL
if ((preg_match('/^([a-z0-9])(([-a-z0-9._])*([a-z0-9]))*\@([a-z0-9])' .
'(([a-z0-9-])*([a-z0-9]))+' . '(\.([a-z0-9])([-a-z0-9_-])?([a-z0-9])+)+$/i',$email1) === 0) || (empty($email1)))
{
$form_errors = "email1%";
}
if (strcmp($email1,$email2) != 0)
{
$form_errors .= "email2%";
}
// PASSWORD
// Password must be at least 1 and not more than 15 characters long and only contain letters and numbers
if ((preg_match('/^[[:alnum:]]{1,15}$/',$password) === 0) || (empty($password)))
{
$form_errors .= "password%";
}
if (strcmp($password,$password1) != 0)
{
$form_errors .= "password1%";
}
// NAMES
if ((preg_match('/[^a-z]/i',$first_name) != 0) || (empty($first_name)))
{
$form_errors .= "first_name%";
}
if ((preg_match('/[^a-z]/i',$last_name) != 0) || (empty($last_name)))
{
$form_errors .= "last_name%";
}
// Reprint form with CSS classes relabeled to error
// Does the form have errors?
if (!empty($form_errors))
{
print "Attempting to register variables in session array:<br />";
echo ('$form_errors') . " = " . $form_errors . "<br />";
$_SESSION['vars'] = $form_errors;
print_r($_SESSION['vars']);
}
else
{
// Set what is to be sent
$query = "INSERT INTO user (id,user_intention,title,first_name,last_name,password,phone1,email1,user_website,country,state)
VALUES ('','$user_intention','$title','$first_name','$last_name','$password','$phone1','$email1','$user_website','$country','$state')";
if (!mysql_query($query))
{
die('Error: ' . mysql_error());
}
print $full_name . " was successfully added to your database.<br />";
}
}
if ($_POST['process'] === '1')
{
print "Process = 1";
connect_db();
write_user_data();
}
else
{
print "Process = 0";
}
?>
<form action="signup1.php" method="POST">
<table width="98%" border="0">
<tr>
<td>
Complete the form below to sign up.
</td>
</tr>
<tr>
<td>
<label>
<b>Are you an: </b>
<select name="user_intention">
<option>Investor</option>
<option>Entrepreneur</option>
<option>Both</option>
</select>
</label>
</td>
</tr>
<tr>
<td>
<label>
<b>Title: </b>
<select name="title">
<option>Mr</option>
<option>Ms</option>
<option>Mrs</option>
</select>
</label>
</td>
</tr>
<tr>
<td>
<label class=<?php if(strpbrk($_SESSION['vars'],"first_name%") != false){ echo ('"first_name"'); } else { echo ('"error"'); } ?>>
<b>First Name: </b><input type="text" name="first_name" />
</label>
<label class="last_name">
<b>Last Name: </b><input type="text" name="last_name" />
</label>
</td>
</tr>
<tr>
<td>
<label class="password">
<b>Password: </b><input type="text" maxlength="15" name="password" />
</label>
<label class="password1">
<b>Confirm Password: </b><input type="text" maxlength="15" name="password1" /><br />
Your password may be up to 15 characters in length and may contain only letters and numbers.
</label>
</td>
</tr>
<tr>
<td>
<label>
<b>Phone Number: </b><input type="text" name="phone1" />
</label>
</td>
</tr>
<tr>
<td>
<label class = "email1">
<b>Email :</b><input type="text" name="email1" />
</label>
<label class="email2">
<b>Confirm Email :</b><input type="text" name="email2" />
</label>
</td>
</tr>
<tr>
<td>
<label>
<b>Website URL: </b><input type="text" name="user_website" />
</label>
</td>
</tr>
<tr>
<td>
<label>
<b>Country: </b><select id='countrySelect' name='country' onchange='populateState()'></select>
<select id='stateSelect' name='state'></select>
<script type="text/javascript">initCountry('US');</script>
</label>
</td>
</tr>
<tr>
<td>
<input type="hidden" name="process" value="1" />
<input type="submit" value="Go!" />
</td>
</tr>
</table>
</form>
</body>
</html>
I have pasted the code in its entirety because I think that the problem may be that PHP does parse the way I think it does. If anyone can see anything obviously wrong with the program flow please let me know. All critiques are welcomed, but please be kind 🙂
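
One way to do the field-highlighting check described in the post, as an added example that is not part of the original post: the invalid field names are kept as an array (which can be stored in `$_SESSION['vars']` as is) and looked up with `in_array()`. The function names `validate_signup()` and `label_class()` and the sample input are made up for illustration; PHP 7.4 or later is assumed.

```php
<?php
// Added example; helper names and sample data are constructed for illustration.

// Returns the names of the fields that failed validation (empty array = valid).
// Checks run on the raw input; SQL escaping or binding belongs at query time.
function validate_signup(array $in): array
{
    // Non-string values (e.g. email1[]=x submitted as an array) count as empty.
    $get = fn(string $k): string => is_string($in[$k] ?? null) ? $in[$k] : '';
    $errors = [];

    if (filter_var($get('email1'), FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email1';
    }
    if ($get('email1') !== $get('email2')) {
        $errors[] = 'email2';
    }
    // Anchored with ^ and \z: the whole value must be 1 to 15 letters or digits.
    if (preg_match('/^[a-z0-9]{1,15}\z/i', $get('password')) !== 1) {
        $errors[] = 'password';
    }
    if ($get('password') !== $get('password1')) {
        $errors[] = 'password1';
    }
    foreach (['first_name', 'last_name'] as $field) {
        if (preg_match('/^[a-z]+\z/i', $get($field)) !== 1) {
            $errors[] = $field;
        }
    }
    return $errors;
}

// Class for a field's <label>: "error" if the field is in the list, else its own name.
function label_class(array $errors, string $field): string
{
    // in_array() matches whole names; strpbrk() treats its second argument as a
    // set of single characters, so it also "finds" first_name% inside email2%.
    $class = in_array($field, $errors, true) ? 'error' : $field;
    return htmlspecialchars($class, ENT_QUOTES, 'UTF-8');
}

// Constructed sample submission: mismatched e-mail confirmation, digit in first name.
$post = ['email1' => 'ann@example.com', 'email2' => 'ann@example.org',
         'password' => 'secret12', 'password1' => 'secret12',
         'first_name' => 'Ann3', 'last_name' => 'Lee'];
$errors = validate_signup($post);   // would be stored as $_SESSION['vars'] = $errors;

foreach (['first_name', 'last_name', 'email1', 'email2'] as $field) {
    printf("<label class=\"%s\">%s</label>\n", label_class($errors, $field), $field);
}
```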