validating data in PHP

Question

I have a form like below and I want to get some input from the user. My goal is to validate the data before submitting into database. My question is how do I do this ?

<form action="../actions/insertcomment.php" method="post">
    <p class ="ctitle">Leave a Comment:</p>
    <p><label for="postid"><b>PostID:</b></label>
       <input type="text" id="postid" name="postid" maxlength="5" /> <br/>

        <label for="name"><b>Name:</b></label>
        <input type="text" id="name" name="name" maxlength="25" /> <br/>

        <label for="email"><b>Email:</b></label>
        <input type="text" id="email" name="email" maxlength="50" /> <br/>

        <label for="website"><b>Website:</b></label>
        <input type="text" id="website" name="website" maxlength="25" /> <br/>

        <label for="content"><b>Comment:</b></label>
        <textarea id="content" name="content" cols="10" rows="4" maxlength="100"></textarea> <br/>

        <input type="submit" value="Submit Comment" name="submit_comment" /> <br/>
    </p>
</form>

and my insercomment.php is as follows:

<html>
<link rel = "stylesheet" type = "text/css"
          href = "../common/style.css" />
<?php
include("../common/dbconnect.php");
$con=new dbconnect();
$con->connect();
error_reporting(E_ALL);

 //$postid= $_GET['id'];

if($_POST) {

    $postid= $_POST['postid'];
    $users_name = $_POST['name'];
    $users_email = $_POST['email'];
    $users_website = $_POST['website'];
    $users_comment = $_POST['content'];

    $postid = htmlspecialchars($postid);
    $users_name = htmlspecialchars($users_name);
    $users_email = htmlspecialchars($users_email);
    $users_website = htmlspecialchars($users_website);
    $users_comment = htmlspecialchars($users_comment);



$sSql = "INSERT INTO comments
 ( post_id,name, email, website,content)
 VALUES ( $postid, '$users_name',
        '$users_email', '$users_website', '$users_comment' )";

    //echo $sSql;
    mysql_query($sSql);
    //$update=mysql_affected_rows();
    //echo "<h2>$update Record Inserted</h2><br />";
    echo '<h2> Your Comment is submitted</h2><br />';
}

?>

Here I am not using " method="post"> Any code or example for this kind is appreciated.

score 1 · Answer 1 · answered Jul 14 '12 at 13:10

1

The best way would be to check if the data is valid, befor the sql statement.

Pseudocude:

$data1 = $_POST['xyz']; //text
$data2 = $_POST['abc']; //number
...

errors = array
if(data1 is not text) errors[] = data1 must be text
if(data2 is not number) errors[] = data2 must be number
...

if(count(errors) > 0) return errors
else

do the sql insert
return "thank you message"

answered Jul 14 '12 at 13:10

helle

11,183
9
56
83

and as John Wheal postet, you should check for sql-injection as well!! – helle Jul 14 '12 at 13:14

score 1 · Answer 2 · answered Jul 14 '12 at 13:11

1

You should certainly sanitize your inputs to prevent injection:

    $postid= mysql_real_escape_string($_POST['postid']);

This will make all your inputs safe to insert into the database.

answered Jul 14 '12 at 13:11

John Wheal

9,908
6
29
39

Wern Ancheta · Answer 3 · 2012-07-14T13:24:20.113

You can use filter_input to validate data in php. You can read more about it here:

filter_input in php

Here's an example on how to use it to validate an email:

$email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);

Where INPUT_POST is the method, email is the name of the field ($_POST['email']) and FILTER_VALIDATE_EMAIL is the validation option.

You might want to consider using prepared statements in mysqli or pdo to make your application more secure.

To check if a variable has a value you can use the function empty:

if(!empty($_POST['email']){
  //do stuff
}

You can also add client-side validation. A good library is the liveValidation which as the name suggests validates user input as they type so that the user won't have to wait for the page to refresh before they get feedback whether their form has been successfully submitted or not.

score 1 · Answer 4 · edited May 23 '17 at 10:09

1

My experience says that you should check your input with if-else statement before doing an insert to DB. The most important thing is to use prepared statement. Don't pass raw strings like that. Always use prepared statement for your forms.

Refer this: Best way to prevent SQL Injection

edited May 23 '17 at 10:09

Community

1
1

answered Jul 14 '12 at 13:20

emeraldhieu

9,380
19
81
139

score 1 · Answer 5 · answered Dec 28 '12 at 06:18

I suggest you use sanitize the strings for SQL injections using mysql_real_escape_string(). Validate using if else statements. Fore example

if ($_POST['name']...) 
{
    echo "fill in those fields!";
}
else
{
    do stuff...
}

By the way you should be using a PDO prepared statement and not echoing HTML with PHP.

score 0 · Answer 6 · answered Jul 14 '12 at 13:13

0

You can do like this :-

if(isset($_POST))
{
     if($_POST['postid']!="" && $_POST['name']!="" &&.....)
     {
         //do your insertion here 
     }
     else
       echo "oops !! Something is missing";
}

answered Jul 14 '12 at 13:13

Rakesh Shetty

4,548
7
40
79

validating data in PHP

6 Answers6