PHP form validation on same page with external processing

Question

I am trying to wrap up this contact/quote form which has same page validation but external processing. I have set up a variable to go in the form action and the variable/url changes from the same page to the processing page when the form validates. However, it is taking two clicks on the submit button to process the form after all the required fields have been filled in: All the required fields will be filled in, I click submit, the page reloads with the saved data variables and then when I hit submit agin, it finally goes through, sending the email and loading the thankyou page. I have searched the posts here and tried multiple things but have not found a solution. I am definitely not a php expert, still a newbie so this may not be the best way to accomplish this but I'd appreciate any ideas on how to finish this up. Here is what I have:

<?php

....

if (empty($Name) && empty($Company) && empty($Address1) && empty($City) && empty($State) && empty($Phone))
{
    echo '<p class="tan">The fields marked with an * are required.</p>';
$Process = 'samepageurl'; 

}

/*else if (empty($Name) || is_numeric($Name))
{
echo '<p class="tan"><b>Please enter your name.</b></p>';
}*/

else if (empty($Company) || is_numeric($Company))
{
echo '<p class="tan"><b>Please enter your company name.</b></p>';
$Process = 'samepageurl'; 

}

else if (empty($Address1) || is_numeric($Address1))
{
echo '<p class="tan"><b>Please enter your address.</b></p>';
$Process = 'samepageurl'; 

}

else if (empty($City) || is_numeric($City))
{
echo '<p class="tan"><b>Please enter your city.</b></p>';
$Process = 'samepageurl'; 

}

else if (empty($State) || is_numeric($State))
{
echo '<p class="tan"><b>Please enter your state.</b></p>';
$Process = 'samepageurl'; 

}

else if (empty($Phone) || ctype_alpha($Phone))
{
echo '<p class="tan"><b>Please enter your phone number.</b></p>';
$Process = 'samepageurl'; 

}

else if (strlen($Phone) < 10 || strlen($Phone) > 12 || ctype_alpha($Phone) || ctype_space($Phone))
{
echo '<p class="tan"><b>Please enter a phone number with an area code.</b></p>';
$Process = 'samepageurl'; 

}

else if (isset($Name) && isset($Company) && isset($Address1) && isset($City) && isset($State) && isset($Phone))
{
$Process = 'processingurl';
}
?> 

<form action="<?php echo $Process; ?>" method="post" class="print"  >
<p><input type="hidden" name="recipient" value="responses@url.com"/> 
<input type="hidden" name="subject" value="Web Site Response"/>
<input type="hidden" name="redirect" value="thankyou.html"/></p>

... form fields ...

</form>    

Thank you in advance!

Answer 1

First check for missing variables, then extract and validate the variables, then serve content based on them.

<?php
  function verifyPostContains(&$req) {
    global $_POST;
    $missing = array();
    foreach($req as $var => $_) {
      if(!isset($_POST[$var])) {
        $missing[] = $var;
      }
    }
    return $missing;
  }

  $requirements = array('name'=>'','city'=>'','state'=>'',...);
  $missing = verifyPostContains($requirements);

  if(count($missing)>0) {
    $content = formErrorReport($missing);
    sendHeaders();
    echo $content;
    exit();
  }

  // extract, making sure to sanitize
  $name = sanitize($_POST["name"]);
  ...

  $errorHtml = array();
  // validate by reference. Effectively call testName($name).
  if(failsValidation($name, "testName")) {
    $errorHtml [] = generateError(NAME_ERROR, $name);
  } else { $requirements["name"] = $name; }
  if(failsValidation($city, "testCity")) {
    $errorHtml [] = generateError(CITY_ERROR, $city);
  } else { $requirements["city"] = $name; }
  ...

  if(count($errorHTML)>0) {
    generateErrorPage($requirements, $missing, $errorHTML);
  } else { processForm($requirements); }
?>

this code assumes you have functions to do the various bits that need to be done, and has some string constants for generating error HTML.

As a newcomer you may want to google for some tutorials that explain doing form processing using PHP at the server, and JavaScript at the client. If you find a tutorial that gives you code that echos errors while it's testing the data, such as you code does, move along. It's not a good tutorial. If you find one that stops after it finds one error, move along too. If you find one that tells you to make sure the values are right in JavaScript, and then says "we already validated this at the client so we use the values directly in PHP", move along, too. Look for a tutorial that explains:

• ensuring there's data in all the form fields, using JavaScript, so the submit button is disabled until there's data for all the fields.
• ensuring the data matches your criteria, in PHP, so that people who just POST to your server without ever using your page don't get away with injecting all manner of fun stuff they weren't supposed to be able to do
• you generate a page with all the errors explained, if there are any, and the form repopulated with the wrong data, but highlighted as wrong
• you process the post request if there are no errors.

(Bonus points if the tutorial explains that a POST request is not required to actually ever generate page content as a response, other than a header that indicates whether or not the POST call was accepted or rejected.)