
(I found this but still don't understand) {HTML form PHP post to self to validate or submit to new page}

I am sorry if this question is explained better in another place but I have been stuck for hours, have searched, and have just given up. I am going by the W3c website tutorial on how to validate, sanitize, and handle forms using PHP. All went well (At least I think it did) until it was time to do something with this data. I will show you the code now and further explain my position and problem after the code:

<form method="POST" name="signup" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">

<!-- id must match the label's "for" attribute and must not contain spaces -->
<label for="first_name"></label><input id="first_name" name="first_name" placeholder="First Name" type="text" value="<?php echo $firstname;?>" /> <span class="error">* <?php echo $firstnameErr;?></span>
<br /><br />

<label for="last_name"></label><input id="last_name" name="last_name" placeholder="Last Name" type="text" value="<?php echo $lastname;?>" />
<span class="error">* <?php echo $lastnameErr;?></span>
<br /><br />

<label for="email"></label><input id="email" name="email" placeholder="Email" type="text" value="<?php echo $email;?>" />
<span class="error">* <?php echo $emailErr;?></span>
<br /><br />

<label for="password"></label><input id="password" name="password" placeholder="Create Password" type="password" />
<span class="error">* <?php echo $passwordErr;?></span>
<br /><br />

<!-- both radio buttons share name="gender"; the one matching the submitted value is re-checked -->
<label for="male"><strong>Male</strong></label>
<input id="male" value="male" <?php if (isset($gender) && $gender=="male") echo "checked";?> name="gender" type="radio" />
<label for="female"><strong>Female</strong></label>
<input id="female" value="female" <?php if (isset($gender) && $gender=="female") echo "checked";?> name="gender" type="radio" />
<span class="error">* <?php echo $genderErr;?></span>
<br /><br />

<label for="submit">I Agree To <a href="#">Terms And Conditions</a></label> <input id="submit" value="Submit" type="submit" name="submit" /><br /><br />

<p><span class="error">* required field.</span></p>
<hr />
</form>

I am confused about many things. Should I keep the "Form Action" as is, or should I change it to something like "welcome.php"? If I do change it to "welcome.php", do I still include the 'htmlspecialchars'? I am going to be using MySQLi. I am already able to connect to my database, but how do I go about converting the user's data into viable information for the server? Do I just go ahead and use the variables that I created in this HTML form? I know I need to put some kind of variables into a query string and then make sure I exit it as well. I am sorry if I pissed some of you off, but I am just needing help. I don't want negative points, but if I can receive some answers then I can handle a few bad points. Thanks for your help and happy holidays.

Below is my "welcome.php". It is actually called something different, but for this moment it is "welcome.php". Thanks again.

  <?php

    $hostname="social89.db";
    $username="social89";
    $password="P!!";
    $dbname="social89";

  $db_conx = mysqli_connect($hostname, $username, $password) OR DIE ("Unable to
  connect to database! Please try again later.");

  if(mysqli_connect_errno()){
  echo mysqli_connect_error();
  exit();
  }

  $select = mysqli_select_db($db_conx,$dbname);

  // Form fields exactly as the browser sent them; nothing has been validated or escaped yet.
  // Note: this also overwrites the $password used for the DB connection above.
  $firstname= $_POST["first_name"];
  $lastname= $_POST["last_name"];
  $email= $_POST["email"];
  $password= $_POST["password"];
  $gender= $_POST["gender"];

  // The raw values are placed straight into the SQL string (this is what the answer warns about).
  mysqli_query($db_conx,"INSERT INTO users (firstname, lastname, email, password, gender)
  VALUES ('$firstname', '$lastname', '$email', '$password', '$gender')");
  mysqli_close($db_conx);

  // header() needs its semicolon, and the script should stop once the redirect is issued.
  header("Location: ERASETHISprofile.php");
  exit();
  ?>
1 Answer


Ooh, where to begin.

At the beginning I guess.

"Post to self" refers to having the same script that renders the form receive the form data. The form action points back at the same php script using the server variable $_SERVER['PHP_SELF'].

This means you can do something like:

<?php 

if (!empty($_POST)) { // if $_POST isn't empty, the user submitted the form
    // validate (here only the email field, using filter_var)
    $emailInput = isset($_POST['email']) ? $_POST['email'] : '';
    $validationPassed = filter_var($emailInput, FILTER_VALIDATE_EMAIL) !== false;
    if ($validationPassed) { 
        // insert to db
    } else {
        // tell the user they messed up
        $error = 'Hey, you! Email address was incorrect.';
    }
}

//
?>

<html> ...

<?php if (isset($error)) { echo $error; } ?>

<!-- form -->

The above is really basic. You'll want to set errors for specific fields failing validation to give the user more of a clue as to what to correct.

htmlspecialchars() - Convert special characters to HTML entities

In short, if you trust the input string, you don't need it. So "welcome.php", which has been typed manually by yourself into the document, is trusted and doesn't need to have special characters converted: there aren't any in the string. If that text came from a user it could contain, for example, <h2>Hello</h2>. Without the use of this function, your page may render that Hello inside the H2.

Recommended reading for the next part: How can I prevent SQL injection in PHP?

At the moment you are vulnerable, because you are taking data from the form and are not validating or sanitizing it. Obligatory XKCD comic: http://xkcd.com/327/. In addition to the risk of SQL injection there is the risk of junk data ending up in your DB.

Validation in PHP: filter_var examples: http://www.php.net/manual/en/filter.examples.validation.php

  • Thanks for your reply. So are there two different ways you have to validate and sanitize the information? The "welcome.php" is what I was doing before I tried validating and sanitizing the "index.php" file with PHP (the first code I had put down). I really appreciate the links and will check those out as well. Also, what should I be putting under the FORM'S ACTION? Should it be a path to another file, sending it the form's data and then further sanitizing and validating it? Like the "welcome.php"? And then once I send it there, start validating and sanitizing it further? – user3066599 Dec 24 '13 at 10:09
  • I really do appreciate your help and patience. – user3066599 Dec 24 '13 at 10:11
  • Well, it depends what you want the user experience to be. A common approach would be to use an external script (welcome.php), place state information from it into a session variable (`$_SESSION['success'] = true`) and redirect back to the original script, using the session data in the page. This is referred to as POST-Redirect-Get: http://stackoverflow.com/questions/4142809/simple-post-redirect-get-code-example – bcmcfc Dec 24 '13 at 10:20
  • Awesomeness. I really appreciate it. I am actually wanting it to be a social network. I have a long way to go I feel. – user3066599 Dec 24 '13 at 10:21
  • It takes time to learn new stuff. And there is a lot to learn. SO is an invaluable resource. There's a lot of stuff to look into when you get to grips with the basics: frameworks and the like, that help you structure your code better for maintenance and readability. Some further (sorry!) reading here: http://stackoverflow.com/questions/2119083/php-tutorial-that-is-security-accuracy-and-maintainability-conscious – bcmcfc Dec 24 '13 at 10:25
  • Thanks once more my friend. You have helped me tremendously. Best of wishes to you. – user3066599 Dec 24 '13 at 10:27
  • You have given me some great links. – user3066599 Dec 24 '13 at 10:27
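Putting the answer's points together in one script (post to self, validate with filter_var, a prepared statement instead of building the query from the form values, escaping on output, and the POST-Redirect-GET flow mentioned in the comments), as an added example that is not code from the question or the answer. It assumes PHP 7 or later, placeholder credentials DB_HOST/DB_USER/DB_PASS/DB_NAME, the users table from the question, and a profile.php to redirect to:

```php
<?php
// Added example (not the asker's or answerer's code): index.php posts to itself, validates,
// inserts with a prepared statement, then redirects so a refresh cannot resubmit the form.
// DB_HOST/DB_USER/DB_PASS/DB_NAME and profile.php are assumed placeholders.
session_start();
$errors = [];
$firstname = $lastname = $email = $gender = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $firstname = trim($_POST['first_name'] ?? '');
    $lastname  = trim($_POST['last_name'] ?? '');
    $email     = trim($_POST['email'] ?? '');
    $gender    = $_POST['gender'] ?? '';
    $password  = $_POST['password'] ?? '';
    // Validation: accept only the shape each field is supposed to have, reject everything else.
    $namePattern = '/^[\p{L} .\'-]{1,50}$/u';
    if (!preg_match($namePattern, $firstname))               $errors['first_name'] = 'Letters, spaces, hyphens and apostrophes only';
    if (!preg_match($namePattern, $lastname))                $errors['last_name']  = 'Letters, spaces, hyphens and apostrophes only';
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) $errors['email']      = 'Not a valid email address';
    if (!in_array($gender, ['male', 'female'], true))        $errors['gender']     = 'Please pick one';
    if (strlen($password) < 8)                               $errors['password']   = 'At least 8 characters';
    if (!$errors) {
        $db = new mysqli('DB_HOST', 'DB_USER', 'DB_PASS', 'DB_NAME'); // placeholders
        // Prepared statement: values are bound separately from the SQL text, so input such as
        // O'Brien is stored as a literal string and can never change the query itself.
        $stmt = $db->prepare('INSERT INTO users (firstname, lastname, email, password, gender)
                              VALUES (?, ?, ?, ?, ?)');
        $hash = password_hash($password, PASSWORD_DEFAULT); // store a hash, never the plaintext
        $stmt->bind_param('sssss', $firstname, $lastname, $email, $hash, $gender);
        $stmt->execute();
        $stmt->close();
        $db->close();
        $_SESSION['success'] = true;        // state that survives the redirect (POST-Redirect-GET)
        header('Location: profile.php', true, 303);
        exit;                               // nothing below may run once the redirect is sent
    }
}
// Output: escape every user-controlled value before it is written into the HTML.
function h($s) { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }
?>
<form method="post" action="<?php echo h($_SERVER['PHP_SELF']); ?>">
  <input name="first_name" placeholder="First Name" value="<?php echo h($firstname); ?>">
  <span class="error"><?php echo h($errors['first_name'] ?? ''); ?></span>
  <input name="email" placeholder="Email" value="<?php echo h($email); ?>">
  <span class="error"><?php echo h($errors['email'] ?? ''); ?></span>
  <!-- last_name, password and gender fields follow the same pattern -->
  <input type="submit" value="Submit">
</form>
```

On a failed submission the form re-renders with the user's values and per-field messages; on success the browser lands on profile.php with $_SESSION['success'] set.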