1

So I need help with a required form field. I want the 3 fields (exam_id, subject, exam_date) to be required fields when filling out the PHP form. So when the insert button is hit, if a field is left blank and error will display or the action won't complete unless every field is filled in. I'm using all php, no HTML and no, I don't want to redo my form as HTML calling the php, I want it like this. There's no security problems either, this is just a simple project. My code:

<?php
echo '<link rel="stylesheet" type="text/css" href="css/tables.css" />';

$con = mysql_connect("localhost","root");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}

mysql_select_db("StudentExams", $con);

if (isset($_POST['update']))
{
$UpdateQuery = "UPDATE Exam SET exam_id='$_POST[exam_id]', subject='$_POST[subject]', exam_date='$_POST[exam_date]' WHERE exam_id='$_POST[hidden]'";
mysql_query($UpdateQuery, $con);
};

if (isset($_POST['delete']))
{
$DeleteQuery = "DELETE FROM Exam WHERE exam_id='$_POST[hidden]'";
mysql_query($DeleteQuery, $con);
};

if (isset($_POST['insert']))
{
$InsertQuery = "INSERT INTO Exam (exam_id, subject, exam_date) VALUES ('$_POST[uexam_id]','$_POST[usubject]','$_POST[uexam_date]')";
mysql_query($InsertQuery, $con);
};

$sql = "SELECT * FROM Exam";

$Data = mysql_query($sql,$con);

echo "<table id='size' border='1'>
<tr>
<th>Exam_ID</th>
<th>Subject</th>
<th>Exam_Date</th>
</tr>";
while($record = mysql_fetch_array($Data))
{
echo "<form action=examisud.php method=post>";
echo "<tr>";
echo "<td>" . "<input type=text name=exam_id value=" . $record['exam_id'] . " </td>";
echo "<td>" . "<input type=text name=subject value=" . $record['subject'] . " </td>";
echo "<td>" . "<input type=text name=exam_date value=" . $record['exam_date'] . " </td>";
echo "<td>" . "<input type=hidden name=hidden value=" . $record['exam_id'] . " </td>";
echo "<td>" . "<input type=image name=update value=update id=submit src=images/update.png" . " </td>";
echo "<td>" . "<input type=image name=delete value=delete id=submit src=images/delete.png" . " </td>";
echo "</tr>";
echo "</form>";
}
echo "<form action=examisud.php method=post>";
echo "<tr>";
echo "<td><input type=text name=uexam_id></td>";
echo "<td><input type=text name=usubject></td>";
echo "<td><input type=text name=uexam_date></td>";
echo "<td>" . "<input type=image name=insert value=insert id=submit src=images/insert.png" . " </td>";
echo "</form>";
echo "</table>";



echo "<a href='ExamForm.html'> Back to main page </a>";

mysql_close($con);

?>

Thanks in advance for anyone who can help me out! I feel there is either a very simple solution i'm missing or it's very convoluted due to the absence of a generic HTML form.

user3473793
  • 17
  • 4
  • 2
    You are **wide open** to SQL injection attacks, and you will be hacked if you haven't been already. Please use prepared / parameterized queries to prevent this from happening. See also: [How can I prevent SQL injection in PHP?](http://stackoverflow.com/questions/60174/) – Amal Murali Mar 28 '14 at 18:30
  • 1
    I see *lots* of HTML. Just because it is wrapped in PHP echo statements does **not** mean you are not using it – John Conde Mar 28 '14 at 18:32
  • `I'm using all php, no HTML` you are using a bunch of html you are just having your php echo it for some reason. – Pitchinnate Mar 28 '14 at 18:32
  • Amal, this is a personal project, it will stay all on my own wamp server. And I meant that i'd have the HTML wrapped in PHP without the form being entered on a HTML page. I looked up lots of solutions here and all of them had the html form filled in on a html page whereas I have my html page take me to the php page where all the fields can be inserted, updated and deleted. – user3473793 Mar 28 '14 at 20:20

2 Answers2

1

Just do a check on the top with isset

if(!isset($_POST['exam_id'],$_POST['subject'],$_POST['exam_date']))
{
 echo "These fields are required ! Please fill it up";
 header("location:backtoform.php");exit;
}

Warning : Since you are passing the $_POST parameters directly onto your query, you are prone to SQL Injection attacks.

This(mysql_*) extension is deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the MySQLi or PDO_MySQL extension should be used. Switching to PreparedStatements is even more better to ward off SQL Injection attacks !

Shankar Narayana Damodaran
  • 68,075
  • 43
  • 96
  • 126
  • I won't be attacked, it's simple a personal project which won't go any further than my own wamp server at home! And as for your answer, i'm not sure where to put this in my file? I'm a newb as you probably know, would I just post it directly at the top above the if issset update statement? Thanks! – user3473793 Mar 28 '14 at 20:24
  • Yes exactly after the `echo '';` line – Shankar Narayana Damodaran Mar 29 '14 at 02:05
1

isset( ... ) is only used to see if a field is set or not. It doesn't care if the value of the field is empty.

You need to use empty( .. ) instead. It would return true only if the field was ever set and is not empty. Two apples with one shot.

Across all your if statements, use !empty. Maintain an $error variable and initialize it to FALSE. Whenever an error occurs, set $error to TRUE. In the end, perform the required operation only when $error == FALSE.

$error = false;
    if (  !empty($_POST['update']   ){
    // stuff
    }
    else {
    // display error message
    $error=true;
    }

if(!$error){
// operations
}

This way you can neatly separate validations from operations.

Sasanka Panguluri
  • 3,058
  • 4
  • 32
  • 54
  • 3
    Simply checking empty is sufficient. the isset check is redundant. `if(!empty($_POST['update']))` – Frank Farmer Mar 28 '14 at 18:37
  • @SasankaPanguluri Hey, i'm a newb to all of this as you can probably tell, could you maybe take one of my if statements and wrap it around these empty validations for just a guideline please? Thanks for your help anyway if you can't. – user3473793 Mar 28 '14 at 20:55