Validating the form from redirecting it to next page in php

Question

I have created a form where user enters a number and month. When the number and month entered is not stored in database it should display a alert box saying details is not valid. iF if the details matches it as to redirect it to next page.My code redirects to next page if the details doesnt match too. how to solve this. Here is the code

<div id="col1" align="center"><br />
    <form method="post" action="modifypay3.php">
        <label type="text" name="name" maxlength="50" size="30" class="label">Enter the Membership Number which You want to edit</label><br />
        <input type="text" name='uid' placeholder="enter Membership Number" class="input" size="40"/><br />
        <span class="field">(* Required field)</span><br /><br />
        <label type="text" name="month" maxlength="50" size="30" class="label">Select Month in which u want to edit</label><br />
        <select name="month"  placeholder="" class="input"  style="width: 380px;" >
            <option value="January">January</option>
            <option value="February">February</option>
            <option value="March">March</option>
            <option value="April">April</option>
            <option value="May">May</option>
            <option value="June">June</option>
            <option value="July">July</option>
            <option value="August">August</option>
            <option value="September">September</option>
            <option value="October">October</option>
            <option value="November">November</option>
            <option value="December">December</option>
        </select><br/><br/>
        <input type="submit" name="submit" value="SUBMIT" class="button"><br /><br /><br /><br />
    </form>
</div>

<?php
mysql_connect("localhost","root","");
mysql_select_db("anthonys");

if(isset($_POST['submit'])) {
    $uid= $_POST['uid'];

    if( ! ctype_alnum($uid) )
        die('invalid id');

    $month=$_POST['month'];
    $query = "SELECT uid,month FROM `payment` WHERE uid ='$uid' and month='$month'";
    $run = mysql_query($query);

    if(mysql_num_rows($run)==1) {
        echo "<script>window.open('modifypay3.php?uid=".$uid."','_self')</script>";
    } else {
        echo "<script>alert('Membership No is Invalid!')</script>";
    }
}
?>

your code is vulnerable to sql injection ...and you are using outdated mysql_* function read this http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php/14110189#14110189 — NullPoiиteя, Jun 04 '14 at 05:53
sql injection,depreciated function usage (mysql*),structural problems (usage of javascript with in php) ..google things to gain knowledge — coolguy, Jun 04 '14 at 05:55

score 3 · Answer 1 · answered Jun 04 '14 at 06:36

3

In your form action call modifypay3.php page

<form method="post" action="modifypay3.php">

Edit the form action like this

<form method="post" action="#">

answered Jun 04 '14 at 06:36

Jarachanthan Ratnakumar

656
13
20

score 0 · Answer 2 · answered Jun 04 '14 at 06:25

0

replace

<form method="post" action="modifypay3.php">

to

 <form method="post" action="">

answered Jun 04 '14 at 06:25

Ezhil

996
8
13

score 0 · Answer 3 · answered Jun 04 '14 at 07:26

<div id="col1" align="center"><br />
    <form method="post" action="">
        <label type="text" name="name" maxlength="50" size="30" class="label">Enter the Membership Number which You want to edit</label><br />
        <input type="text" name='uid' placeholder="enter Membership Number" class="input" size="40"/><br />
        <span class="field">(* Required field)</span><br /><br />
        <label type="text" name="month" maxlength="50" size="30" class="label">Select Month in which u want to edit</label><br />
        <select name="month"  placeholder="" class="input"  style="width: 380px;" >
            <option value="January">January</option>
            <option value="February">February</option>
            <option value="March">March</option>
            <option value="April">April</option>
            <option value="May">May</option>
            <option value="June">June</option>
            <option value="July">July</option>
            <option value="August">August</option>
            <option value="September">September</option>
            <option value="October">October</option>
            <option value="November">November</option>
            <option value="December">December</option>
        </select><br/><br/>
        <input type="submit" name="submit" value="SUBMIT" class="button"><br /><br /><br /><br />
    </form>
</div>

<?php
mysql_connect("localhost","root","");
mysql_select_db("anthonys");
if(isset($_POST['submit'])) {
    $uid = trim($_POST['uid']);

    if( !ctype_alnum($uid) )
        die('invalid id');

    $month=trim($_POST['month']);
    $query = "SELECT `uid`,`month` FROM `payment` WHERE `uid` ='".$uid."' and `month`='".$month."' LIMIT 1";
    $run = mysql_query($query);

    if(mysql_num_rows($run)==1) {
        header("Location:modifypay3.php?uid=".$uid."");
    } else {
        echo "<script>alert('Membership No is Invalid!')</script>";
    }
}
?>

Validating the form from redirecting it to next page in php

3 Answers3