-5

So I'm trying to compare a $_POST value to my database and if it matches then echo 'Already taken.Input another'. But it doesn't seem to work.

//if form has been submitted process it
if(isset($_POST['submit'])){

    //collect form data
    extract($_POST);

    //very basic validation
    if($idnumber ==''){
        $error[] = 'Please enter the ID Number.';
    }

    if($password ==''){
        $error[] = 'Please enter the password.';
    }

    if($passwordConfirm ==''){
        $error[] = 'Please confirm the password.';
    }

    if($password != $passwordConfirm){
        $error[] = 'Passwords do not match.';
    }

    if($fullname ==''){
        $error[] = 'Please enter the Full Name.';
    }

    if($role ==''){
        $error[] = 'Please select a role type.';
    }

    $idmatch=$mysqli->query('SELECT idNUMBER from members where idnumber=$idnumber');
    if (mysqli_num_rows($idmatch)==1) {
        echo 'Id number already taken';
    }?>
  • `idNUMBER` and `idnumber` may not be the same on some servers. – Funk Forty Niner Nov 25 '14 at 22:14
  • idNUMBER and idnumber? – baao Nov 25 '14 at 22:15
  • You can't interpolate variables in a string with single quotes. That's a bad idea anyways, because it leaves you vulnerable to SQL injection. You should be using bound parameters instead. See http://stackoverflow.com/q/60174/3794472 – Jeremiah Winsley Nov 25 '14 at 22:16
  • the closing bracket } for your first if is missing, too – baao Nov 25 '14 at 22:16
  • You need to check for errors. I.e. `if(!$result = $mysqli->query($idmatch)){ die('There was an error running the query [' . $mysqli->error . ']'); }` - Plus, make sure the id number is an int and not a string. – Funk Forty Niner Nov 25 '14 at 22:25

2 Answers

1

I believe the SQL is case sensitive! You are using "idNUMBER" and then filtering using "idnumber".

  • @meda http://stackoverflow.com/a/2009011/ and depending on database collation. See also http://dev.mysql.com/doc/refman/5.0/en/identifier-case-sensitivity.html – Funk Forty Niner Nov 25 '14 at 22:19
  • You're right Fred, I guess I was thinking about the SQL syntax itself – meda Nov 25 '14 at 22:21
  • @meda OP's problem could be a mix of many things. Something OP is not checking for is errors on the query. – Funk Forty Niner Nov 25 '14 at 22:23
  • Carlos, not on Windows. If OP is not Windows, then that will not apply. Which is why I said [in a comment](http://stackoverflow.com/questions/27137729/php-very-basic-validation#comment42773562_27137729) under OP's question being: *"idNUMBER and idnumber may not be the same on some servers."* – Funk Forty Niner Nov 25 '14 at 22:26
  • I know, it's the can of worms @Fred-ii- ;) – meda Nov 25 '14 at 22:28
  • @meda Haha! You said it ;) Plus, OP has a missing brace. The can is getting bigger. – Funk Forty Niner Nov 25 '14 at 22:28
  • @meda Yep, OP is nowhere to be found. This one's dead in the water, where all the fishies have eaten up those big juicy worms. – Funk Forty Niner Nov 26 '14 at 00:05
0

I never use extract(), it's not really recommended, especially with POST values.

I suggest you use the POST array directly and use isset() to check if it has a value:

// collect validation messages here; the original snippet never initialised it
$error = [];

if(!isset($_POST['idnumber'])){
    $error[] = 'Please enter the ID Number.';
}

if(!isset($_POST['password'])){
    $error[] = 'Please enter the password.';
}

if(!isset($_POST['passwordConfirm'])){
    $error[] = 'Please confirm the password.';
}

// only compare once both fields are present, otherwise this line raises a notice
if(isset($_POST['password'], $_POST['passwordConfirm']) && $_POST['password'] != $_POST['passwordConfirm']){
    $error[] = 'Passwords do not match.';
}

if(!isset($_POST['fullname'])){
    $error[] = 'Please enter the Full Name.';
}

if(!isset($_POST['role'])){
    $error[] = 'Please select a role type.';
}

You should also prepare your query, or at least escape it.

meda
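Added example, not code from the question or from either answer: the same form validation with the "already taken" check done through a mysqli prepared statement and a bound parameter, which is what the comment about bound parameters under the question and the closing line of this answer both point at. The `members` table and `idnumber` column are taken from the question; the connection credentials and the `idnumber_taken()` helper are hypothetical.

```php
<?php
// Added example (not from the question or the answers). Assumes a `members`
// table with an `idnumber` column; credentials below are placeholders.
$mysqli = new mysqli('localhost', 'db_user', 'db_pass', 'app_db');
if ($mysqli->connect_error) {
    die('Connection failed: ' . $mysqli->connect_error);
}

/**
 * Returns true if $idnumber already exists in members.idnumber.
 * The value travels as a bound parameter, so it is never spliced into the
 * SQL text and cannot change the query's structure, whatever it contains.
 */
function idnumber_taken(mysqli $db, string $idnumber): bool
{
    $stmt = $db->prepare('SELECT 1 FROM members WHERE idnumber = ? LIMIT 1');
    if ($stmt === false) {
        // Surface the error instead of silently treating it as "not taken".
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $idnumber);
    $stmt->execute();
    $stmt->store_result();
    $taken = $stmt->num_rows > 0;
    $stmt->close();
    return $taken;
}

if (isset($_POST['submit'])) {
    $error = [];
    // Read fields explicitly instead of extract(): only known keys become variables.
    $idnumber        = trim($_POST['idnumber'] ?? '');
    $password        = $_POST['password'] ?? '';
    $passwordConfirm = $_POST['passwordConfirm'] ?? '';
    $fullname        = trim($_POST['fullname'] ?? '');
    $role            = $_POST['role'] ?? '';

    // isset() is true for an empty submitted field, so compare against ''.
    if ($idnumber === '')        { $error[] = 'Please enter the ID Number.'; }
    if ($password === '')        { $error[] = 'Please enter the password.'; }
    if ($passwordConfirm === '') { $error[] = 'Please confirm the password.'; }
    if ($password !== $passwordConfirm) { $error[] = 'Passwords do not match.'; }
    if ($fullname === '')        { $error[] = 'Please enter the Full Name.'; }
    if ($role === '')            { $error[] = 'Please select a role type.'; }

    if ($idnumber !== '' && idnumber_taken($mysqli, $idnumber)) {
        $error[] = 'Id number already taken.';
    }
}
```

The check binds the value as a string; if `idnumber` is an integer column, MySQL coerces it, and binding with `'i'` after an `is_numeric()` check is the stricter option.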