
When I submit an empty form the success message is displayed and I am not sure why. It shouldn't pass the first if statement if anything is left blank, so why is it displaying this?

I previously had the if statement use variables but then changed them because of undefined index errors. A form with any missing fields should display the error message shown in the code.

php:

<?php
    require_once 'db/connect.php';
    $error='';
    $success='';

    if (isset($_POST['submit'])) {  

        if ( (isset($_POST['Forename'])) && (isset($_POST['Surname'])) && (isset($_POST['Gender'])) && (isset($_POST['YearGroup'])) ) {
            /*print_r($_POST);*/

            $forename = $_POST['Forename'];
            $surname = $_POST['Surname'];
            $gender = $_POST['Gender'];
            $yeargroup = $_POST['YearGroup'];

            //To protect MySQL injection
            $forename= stripslashes($forename);
            $surname = stripslashes($surname);
            $forename = mysqli_real_escape_string($con, $forename);
            $surname = mysqli_real_escape_string($con, $surname);

            if ($teacher_form = $con->query("SELECT Form FROM teacher WHERE Username = '" . $_SESSION['Username'] . "'")) {
                $row1 = $teacher_form->fetch_assoc(); 
                $form = $row1['Form'];
                $con->query("INSERT INTO student (Forename, Surname, Gender, Year_group, Form) VALUES (\"" . $forename ."\", \"" . $surname . "\", \"" . $gender . "\", " . $yeargroup . ", \"" . $form . "\")   ");
                $success = 'Student has been successfully added to the database';                           
            }
        }   

        else {
            $error='All fields must be completed';
        }   
    }           
?>

HTML form:

<?php
    session_start();
    require_once 'db/checkuserloggedin.php';
    include 'db/header.php';
    include 'addstudent.php';
?>

<!DOCTYPE html>
<html>
    <head>
        <title>Add students</title>
    </head>

    <body>

        <div id="logoutbutton">
            <button class="btn" onclick="location.href='logout.php'">Logout</button>
        </div>

        <link rel="stylesheet" type="text/css" href="styles.css">
            <?php echo "<form method =\"POST\">"; ?>
                <h3> Add student </h3>
                    <table>                             
                        <tr>            
                            <td>Forename</td>
                            <td><input type="text" name="Forename"></td>
                        </tr>

                        <tr>                
                            <td>Surname</td>
                            <td><input type="text" name="Surname"></td> 
                        </tr>

                        <tr>            
                            <td>Gender</td>
                            <td><select name ="Gender"> 
                              <option value="" style="display:none;"></option>
                              <option> M </option>
                              <option> F </option>                                                              
                              </select> <br>                        
                            </td>                   
                        </tr>

                        <tr>
                            <td>Year group</td>
                            <td><select name ="YearGroup">
                            <option value="" style="display:none;"></option>            
                            <option> 7 </option>
                            <option> 8 </option>
                            <option> 9 </option>
                            <option> 10 </option>
                            </select> <br>
                            </td>
                        </tr>
                    </table>

                <input type="submit" name="submit" value ="Add">
                <input type="reset" value ="Reset"> <br>
                <span class="error"><?php echo $error;?></span> 
                <span class="error"><?php echo $success;?></span>                   
            <?php echo "</form>"; ?>
    </body>
</html>

2 Answers


Use the empty function and replace the && operator with ||:

if (isset($_POST['submit'])) {

    // empty() is true for a missing key, null AND the empty string '',
    // so a field that was posted blank now fails the check
    if ( (empty($_POST['Forename'])) || (empty($_POST['Surname'])) || (empty($_POST['Gender'])) || (empty($_POST['YearGroup'])) ) {
        $error = 'All fields must be completed';
    }
    else {
        // all four fields were posted with a non-empty value
    }
}
varunsinghal

isset returns false only if the variable is not defined or is null.

Your input fields always exist in your form so users will post empty values even if they don't populate every field. Empty and null are different in PHP.

It is a good practice to check that every key of the $_POST array is defined as you would expect. It protects you from XSS vulnerabilities.

But you also want to check that the defined keys contain a non-empty value. I would recommend you to use the following check for every input:

if (isset($_POST['Forename']) && $_POST['Forename'] !== '') {
    ...
}

There is also an empty function that does both these checks in one call:

if (!empty($_POST['Forename'])) {
    ...
}

Note that the latter doesn't work if your user enters a 0 (zero) in one of the fields as this is considered as an empty value.

If one of your fields can potentially contain a valid 0 value (e.g. number of children, years of experience...), fall back to a combination of isset($var) and $var !== ''.

This post may give you a clearer explanation.

Community
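As an added example that is not part of the question or of either answer: a PHP validator for the question's form that applies the isset($var) && $var !== '' check from the answer above (so a field whose value is the single character 0 is not rejected the way empty() would reject it), then treats presence and validity as separate questions by whitelisting the two select fields, and a parameterised INSERT to replace the string-built query in the question, in which Gender, YearGroup and Form are interpolated without any escaping. The function names validate_student_post and insert_student, the 64-byte name limit and the sample submissions are assumptions made for this example; the table and column names are taken from the question.

```php
<?php
// Added example (not from the question or the answers). Function names, the
// 64-byte name limit and the sample submissions below are assumptions.
declare(strict_types=1);

/**
 * Returns ['ok' => bool, 'errors' => string[], 'data' => array].
 * A field is "present" when its key exists and is not null (isset); it is
 * "filled" when the trimmed string is not ''. Unlike empty(), this keeps "0".
 */
function validate_student_post(array $post): array
{
    $required = ['Forename', 'Surname', 'Gender', 'YearGroup'];
    $genders  = ['M', 'F'];       // the values the form's <select> offers
    $years    = [7, 8, 9, 10];
    $errors   = [];
    $data     = [];

    foreach ($required as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            $errors[] = "$field is missing";
            continue;
        }
        $value = trim($post[$field]);   // the <option> texts carry spaces: " M "
        if ($value === '') {
            $errors[] = "$field must be completed";
            continue;
        }
        $data[$field] = $value;
    }
    if ($errors !== []) {
        return ['ok' => false, 'errors' => $errors, 'data' => []];
    }

    // Presence is not validity: a <select> value is chosen by the client and
    // can be anything, so whitelist it rather than trusting the option list.
    if (!in_array($data['Gender'], $genders, true)) {
        $errors[] = 'Gender must be M or F';
    }
    if (!ctype_digit($data['YearGroup']) || !in_array((int) $data['YearGroup'], $years, true)) {
        $errors[] = 'Year group must be 7, 8, 9 or 10';
    } else {
        $data['YearGroup'] = (int) $data['YearGroup'];
    }
    if (strlen($data['Forename']) > 64 || strlen($data['Surname']) > 64) {
        $errors[] = 'Names must be at most 64 bytes';
    }

    return ['ok' => $errors === [], 'errors' => $errors, 'data' => $errors === [] ? $data : []];
}

/**
 * Parameterised replacement for the string-built INSERT in the question.
 * Every value is a bound parameter, so no escaping is needed and the
 * unescaped Gender, Year_group and Form interpolations disappear.
 * Not called below because it needs a live mysqli connection.
 */
function insert_student(mysqli $con, array $data, string $form): bool
{
    $stmt = $con->prepare(
        'INSERT INTO student (Forename, Surname, Gender, Year_group, Form) VALUES (?, ?, ?, ?, ?)'
    );
    $stmt->bind_param('sssis', $data['Forename'], $data['Surname'], $data['Gender'], $data['YearGroup'], $form);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Constructed sample submissions standing in for $_POST; no database needed.
$samples = [
    'empty form'      => ['Forename' => '', 'Surname' => '', 'Gender' => '', 'YearGroup' => '', 'submit' => 'Add'],
    'zero kept'       => ['Forename' => '0', 'Surname' => 'Null', 'Gender' => ' M ', 'YearGroup' => ' 7 '],
    'tampered select' => ['Forename' => 'Ann', 'Surname' => 'Lee', 'Gender' => 'X', 'YearGroup' => '11'],
    'valid'           => ['Forename' => 'Ann', 'Surname' => "O'Brien", 'Gender' => ' F ', 'YearGroup' => ' 10 '],
];
foreach ($samples as $label => $post) {
    $result = validate_student_post($post);
    printf("%-16s ok=%s %s\n", $label, $result['ok'] ? 'yes' : 'no', implode('; ', $result['errors']));
}
```

The validator keeps the two concerns apart on purpose: the first loop only answers the question asked on this page (was every field posted with a non-blank value), while the whitelist and the bound parameters deal with what the question's code does afterwards, where a tampered select value or a quote in a surname would otherwise reach the query unchecked.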