0

I am currently working on a project for a web development class I am taking in which I have to create a registration page for a marketing product and add user details to a database. I've got the basic code working but, after speaking with my teacher, I need to add some form of data validation to the website. I have tried marking the input fields as required in HTML5 as well as using a separate JavaScript Validator but nothing works, if I submit the form, my PHP script process without the data being validated.

My goal is for the data to validated directly on the form, so that error messages appear on the form itself versus on a separate page. I currently have a check in my PHP code to query the database for an already existing email and kill the script and echo an error but it does so on another page.

Below is the code I have so far with the JavaScript validator in place. I am still learning PHP and HTML so I'm lost as to what else I can try. Can anyone help?

HTML CODE

<!DOCTYPE HTML>
<html>
<head>
        <title>Registration</title>
        <script src="scripts/gen_validatorv4.js" type="text/javascript"></script>
</head>
<body>
    <div id="register">
        <fieldset style="width:30%"><legend>Registration Form</legend> <!-- Give the table a width of 30% and a title of Registration Form -->
            <table border="0"> <!-- Add border to table -->
            <tr>
            <form method="POST" action="registration.php" id="register"> <!-- Use POST to submit form data to registration.php -->
                <td>First Name</td><td> <input type="text" name="firstname" ></td> <!-- Input field for First Name -->
                </tr>
                <tr>
                <td>Last Name</td><td> <input type="text" name="lastname" ></td> <!-- Input field for Last Name -->
                </tr>
                <tr>
                <td>Address 1</td><td> <input type="text" name="address1" ></td> <!-- Input field for Address 1 -->
                </tr>
                <tr>
                <td>Address 2</td><td> <input type="text" name="address2"></td> <!-- Input field for Address 2 -->
                </tr>
                <tr>
                <td>City</td><td> <input type="text" name="city" ></td> <!-- Input field for City -->
                </tr>
                <tr>
                <td>State</td><td> <input type="text" name="state" ></td> <!-- Input field for State -->
                </tr>
                <tr>
                <td>Zip Code</td><td> <input type="text" name="zipcode" ></td> <!-- Input field for Zip Code -->
                </tr>
                <tr>
                <td>Phone Number</td><td> <input type="text" name="phonenumber" ></td> <!-- Input field for Phone Number -->
                </tr>
                <tr>
                <td>Email</td><td> <input type="text" name="email" ></td> <!-- Input field for Email -->
                </tr> 
                <tr>
                <td>Sign up to marketing emails?</td><td> <input type="radio" name="marketingaccept" value="yes"></td> <!-- Radio button to be checked if user wants to sign up for marketing emails -->
                </tr>
                <td><input id="button" type="submit" name="submit" value="Register"></td> <!-- Submit button -->
            </form>
            <script type="text/javascript">
            var frmvalidator  = new Validator("register");
            frmvalidator.EnableOnPageErrorDisplay();
            frmvalidator.EnableMsgsTogether();
            frmvalidator.addValidation("firstname","req","Please provide your first name");

            frmvalidator.addValidation("email","req","Please provide your email address");

            frmvalidator.addValidation("email","email","Please provide a valid email address");

            frmvalidator.addValidation("lastname","req","Please provide your last name");

            frmvalidator.addValidation("address","req","Please provide your address");
            </script>
            </tr>
            </table>
        </fieldset>
    </div>
</body>
</html>

PHP CODE

<?php

define('DB_HOST', 'localhost'); // Define database host
define('DB_NAME', 'andrewha_fhsuproject1'); // Define database name
define('DB_USER','*******'); // Define database username
define('DB_PASSWORD','********'); // Define database password

$con=mysql_connect(DB_HOST,DB_USER,DB_PASSWORD) or die("Failed to connect to MySQL: " . mysql_error()); // Connect to host or present an error if connection fails
$db=mysql_select_db(DB_NAME,$con) or die("Failed to connect to MySQL: " . mysql_error()); // Connect to database or present an error if connection fails


function newregister() // Create function newregister()
{
    $firstname = trim($_POST['firstname']); // Grab data from the first name field and trim excess white space
    $lastname = trim($_POST['lastname']); // Grab data from the last name field and trim excess white space
    $address1 = trim($_POST['address1']); // Grab data from the address1 name field and trim excess white space
    $address2 = trim($_POST['address2']); // Grab data from the address2 name field and trim excess white space
    $city = trim($_POST['city']); // Grab data from the city field and trim excess white space
    $state = trim($_POST['state']); // Grab data from the state field and trim excess white space
    $zipcode = trim($_POST['zipcode']); // Grab data from the zipcode field and trim excess white space
    $phonenumber = trim($_POST['phonenumber']); // Grab data from the phonenumber field and trim excess white space
    $email = trim($_POST['email']); // Grab data from the email field and trim excess white space
    $marketingaccept =  $_POST['marketingaccept']; // Check to see whether the marketingaccept radio button is checked

    $sql="SELECT email FROM RegisteredUsers WHERE email='".$email."'"; // Look through existing emails to prevent duplication
    $resul=mysql_query($sql); // Perform above query
    $num = mysql_num_rows($resul); // Check above query to see if any rows match
    if ($num !=0){ // If a match is found...
        die("Sorry, you can only register once!.");  // ...the script is killed and an error is presented.
}   else // If no match is found, the script continues.
        $query = "INSERT INTO RegisteredUsers (firstname,lastname,address1,address2,city,state,zipcode,phonenumber,email,marketingaccept) VALUES ('$firstname','$lastname','$address1','$address2','$city','$state','$zipcode','$phonenumber','$email','$marketingaccept')"; // Create variable to insert  Grabbed data to database table and corresponding columns
        $data = mysql_query ($query)or die(mysql_error()); // Run above query or kill the script if an error is presented
    if($data) // Verify $data was run
    {
    header('Location: thankyou.html'); // Redirect to thankyou.html
    exit(); // End script
    }
}


if(isset($_POST['submit'])) // Check to see if submit button was hit...
{
    newregister(); // ...and go to newregister()
}
?>
adh1310
  • 3
  • 5
  • check http://www.w3schools.com/js/js_validation.asp for front end validation, and in php check if the variable is set and it is in desired format then process stuffs – Vigikaran Mar 09 '16 at 17:17
  • This is the best use for javascript validation http://jqueryvalidation.org/ and you can use php framework for fast development like basic framework https://www.codeigniter.com/ – Santosh Ram Kunjir Mar 09 '16 at 17:22
  • Please update your question with the front end validation included. You mentioned it wasn't preventing form submission, but the only way we can help with this is to see the problem code. – Alexander Kerchum Mar 09 '16 at 17:30
  • You need share *scripts/gen_validatorv4.js* –  Mar 09 '16 at 17:38

1 Answers1

0

I don't know if you underestimate or misunderstand the results of validation so forgive me if I am long winded here.

Your validation on the client is exactly that - it will only validate certain conditions are met on the client. Once the data is sent to the server, without validation/sanitization, you risk someone tampering and thrashing your database, or worse.

It would be possible for example to skip your client validation entirely and just enter an address in the address bar or via a script that would pretend to be a web browser sending data to your server.

The way your code is written above, the server will receive data and it can be engineered (rather easily) via a single input box to delete all the data in your database, or pending the server configuration, possible to destroy your server.

An article elsewhere on stackoverflow should help discuss this subject in greater detail. I just did a quick search and found this one: What's the best method for sanitizing user input with PHP? Read some of the answers.

Now... with regards to validating your form data, I recommend you use jquery. It is a javascript add on library (meaning its entirely written in javascript) but it is cross browser compatible (there are variations in how javascript in some browsers handles data so your plain javascript might or might not work on all browsers. However code written in jquery will work in all browsers).

The simplicity of validating your form data could be done by adding a

class="required"

in to each input tag in your form.

Then, with jquery, you could perform something like the following

// e will contain input field names of input tags that require but are missing data
var e=new Array();
// Get all input boxes with class "required", check the data input
// if the input length is less than one character in length, it
// will add the id tag to the "e" array.
$("input.required").each(function(){
if( $(this).val().length<1 )
{
    e.push( $(this).prop("id") );
}
});

// If e array has more than zero elements, it means more than zero input
// input tags are missing data and thus an alert is shown
if( e.length>0 )
{
 alert( "The following data fields are missing data:\n"+e.join(", ") );
}
Community
  • 1
  • 1
  • 1
    You should never validate only with Javascript. Anyone can manipulate with client side data, so you should always check server side as well – MortenMoulder Mar 09 '16 at 17:40