POST Server side form validation

Question

Having some issues telling exactly where I am making an error from the php script below. It gets data via post from a HTML form. Then am trying some validations before inserting them into a database. Anyone spot anything?

<?php
if( isset( $_POST['submit_form'] ) )
{

validate_data($data)
{
  $data = trim($data);
  $data = stripslashes($data);
  $data = strip_tags($data);
  $data = htmlspecialchars($data);
  $data = mysqli_real_escape_string($data);
 return $data;
}
 $address = validate_data($_POST['name']);
  $address = validate_data($_POST['address']);
  $zipcode = validate_data($_POST['zipcode']);
  $county = validate_data($_POST['county']);
  $phone = validate_data($_POST['phone']);
  $email = validate_data($_POST['email']);
  $password = validate_data($_POST['password']);
  $pwVerified = validate_data($_POST['pwVerified']);

 //create connection

 // Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

$sql = "INSERT INTO company (name, address, zipcode, county, phone, email, password, pwVerified )
VALUES 
                ( '$name', '$address', '$zipcode','$county','$phone', '$email', '$password', '$pwVerified')";

if ($conn->query($sql) === TRUE) {

   // echo "New record created successfully";
} else {
    echo "Error: " . $sql . "<br>" . $conn->error;
}

$conn->close();

}else 
 { echo "there is a problem";}
include 'sign.php';

?>

yeah this `$data = mysqli_real_escape_string($data);` and no idea if your POST arrays contain values or not. That function requires a db connection passed to it. `$data = mysqli_real_escape_string($conn, $data);` (for one thing). — Funk Forty Niner, Jul 01 '16 at 13:58
`validate_data($data) ` supposed to be a function : `function validate_data($data)` — Arsh Singh, Jul 01 '16 at 13:58
see the first two comments. Plus, I wouldn't use that at all if I were you. Use a prepared statement and do away with all that. — Funk Forty Niner, Jul 01 '16 at 14:02
While you can define functions inside an IF it is a lot more logical at least in this case to NOT do that. and it requires the `function` keyword in front of it as well — RiggsFolly, Jul 01 '16 at 14:02
Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/) Even [if you are escaping inputs, its not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared statement and parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) — RiggsFolly, Jul 01 '16 at 14:03
possible duplicate of [How can I prevent SQL-injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) — Funk Forty Niner, Jul 01 '16 at 14:04
You test the result of creating a database connection **but you dont actually make a database connection** — RiggsFolly, Jul 01 '16 at 14:05
Some sensible code indentation would be a good idea. It help us read the code and more importantly it will help **you debug your code** [Take a quick look at a coding standard](http://www.php-fig.org/psr/psr-2/) for your own benefit. You may be asked to amend this code in a few weeks/months and you will thank me in the end. — RiggsFolly, Jul 01 '16 at 14:07
You did say ___Anyone spot anything?___ Should we stop now then or do you want all the ___Anythings___ Or should we just close this as a TYPO — RiggsFolly, Jul 01 '16 at 14:08
@BobMwenda and you think that this is going to work? `$data = mysqli_real_escape_string($data);` — Funk Forty Niner, Jul 01 '16 at 14:10
It looks as though you are storing passwords in the database in plain text. Which isn't advisable. — Progrock, Jul 01 '16 at 14:26

Bob Mwenda · Answer 1 · 2016-07-01T14:23:35.837

-1

Should be function validate_data($data). Comment 1 and 2. Thank you.

<?php
if( isset( $_POST['submit_form'] ) )
{

function validate_data($data)
{
  $data = trim($data);
  $data = stripslashes($data);
  $data = strip_tags($data);
  $data = htmlspecialchars($data);
  $data = mysqli_real_escape_string($conn, $data);
 return $data; //the rest

edited Jul 01 '16 at 14:23

answered Jul 01 '16 at 14:10

Bob Mwenda

89
1
9

`$data = mysqli_real_escape_string($data);` that will never work, believe me when I say this. – Funk Forty Niner Jul 01 '16 at 14:10
@Fred-ii- why not? – Progrock Jul 01 '16 at 14:12
@Progrock Do I really have to tell you? If I do, then you don't know how that works. – Funk Forty Niner Jul 01 '16 at 14:12
Funny because it worked for me. Or else how should it be? Kindly? – Bob Mwenda Jul 01 '16 at 14:12
@BobMwenda I find that rather hard to believe. – Funk Forty Niner Jul 01 '16 at 14:13
@BobMwenda the most funny thing is , you posted an question and then you picked an answer from comment and posted it as answer and saying it should be a function. – Arsh Singh Jul 01 '16 at 14:14
Read the manual on that function http://php.net/manual/en/mysqli.real-escape-string.php - Procedural `string mysqli_real_escape_string ( mysqli $link , string $escapestr )` and you have one parameter. – Funk Forty Niner Jul 01 '16 at 14:14
@Fred-ii- that's a better and less pompous comment. – Progrock Jul 01 '16 at 14:17
@BobMwenda I noticed you modified your answer to contain the db connection to the escape function, thank you. However you know that you can do away with all of that and just use a MySQLi_ or PDO prepared statement ;-) – Funk Forty Niner Jul 02 '16 at 14:14
@Fred-ii- is my method secure from SQL injections? Do I need to have some extra layer for a starter? – Bob Mwenda Jul 02 '16 at 14:35
@BobMwenda To a certain point, yes. However and if you eventually use a (password) hashing method such as `password_hash()`, that method of yours may do more harm than good. A prepared statement takes care of all that and takes it into consideration. – Funk Forty Niner Jul 02 '16 at 14:37

POST Server side form validation

1 Answers1