
I am accepting a Permanent Account Number (PAN) from the user and, before submitting, I check whether the PAN number already exists in the DB. It is working and I also get an error saying that the PAN no. is already registered. If I ignore the error, do not change the PAN number and proceed to submit, it goes into the database.

I have observed that after the validation check, the entered number stays there. I wish to know how I can empty the input box after getting the error. If it remains empty, the submit button will not work. So how can I delete the entered number from the input box once the error appears, and how can I get the cursor focus in the input box?

Thanks


HTML

<input name="panno" type="text"  id="panno" style="width:219px;" />
<span id="pan_status1"></span>

FUNCTION

$("#panno").change(function () {
    // Show a spinner next to the field while the server checks the number
    $("#pan_status1").html('<img src="images/9.gif" align="absmiddle">&nbsp;Loading Please wait...');
    var id = $(this).val();
    $.ajax({
        type: "POST",
        url: "checkp.php",
        data: { panno: id },   // let jQuery URL-encode the value instead of concatenating 'panno=' + id
        cache: false,
        success: function (html) {
            // Whatever checkp.php prints is placed next to the input box as-is
            $("#pan_status1").html(html);
        }
    });
});

CHECKP.PHP

<?php

require("connection/config.php");

if (isset($_POST['panno'])) {
    $mpan = $_POST['panno'];

    // $mpan is spliced straight into the SQL string, unescaped
    $sql_check = mysql_query("select * from register where pan_no='" . $mpan . "'") or die(mysql_error());

    if (mysql_num_rows($sql_check)) {
        // was $madhar, which is never defined; the number to show is $mpan
        echo '<font color="red"><STRONG>' . $mpan . '</STRONG> is already registered.</font>';

        $response = array();
        $response['successStatus'] = 'error';
        $response['responseMessage'] = $erroMessage;   // never assigned, so it encodes as null
        header('Content-type: application/json');      // sent after the echo above, so it is ignored
        echo json_encode($response);
    } else {
        $response = array();
        $response['successStatus'] = 'success';
        $response['responseMessage'] = $erroMessage;   // never assigned, so it encodes as null
        header('Content-type: application/json');
        echo json_encode($response);
    }
}
?>

EDIT

I made changes in the PHP file. Now when I enter the PAN number and the entered PAN number does not exist in the database, I get the following output next to the input button:

{"successStatus":"success","responseMessage":null}

and if it exists, I get the following:

123456789012 is already registered.{"successStatus":"error","responseMessage":null}

Now that the status is captured, how can I make the input field empty if the status is error?

I do not want to show the html / json output if the status is success and want to show ONLY the html if the status is error.

Sabha
  • You must validate server-side, *always*. – Jay Blanchard Jul 08 '16 at 13:22
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Jul 08 '16 at 13:22
  • ***Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php).*** [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Jul 08 '16 at 13:22
  • Do you like getting your websites hacked? – Alon Eitan Jul 08 '16 at 13:22
  • Thank you for the inputs. I have planned to change it to MySQLi as there are lots and lots of file pending to be changed. I am going to change that soon. Meanwhile, presently I am stuck here and appreciate if you guys can tell me how to get the focus back to the input box removing the entered contents once the error appears. Thanks – Sabha Jul 08 '16 at 13:29

2 Answers


Since mysql (the PHP extension) is deprecated, you should use mysqli to execute your SQL code. Next would be to escape your incoming POST request, because you don't want to get hacked via an SQL injection.

You can respond with JSON in order to tell the client side (jQuery) whether you got an error or not.

Moreover, don't send PHP errors to a client, you can use a try / catch solution.

Cobuz Alexandru
  • This is not what the OP is asking – Alon Eitan Jul 08 '16 at 13:35
  • Oh, Alon, I think that what Cobuz said here is on-point. :-) While it may not be a "direct, literal" answer, it is certainly relevant. ### To clarify, perhaps, what Cobuz is maybe suggesting: "throwing an exception" is a very handy way to do validation. The code in the server can set a `try{}` block around its call to the inside function, and you arrange for that code to "throw an exception" if anything goes wrong. The exception is summarily caught, and can be used to create an error-message. (A common `function` is often used to do that part.) – Mike Robinson Jul 08 '16 at 18:04

It is straightforward enough to clear the field, although the user might not wish for you to do so, especially if they're a slow typist. (They can say to themselves, "d'oh, I swapped two numbers!" and fix their actual tpyo, then push the button again.)

I suggest that what you need to do here is to have your JavaScript remember that the server told it (by means of the POST result) that the number was not valid. (Or, better yet, to remember that it has not yet told you that a particular number is valid.) If the user pushes the button anyway, you can give him an informative message, and not send the server anything.

And then, no matter what, you must also validate the incoming information on the server side. Even though you provide an AJAX-call to validate a PAN number, the server is ultimately responsible for ensuring that the database is updated correctly. It must check again to see that the number is valid, before posting it to the database. And, you must provide appropriate tests of that result, in your JavaScript: to see if the post succeeded, and if not, why not.

Your JavaScript should not knowingly send a missing or invalid PAN number to the host. However, the host must not assume that the client is "doing the right thing." Ultimate responsibility for the content of the database lies with the host.

Mike Robinson
  • I am validating the entire page before submitting, and there is already a validation at the end that, if any of the input boxes is empty, does not allow it to go ahead. But in this case the value from the input box is not cleared, so it takes invalid input too. Can you please tell me what changes I need to clear the input box after displaying the error `pan number is already registered`? – Sabha Jul 08 '16 at 17:57
  • Do I need an else statement in my `checkp.php` file that can be captured to empty the input box? – Sabha Jul 08 '16 at 17:58
  • What I have in mind is that you would *repeat* the query that is performed by this bit of code, *a second time.* (Or, of course, you could put the test into a `function` that is called from two places ...) The code that is about to insert a new PAN into the table must first check the PAN. (In fact, it must do it *thoroughly.* Check that it consists of exactly so-many digits, and so forth. Everything. – Mike Robinson Jul 08 '16 at 18:01
  • Always remember the possibility of a "playback attack," where someone captures the POST sequences that your client is sending, then *tampers with* them and presents them to your server, hoping that your server will believe that it is talking to "its trusted JavaScript counterpart," when it is **not.** *("Yeah, there are some real pure-a#sholes out there ...")* – Mike Robinson Jul 08 '16 at 18:02
  • Sorry, but I am unable to understand what you are saying, and I am not even understanding how this bit of code is working. What I am understanding is that checkp.php gives a message that the PAN number is already registered if the query returns a row. What I need to do is: if it doesn't return a row from the query, then empty the input box after displaying the message. I need help with the syntax for how I can achieve this. – Sabha Jul 08 '16 at 18:04
  • Okay, I'm talking about *additions* to the code that actually does the SQL `INSERT`. Before this code actually does this, it first contains several `if` statements in which it checks: *"is the PAN-number exactly 10 digits?" "does this PAN already exist in the database?"* And so on. Then, and only then, does it insert anything. Your existing checker is simply an AJAX-responder, but you must not rely on it. When the client asks for the code to be inserted, the server must *verify* that the request is correct. Someone could purposely throw garbage at you, literally to see what happens. – Mike Robinson Jul 08 '16 at 18:09
  • I'm afraid that I can't "write code for you." I can, and did, *point out* what needs be done, but I can't do it for you. Perhaps someone else will provide a "code-writing" answer. Please understand. – Mike Robinson Jul 08 '16 at 18:10
  • I have edited my question. Can you please advise something? Thanks – Sabha Jul 08 '16 at 19:03
  • What can I say, exactly? Looks like you're almost there. I see that you are printing the `json_encode` of the `response` that you received, and that you've provided a `successStatus` element in that response which you can easily test. So ... go ahead and *do* that! **:-)** You don't seem to need any more hand-holding . . . – Mike Robinson Jul 08 '16 at 19:06
  • I am happy to hear that. No matter what changes I make, I am unable to achieve it. I guess my problem is the syntax, or maybe I am editing the script at some incorrect place. Please help me. It's getting frustrating. – Sabha Jul 08 '16 at 19:10
  • Take a break, and look at it again tomorrow. – Mike Robinson Jul 08 '16 at 19:14
  • It doesn't seem to be happening. Appreciate it if you can help me here! Thanks – Sabha Jul 09 '16 at 06:24
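As an added example (not the question's or the answerers' code), here is what the server side looks like when the two pieces of advice in this thread are applied together: the AJAX checker and the INSERT path share one validation routine, the lookup uses a mysqli prepared statement instead of a concatenated mysql_query(), and checkp.php returns only JSON. It assumes PHP 7.1+, that connection/config.php provides a connected mysqli object in $db, and that the two functions would be moved to a shared include so the form's submit handler can call registerPan without triggering the checker's output.

```php
<?php
// Added example (not the question's code): one validation routine shared by
// the AJAX checker and the INSERT path, using mysqli prepared statements in
// place of string-concatenated mysql_query(). Assumes connection/config.php
// defines $db as a connected mysqli object; register/pan_no are the question's.
require 'connection/config.php';
// Official PAN layout: 5 letters, 4 digits, 1 letter (e.g. ABCDE1234F).
const PAN_PATTERN = '/^[A-Z]{5}[0-9]{4}[A-Z]$/';

// Returns null when $pan is acceptable, otherwise a message for the user.
function validatePan(mysqli $db, string $pan): ?string
{
    $pan = strtoupper(trim($pan));
    if (!preg_match(PAN_PATTERN, $pan)) {
        return 'PAN must be 5 letters, 4 digits and 1 letter.';
    }
    // Bound parameter: the value is never spliced into the SQL text.
    $stmt = $db->prepare('SELECT 1 FROM register WHERE pan_no = ? LIMIT 1');
    $stmt->bind_param('s', $pan);
    $stmt->execute();
    $stmt->store_result();
    $exists = $stmt->num_rows > 0;
    $stmt->close();
    return $exists ? "$pan is already registered." : null;
}

// Registration: re-run the same check before writing, since the client may
// have skipped the AJAX check or replayed a tampered POST. A UNIQUE index on
// register.pan_no still has to cover the race between this check and INSERT.
function registerPan(mysqli $db, string $pan): bool
{
    $pan = strtoupper(trim($pan));
    if (validatePan($db, $pan) !== null) {
        return false;
    }
    $stmt = $db->prepare('INSERT INTO register (pan_no) VALUES (?)'); // other columns omitted
    $stmt->bind_param('s', $pan);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// checkp.php body: JSON only; header before any output so the client tests successStatus.
header('Content-Type: application/json');
$error = validatePan($db, $_POST['panno'] ?? '');
echo json_encode([
    'successStatus'   => $error === null ? 'success' : 'error',
    'responseMessage' => $error, // null on success
]);
```

With a JSON-only response, the jQuery success handler can call JSON.parse on the body and act on successStatus, and the submit handler calls registerPan regardless of what the browser reported.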