
When I click the submit button without filling in the form, a new entry appears in the database with the ID, but the form keeps validating and showing the user "this field is required". So why is the form still submitting to the database?

Here is my code, kindly help. I am new to PHP and very tired of solving such problems.

<?php
include 'dbc.php'; // expected to define $mysqli, the open database connection

// define variables and set to empty values
$name_error = $email_error = $phone_error = $url_error = $message_error = "";
$name = $email = $phone = $message = $url = $success = "";

// form is submitted with POST method
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    // empty(), not isset(): a submitted form always sets the key, even when the field is blank
    if (empty($_POST["name"])) {
        $name_error = "Name is required";
    } else {
        $name = test_input($_POST["name"]);
        // check if name only contains letters and whitespace
        if (!preg_match("/^[a-zA-Z ]*$/", $name)) {
            $name_error = "Only letters and white space allowed";
        }
    }

    if (empty($_POST["email"])) {
        $email_error = "Email is required";
    } else {
        $email = test_input($_POST["email"]);
        // check if e-mail address is well-formed
        if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
            $email_error = "Invalid email format";
        }
    }

    if (empty($_POST["phone"])) {
        $phone_error = "Phone is required";
    } else {
        $phone = test_input($_POST["phone"]);
        // no format check is applied to the phone number yet
    }

    if (empty($_POST["url"])) {
        $url_error = "Website url is required";
    } else {
        $url = test_input($_POST["url"]);
        // check if URL address syntax is valid (this regular expression also allows dashes in the URL)
        if (!preg_match("/\b(?:(?:https?|ftp):\/\/|www\.)[-a-z0-9+&@#\/%?=~_|!:,.;]*[-a-z0-9+&@#\/%=~_|]/i", $url)) {
            $url_error = "Invalid URL";
        }
    }

    if (empty($_POST["message"])) {
        $message_error = "Message field is required";
    } else {
        $message = test_input($_POST["message"]);
    }

    if ($name_error == '' and $email_error == '' and $phone_error == '' and $url_error == '' and $message_error == '') {
        // build the e-mail body in its own variable so the validated $message is not overwritten
        $body = 'Hello Ladies';
        unset($_POST['submit']);
        foreach ($_POST as $key => $value) {
            $body .= "$key: $value\n";
        }

        $to = 'sample@email.com';
        $subject = 'Contact Form Submit';
        if (mail($to, $subject, $body)) {
            $success = "Message sent, thank you for contacting us!";
        }
    }

    // runs for every POST request, whether or not the checks above set an error
    $query = "INSERT INTO clients(name,email,phone,url,message) ";
    $query .= "VALUES('$name', '$email', '$phone', '$url', '$message') ";

    $create_user = mysqli_query($mysqli, $query);

    if (!$create_user) {
        die("QUERY FAILED. " . mysqli_error($mysqli));
    }
}

// trims, strips backslashes and HTML-escapes a field before it is used
function test_input($data) {
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}

I hope I don't get downvoted.

  • I notice this piece of code and you shouldn't use it. That function down there, doesn't help you here. Plus, this is a "logic" thing. – Funk Forty Niner Feb 06 '17 at 18:55

1 Answer

The only check actually being made before the query is run is

if ($_SERVER["REQUEST_METHOD"] == "POST") {

which means that the only requirement for inserting values is that the form is sent over POST, nothing else. This can be checked with a proper editor by seeing which brackets are wrapped around your query. You do some checks earlier in the code to validate and check the input, but this doesn't decide whether the query should be run or not.

If you move the closing-bracket } of the following if-block

if ($name_error == '' and $email_error == '' and $phone_error == '' and $url_error == '' and $message_error == ''){

to after the query is performed, the query will only run if it passed all your checks. (Place it after the following snippet.)

if (!$create_user) {
    die("QUERY FAILED. " . mysqli_error($mysqli));
}

In other remarks, your test_input() is rubbish (really) and you shouldn't use it. Parameterize your queries instead and filter the input with proper functions. There are validation filters and sanitation filters already implemented in PHP, you should use them if you need to.

You should prepare and bind the values of your queries using mysqli::prepare(), this will handle any issues dealing with quotes and protect your database against SQL injection.

– Qirel
  • Thanks a lot, mate. I am new to PHP, so this kind of behaviour in coding is not acceptable; I must follow what you have said. One question: should I really care about if ($_SERVER["REQUEST_METHOD"] == "POST")? – user3465481 Feb 07 '17 at 04:12
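The following is an added example, not the asker's code or the answerer's: it shows the handler restructured the way the answer describes, with the INSERT inside the "all checks passed" block and written as a prepared statement, and with PHP's own validation filters in place of test_input(). It assumes, as in the question, that dbc.php defines a connected mysqli object in $mysqli and that the clients table has the columns name, email, phone, url and message; the phone-number pattern is an assumption, since the original applied no phone check. HTML escaping is left to output time rather than applied before storage.

```php
<?php
// Added example (not from the original post). Assumes dbc.php provides $mysqli
// and that table `clients` has columns name, email, phone, url, message.
declare(strict_types=1);

/**
 * Validate the raw POST fields. Returns [$errors, $values]; $errors is empty
 * only when every field is acceptable. Nothing is HTML-escaped here: escape
 * with htmlspecialchars() when the values are printed, not before storing them.
 */
function validate_contact(array $post): array
{
    $errors = [];
    $values = [];

    $name = trim((string)($post['name'] ?? ''));
    if ($name === '') {
        $errors['name'] = 'Name is required';
    } elseif (!preg_match('/^[a-zA-Z ]+$/', $name)) {
        $errors['name'] = 'Only letters and white space allowed';
    }
    $values['name'] = $name;

    $email = trim((string)($post['email'] ?? ''));
    if ($email === '') {
        $errors['email'] = 'Email is required';
    } elseif (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Invalid email format';
    }
    $values['email'] = $email;

    $phone = trim((string)($post['phone'] ?? ''));
    if ($phone === '') {
        $errors['phone'] = 'Phone is required';
    } elseif (!preg_match('/^\+?[0-9][0-9 ()-]{5,19}$/', $phone)) { // assumed format
        $errors['phone'] = 'Invalid phone number';
    }
    $values['phone'] = $phone;

    $url = trim((string)($post['url'] ?? ''));
    if ($url === '') {
        $errors['url'] = 'Website url is required';
    } elseif (filter_var($url, FILTER_VALIDATE_URL) === false
        || !in_array(parse_url($url, PHP_URL_SCHEME), ['http', 'https'], true)) {
        $errors['url'] = 'Invalid URL';
    }
    $values['url'] = $url;

    $message = trim((string)($post['message'] ?? ''));
    if ($message === '') {
        $errors['message'] = 'Message field is required';
    }
    $values['message'] = $message;

    return [$errors, $values];
}

/**
 * Insert one row with a prepared statement. The values are sent separately
 * from the SQL text, so quotes in the input cannot change the query.
 */
function save_client(mysqli $mysqli, array $v): void
{
    $stmt = $mysqli->prepare(
        'INSERT INTO clients (name, email, phone, url, message) VALUES (?, ?, ?, ?, ?)'
    );
    $stmt->bind_param('sssss', $v['name'], $v['email'], $v['phone'], $v['url'], $v['message']);
    $stmt->execute();
    $stmt->close();
}

$success = '';
$errors = [];

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    [$errors, $values] = validate_contact($_POST);

    if ($errors === []) {   // gate: insert and mail only when every check passed
        mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures throw
        include 'dbc.php';                                         // defines $mysqli
        save_client($mysqli, $values);

        $body = '';
        foreach ($values as $key => $value) {
            $body .= "$key: $value\n";
        }
        if (mail('sample@email.com', 'Contact Form Submit', $body)) {
            $success = 'Message sent, thank you for contacting us!';
        }
    }
    // otherwise fall through and re-render the form, printing
    // htmlspecialchars($errors['name']) etc. next to each field
}
```

Keeping validate_contact() free of database and output concerns makes the gate easy to see and easy to test: the INSERT and the mail() call are physically inside the branch that only runs when the returned $errors array is empty, which is the structural fix the answer asks for. The mysqli_report() call makes a failed prepare or execute throw instead of silently returning false, so there is no longer a need for the die(mysqli_error()) pattern, which also avoids echoing database error text to the browser.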