I have a form that users can use to submit their information and comments to the website. However, I am having a problem validating my forms. For example, I can submit an empty form and add numbers in my name. By right it should be wrong and echo out the message. However, I can still submit it and my validation code is not working for the form. My code is below:

    <?php
error_reporting(~E_NOTICE); // avoid notice

require_once 'dbconfig.php';


if (isset($_POST['submitted'])) {
    $firstname  = $_POST['firstname'];//firstname
    $lastname = md5($_POST['lastname']);//password
    $phone = $_POST['phone']; // user name
    $enquiry  = $_POST['comment']; // user job


// Initialize error array.
    $errors = array();
    // Check for a proper First name
    if (!empty($_POST['firstname'])) {
        $firstname = $_POST['firstname'];
        $pattern = "/^[a-zA-Z0-9\_]{2,20}/"; // This is a regular expression that checks if the name is valid characters
        if (preg_match($pattern, $firstname)) {
            $firstname = $_POST['firstname'];
        } else {
            $errors[] = 'Your Name can only contain _, 1-9, A-Z or a-z 2-20 long.';
        }
    } else {
        $errors[] = 'You forgot to enter your First Name.';
    }

    // Check for a proper Last name
    if (!empty($_POST['lastname'])) {
        $lastname = $_POST['lastname'];
        $pattern = "/^[a-zA-Z0-9\_]{2,20}/"; // This is a regular expression that checks if the name is valid characters
        if (preg_match($pattern, $lastname)) {
            $lastname = $_POST['lastname'];
        } else {
            $errors[] = 'Your Name can only contain _, 1-9, A-Z or a-z 2-20 long.';
        }
    } else {
        $errors[] = 'You forgot to enter your Last Name.';
    }

    //Check for a valid phone number
    if (!empty($_POST['phone'])) {
        $phone = $_POST['phone'];
        $pattern = "/^[0-9\_]{7,20}/";
        if (preg_match($pattern, $phone)) {
            $phone = $_POST['phone'];
        } else {
            $errors[] = 'Your Phone number can only be numbers.';
        }
    } else {
        $errors[] = 'You forgot to enter your Phone number.';
    }
    if (!empty($_POST["comment"])) {
        $comment = $_POST['comment'];
    } else {
        $errors[] = 'You forgot to enter your enquiry infomation.';
    }
    // if no error occured, continue ....
    if (!isset($errMSG)) {
        $stmt = $DB_con->prepare('INSERT INTO user_message(firstname,lastname,phone,enquiry) VALUES(:fstname, :lastname, :phone, :enq)');
        $stmt->bindParam(':fstname', $firstname);
        $stmt->bindParam(':lastname', $lastname);
        $stmt->bindParam(':phone', $phone);
        $stmt->bindParam(':enq', $enquiry);


        if ($stmt->execute()) {
            $successMSG = "enquiry succesfully submitted ...";
            header("refresh:5;contactus.php"); // redirects image view page after 5 seconds.
        } else {
            $errMSG = "error while inserting....";
        }
    }
}
/////////////////////////////////////////////////////////////////////////////////////////

?>

<!DOCTYPE html>
<html>
    <head>
        <title>Boostrap 3 example</title>
        <meta charset="UTF-8">
        <meta name="viewport" content="width=device-width, initial-scale=1.0">

        <link rel="stylesheet" href="bootstrap3/css/bootstrap.min.css">
              <link href="../bootstrap/css/bootstrap.min.css" rel="stylesheet" type="text/css"/>

        <link href="css/maincss.css" rel="stylesheet" type="text/css"/>

    </head>

    <body>
        <div class="container">
            <?php
            if (isset($errMSG)) {
                ?>
                <div class="alert alert-danger">
                    <span class="glyphicon glyphicon-info-sign"></span> <strong><?php echo $errMSG; ?></strong>
                </div>
                <?php
            } else if (isset($successMSG)) {
                ?>
                <div class="alert alert-success">
                    <strong><span class="glyphicon glyphicon-info-sign"></span> <?php echo $successMSG; ?></strong>
                </div>
                <?php
            }
            ?>  
            <h2>Contact us</h2>
            <br/>
            <p>Fill out the form below.</p>
            <p>* required field.</p>
            <form method="post" enctype="multipart/form-data" class="form-horizontal">
                <table class="table table-bordered table-responsive">
                    <tr> 
                        <td><label >First Name*:</label></td>
                        <td><input name="firstname" type="text" value="" /></td>
                    </tr>
                    <tr> 
                        <td><label >Last Name: </label></td>
                        <td><input name="lastname" type="text" value="" /></td>
                    </tr>
                    <tr> 
                        <td><label >Phone Number: </label></td>
                        <td><input name="phone" type="text" value="" /></td>
                    </tr>
                    <tr> 
                        <td><label >Enquiry: </label></td>
                        <td><textarea name="comment" rows="5" cols="40"></textarea></td>
                    </tr>
                    <tr>
                        <td colspan="2">
                            <input name="" type="reset" value="Reset Form" /> 
                            <button type="submit" name="submitted" class="btn btn-default">Create</button><br/>

                        </td>
                    </tr>

                </table>
            </form>
        </div>
        <script src="js/jquery-1.12.3.js"></script>
        <script src="bootstrap3/js/bootstrap.js"></script>       
    </body>
</html>

This is my database design: enter image description here

xhinvis
  • You can add the `required` attribute to your `input`-tags if you are using HTML5. – MrDarkLynx Feb 09 '17 at 14:19
  • For the name you should use a regular expression like this `/^[A-z]+$/` because you need only the alphabet – stack overflow user Feb 09 '17 at 14:21
  • @stackoverflowuser - Some people have double names using spaces or hyphens. And a lot of people have characters that are not a-z. You can't be very strict, when it comes to names, or you risk alienating a lot of users. But the current validation is wrong, though. It does allow for numeric names and `_`, which I've never seen anyone having in their name? – M. Eriksson Feb 09 '17 at 14:24
  • @Magnus Eriksson Yes, my fault, I just wrote this validation very quickly without much thinking. However, some validations of this topic should do the job. [link](http://stackoverflow.com/questions/275160/regex-for-names) or, as you mentioned before, check only length. – stack overflow user Feb 09 '17 at 14:56

1 Answer

Issue 1

You populate an array called `$errors` with the error messages, but you then check `$errMSG`. That variable will never be set. Change to:

    if (!$errors) {
        // your database code
    }

That should stop it from inserting anything, if any errors occur.

Issue 2

Your regex allows for any alpha character and/or numeric values and/or underscores as long as it is between 2 and 20 characters long, which means that: aaaaaaaaaaaa, 1111111, _______ all are considered valid names.

Validating names is tricky, since there are people with characters outside of a-z (foreign names) and double names with spaces, dashes, apostrophes etc. I recommend to simply check the length of the name, like:

    // Both bounds must hold, so the two comparisons are joined with &&
    if (strlen(trim($firstname)) >= 2 && strlen(trim($firstname)) <= 20) {
        // .... ok
    } else {
        // .... error
    }

Note: I wouldn't have 20 as the maximum length. Your DB-columns are 100 in length so.. allow for that, at least. Don't assume that everyone has usual names.

Issue 3

In the beginning, you populate `$enquiry = $_POST['comment']`. Later, you do: `$comment = $_POST['comment']` and then use `$enquiry` in the database insert.

There are likely more things you could fix, but these are the ones that stand out and are the root of the issues in your question.

M. Eriksson
  • Thx!! The code is working now but I am not so sure how to apply the Issue 2 solution to my code. May u extend a little bit on this ? – xhinvis Feb 09 '17 at 15:30
  • Simply replace your `if (preg_match(....))`. If this answer solved your issue, feel free to mark it as answered. – M. Eriksson Feb 09 '17 at 15:33
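
The three fixes from the answer combined into one validation routine, as an added example that is not part of the original question or answer. `validate_enquiry()` and `field()` are hypothetical helper names, the sample inputs are constructed, and the mbstring extension is assumed; the example also anchors the phone pattern at both ends, which the answer does not cover.

```php
<?php
// Added example: validate_enquiry(), field() and the sample inputs are
// constructed here; only the form field names come from the question.

function field(array $post, string $key): string
{
    $raw = $post[$key] ?? '';
    return is_string($raw) ? trim($raw) : '';  // arrays (firstname[]=x) count as empty
}

function validate_enquiry(array $post): array
{
    $errors = [];
    $clean  = [];
    // Names: length check only (2 to 100 characters, 100 being the column length).
    foreach (['firstname' => 'First Name', 'lastname' => 'Last Name'] as $key => $label) {
        $clean[$key] = field($post, $key);
        $len = mb_strlen($clean[$key], 'UTF-8');  // assumes the mbstring extension
        if (!($len >= 2 && $len <= 100)) {        // both bounds must hold: &&, not ||
            $errors[] = "$label must be 2 to 100 characters long.";
        }
    }
    // Phone: \A and \z anchor both ends. The question's pattern had only ^,
    // so input that merely started with seven digits was accepted.
    $clean['phone'] = field($post, 'phone');
    if (preg_match('/\A[0-9]{7,20}\z/', $clean['phone']) !== 1) {
        $errors[] = 'Your Phone number must be 7 to 20 digits.';
    }
    // Enquiry: one name from validation through to the insert.
    $clean['enquiry'] = field($post, 'comment');
    if ($clean['enquiry'] === '') {
        $errors[] = 'You forgot to enter your enquiry information.';
    }
    return [$clean, $errors];
}

// Constructed sample submissions: one valid, one invalid in every field.
$samples = [
    ['firstname' => 'Zoë', 'lastname' => "O'Neil-Smith", 'phone' => '5551234567', 'comment' => 'Hello'],
    ['firstname' => '', 'lastname' => 'X', 'phone' => '1234567abc', 'comment' => ''],
];
foreach ($samples as $post) {
    [$clean, $errors] = validate_enquiry($post);
    // Gate the INSERT on $errors, the array validation actually fills.
    echo $errors ? implode(PHP_EOL, $errors) : 'OK: bind $clean to the prepared statement', PHP_EOL;
}
```

The second sample's phone value `1234567abc` passes the question's pattern `/^[0-9\_]{7,20}/` because nothing after the first seven digits is checked.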