
Here I am going to insert the user details. My insert_search.php contains the form fields and insert_dummy.php contains the insert code for entering user details. My problem is how to validate PHP post variables and where I need to insert the validation code, either in insert_search.php or in insert_dummy.php? As I am new to PHP. Thank you in advance. insert_search.php

<?php
include('header/page_header.php');
$user="root";
$server="localhost";
$password="";
$db="coedsproddb1";
$dbconn= mysql_connect($server,$user,$password);
mysql_select_db($db,$dbconn);

?>
<html>
<head><title>Insert</title>
<link rel="stylesheet" href="css/bookstyles.css">
<link rel="stylesheet" href="css/jquery-ui.css">
<script src="js/jquery-1.12.4.js"></script>
  <script src="js/jquery-ui.js"></script>
</head>
<body>
<div class="container">

<style>
#display {
color:red;
font-size:12px;
text-align:center;
}
.logo {
padding:5px;
float:right;
}
header {
background-color:#074e7c;
height:60px;
width:100%;
text-align:center;
color:white;
font-size:40px;

}
#wrap {
text-align:center;
}
table ,tr,td {
border-collapse:collapse;
}
</style>
<?php
$end_date1 = date('Y-m-d', strtotime("+3 months"));
 $end_date2 = date('Y-m-d', strtotime("+6 months"));
 $end_date3 = date('Y-m-d', strtotime("+9 months"));
 if ($_SERVER["REQUEST_METHOD"] == "POST") {
    if (empty($_POST["userName"])) {
        $userNameErr = "Missing";
    }
    else {
        $userName = $_POST["userName"];
    }

    if (empty($_POST["userEmail"])) {
        $userEmailErr = "Missing";
    }
    else {
        $userEmail = $_POST["userEmail"];
    }

    if (empty($_POST["userPassword"]))  {
        $userPasswordErr = "Missing";
    }
    else {
        $userPassword = $_POST["userPassword"];
    }


}
 ?>
<form name="useradd" id="useradd" action="insert_dummy.php" method="post">
<!-- end_date is posted by the <select> below; a second hidden input with the same name would only shadow it -->
<input type="hidden" name="userId" id="userId" value="<?php echo isset($userid) ? htmlspecialchars($userid) : ''; ?>" >
<table align='center' border='1'>


    <tr>

           <td> <label for="userName">UserName</label></td>
            <td ><input id="userName" name="userName"  type="text" /></td>


        </tr>
        <tr>
        <td> <label for="userEmail">Email</label></td>
        <td ><input id="userEmail" name="userEmail" type="text"/></td>
        </tr>
        <tr>
        <td>
            <label for="userPassword">password</label></td>
            <td ><input id="userPassword" name="userPassword" type="password" /></td>


        </tr>
        <tr>
        <td>
            <label for="expiry_date">Application_expiry_date</label></td>
            <td ><input id="expiry_date" name="expiry_date" type="text" /></td>


        </tr>
        <tr>
        <td> <label for="end_date">EndDate</label></td>
        <td >  <select name="end_date" id="end_date">
             <option value="<?php echo $end_date1; ?>"><?php echo $end_date1; ?></option>
             <option value="<?php echo $end_date2; ?>"><?php echo $end_date2; ?></option>
             <option value="<?php echo $end_date3; ?>"><?php echo $end_date3; ?></option>
        </select>
        </td>
        </tr>









        </table>



<br>



<div id="wrap">
<input type="submit" name="add" value="add" id="add">
</div>
</form>
<div id="display">
</div>

</div>

<!-- tooltip initialiser, disabled in the original (the opening comment marker was missing):
<script type="text/javascript">
$(document).ready(function() {

    $(".tooltip").click(function(e) {
     $('[data-toggle="tooltip"]').tooltip();
     e.preventDefault();
     });
     });
     </script>-->
     <script type="text/javascript" >
    $(document).ready(function() {
    $( "#expiry_date" ).datepicker();
    $("#menuwrapper").hide();
    $("#unicode").click(function() {
        $("#menuwrapper").slideToggle(500);
    });
    });
</script>   




</body>
</html>

insert_dummy.php

<html>
<head><title>Insertion</title>

</head>
<body>
<style>

#colour {
text-decoration:none;
}
</style>
<div id="display">
<?php
include('header/page_header.php');
include('db.php');




$userName=mysql_real_escape_string($_POST['userName']);
$userEmail=mysql_real_escape_string($_POST['userEmail']);
$userPassword=mysql_real_escape_string($_POST['userPassword']);
$expiry_date1=mysql_real_escape_string($_POST['expiry_date']);
$expiry_date=date("Y-m-d" ,strtotime($expiry_date1));
$end_date1=mysql_real_escape_string($_POST['end_date']);
$end_date=date("Y-m-d",strtotime($end_date1));



 $regDate = date("Y-m-d");



// Builds a random registration key. mt_rand() is not a cryptographic generator;
// on PHP 7+ use random_int(0, strlen($possible)-1) for a key that has to be unguessable.
function generateCode($characters)
{
    $possible = '23456789abcdefghjkmnpqrstuvwxyz!@#$%^&*';
    $code = '';
    $i = 0;
    while ($i < $characters) {
        $code .= substr($possible, mt_rand(0, strlen($possible)-1), 1);
        $i++;
    }
    return $code;
}

$registration_key=generateCode(10);



$str="insert into coeds_user(userName,userEmail,userPassword,regDate,expiry_date,registration_key) values('$userName','$userEmail','$userPassword','$regDate','$expiry_date','$registration_key')";


$query=mysql_query($str);
$userid=mysql_insert_id();
if($query)
{
$display="Success";
}
/*$string="select chapter_no from chapter_details ";
echo $string;
$query7=mysql_query($string);

$count=mysql_num_rows($query7);
for($i=0;$i<$count;$i++)
{
$chap_lic=generateCode(50);
$chapter_no=mysql_result($query7,$i,'chapter_no');
$start_date=date('Y-m-d');
$expiry_date=mysql_real_escape_string($_POST['end_date']);
$end_date=mysql_real_escape_string($_POST['end_date']);

$s="insert into chapter_subscriptions (userId,chapter_no,start_date,end_date) values($userid,$chapter_no,'$start_date','$end_date')";

$query8=mysql_query($s);
}
}*/
else
{
$display= "Failed";
}
/*$str="select * from chapter_subscriptions where userId=$userid";
$query7=mysql_query($str);
$display.="<table border='1' align='center'>";
$display.="<tr><th>ChapterNumber</th><th>StartDate</th><th>EndDate</th><th>ChapterLicense</th><th colspan='2'>Action</th></tr>";
while($result=mysql_fetch_array($query7))
{
$display.="<tr>";
$display.="<td>".$result['chapter_no']."</td>";
$display.="<td>".$result['start_date']."</td>";


$display.="<td>".$result['end_date']."</td>";
$display.="<td>".$result['chap_lic']."</td>";

$display.="<td><a id='colour' class='tooltip' title='Edit' href='chapter_subscription_update.php?user_Id=".$result['userId']."'><img id='image' src='./images/small.gif'/></a></td>";
$display.="<td><a id='colour' class='tooltip' data-toggle='tooltip' title='Delete' href='chapter_subscription_delete.php?user_Id=".$result['userId']." '><img id='image' src='./images/trash.png'/></a></td>";

$display.="</tr>";
}
$display.="</table>";*/








$string="select * from coeds_user where userId=$userid";
$query2=mysql_query($string);
$display.="<table border='1' align='center'>";
$display.="<tr><th>UserName</th><th>UserEmail</th><th>UserPassword</th><th>RegDate</th><th>ExpiryDate</th><th>RegistrationKey</th><th colspan='3'>Action</th></tr>";
while($result=mysql_fetch_array($query2))
{
$display.="<tr>";

$display.="<td>".$result['userName']."</td>";
$display.="<td>".$result['userEmail']."</td>";
$display.="<td>".$result['userPassword']."</td>";
$display.="<td>".$result['regDate']."</td>";
$display.="<td>".$result['expiry_date']."</td>";
$display.="<td>".$result['registration_key']."</td>";
$display.="<td><a id='colour' class='tooltip' title='Edit' href='user_update.php?user_Id=".$result['userId']."'><img id='image' src='./images/small.gif'/></a></td>";
$display.="<td><a id='colour' class='tooltip' data-toggle='tooltip' title='Delete' href='user_delete.php?user_Id=".$result['userId']." '><img id='image' src='./images/trash.png'/></a></td>";

$display.="<td><a id='colour' class='tooltip' data-toggle='tooltip' title='insert' href='chapter_subscription_search.php?user_Id=".$result['userId']." '>i</a></td>";
$display.="</tr>";

 $end_date1 = date('Y-m-d', strtotime("+3 months"));
 $end_date2 = date('Y-m-d', strtotime("+6 months"));
 $end_date3 = date('Y-m-d', strtotime("+9 months"));
 $page="";


 ?>

<table align='center' border='1'>

    <tr>

           <td> <label for="userId">UserId</label></td>
            <td ><input id="userId" name="userId"  type="text" value="<?php echo $userid;?>"/></td>


        </tr>
        <tr>
        <td> <label for="userName">UserName</label></td>
        <td ><input id="userName" name="userName" type="text" value="<?php echo $result['userName'];?>"/></td>
        </tr>
        <tr>
        <td> <label for="userEmail">UserEmail</label></td>
        <td ><input id="userEmail" name="userEmail" type="text" value="<?php echo $result['userEmail'];?>"/></td>
        </tr>
        <tr>
        <td> <label for="userPassword">UserPassword</label></td>
        <td ><input id="userPassword" name="userPassword" type="password" value="<?php echo $result['userPassword'];?>"/></td>
        </tr>
        <tr>
        <td> <label for="expiry_date">ExpiryDate</label></td>
        <td ><input id="expiry_date" name="expiry_date" type="text" value="<?php echo $result['expiry_date'];?>"/></td>
        </tr>
        <tr>
        <td> <label for="end_date">EndDate</label></td>
        <td >  <select name="end_date" id="end_date">
             <option value="<?php echo $end_date1; ?>"><?php echo $end_date1; ?></option>
             <option value="<?php echo $end_date2; ?>"><?php echo $end_date2; ?></option>
             <option value="<?php echo $end_date3; ?>"><?php echo $end_date3; ?></option>

        </select>
</td>
        </tr>




        </table>

<?php
}
// close the user table once, after the loop, not inside it
$display.="</table>";
$str="select chapter_no from chapter_details ";


$query7=mysql_query($str);

$count=mysql_num_rows($query7);
for($i=0;$i<$count;$i++)
{
$chap_lic=generateCode(50);
$chapter_no=mysql_result($query7,$i,'chapter_no');
$start_date=date('Y-m-d');
$expiry_date=mysql_real_escape_string($_POST['end_date']);
$end_date1=mysql_real_escape_string($_POST['end_date']);
$end_date=date("Y-m-d",strtotime($end_date1));
$s="insert into chapter_subscriptions (userId,chapter_no,start_date,end_date) values($userid,$chapter_no,'$start_date','$end_date')";

$query8=mysql_query($s);
}
$strings="select * from chapter_subscriptions where userId=$userid";
$query9=mysql_query($strings);
$display.="<table border='1' align='center'>";
$display.="<tr><th>ChapterNumber</th><th>StartDate</th><th>EndDate</th><th colspan='2'>Action</th></tr>";
while($result=mysql_fetch_array($query9))
{
$display.="<tr>";
$display.="<td>".$result['chapter_no']."</td>";
$display.="<td>".$result['start_date']."</td>";


$display.="<td>".$result['end_date']."</td>";


$display.="<td><a id='colour' class='tooltip' title='Edit' href='chapter_subscription_update.php?user_Id=".$result['userId']."'><img id='image' src='./images/small.gif'/></a></td>";
$display.="<td><a id='colour' class='tooltip' data-toggle='tooltip' title='Delete' href='chapter_subscription_delete.php?user_Id=".$result['userId']." '><img id='image' src='./images/trash.png'/></a></td>";

$display.="</tr>";
}
$display.="</table>";


echo $display;


?>
</div>
 <script type="text/javascript">
    $(document).ready(function() {
    $( "#expiry_date" ).datepicker();
    $("#menuwrapper").hide();
    $("#unicode").click(function() {
        $("#menuwrapper").slideToggle(500);
    });
    });

</script>   


</body>
</html>
Vradhit
  • what is not working? – Gert Mar 31 '17 at 10:40
    Never paste so long code .. No one will try to read and you won't get answer. Just explain the question, give specific code for that and some one will help u – M A SIDDIQUI Mar 31 '17 at 10:40
    **Warning**: You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) which has been **removed** entirely from the latest version of PHP. You should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). – Quentin Mar 31 '17 at 10:41
  • If you are asking where to write your validation, I should say you ought to have it in both server side and client side, i.e in your case in both files. – SachinSunny Mar 31 '17 at 10:44

2 Answers

You always validate in the PHP file that accepts user input (GET, POST or whatever you use), i.e. in insert_dummy.php.

Anything before that can be circumvented most of the time by passing parameters in the URL or programmatically generating the form data.

Form validation in the actual form is for user convenience only, so they don't have to send the form and get an "error, bad form fields" error from the PHP file that does the actual information saving (unless you implement something needlessly complicated like hashing the form data, but then you'd need to validate that and you'd have the hashing code exposed as JavaScript anyway).

As for how: only you know what kind of data you accept (username / password length, complexity, etc.), so you will have to write a custom function to do it and run it before passing anything to the database part.

DocWeird

After reading your example I think you just want to know if you're doing it right... Right?

I'll show you something. Consider that you have the following variables being returned from your form: name, email, phone, subject and message (contact form). And you'll send them by POST. The best way you can check if it's your form calling your action file is to check all these names in POST.

$isMyForm = isset($_POST, $_POST['name'], $_POST['email'], $_POST['phone'], $_POST['subject'], $_POST['message']);

This will result in TRUE if every test passes or FALSE if something is missing. Don't be afraid: unless your inputs are checkboxes, you'll receive them every time.

But the data may come empty!

$isMyForm just verifies whether the expected indexes really exist in $_POST; it is not validating. So you can do something like this:

if(!$isMyForm)
    exit("Ops! Something's missing.");

And then test each input without PHP errors! I'm sorry, but the next steps you should try by yourself. If you want some tips like "how to validate email on PHP?" you can try THIS. There's a lot of information here.

EDIT

Please be careful with exit(); when $isMyForm is false. In your case that would be something like this:

$isMyForm = isset($_POST, $_POST['name'], $_POST['email'], $_POST['phone'], $_POST['subject'], $_POST['message']);
if($isMyForm) {
    // your action should run here
}
Kaique Garcia
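Putting both answers together for the question's own form (the presence check from the second answer, then the custom per-field checks the first answer asks for, all inside insert_dummy.php before any database call), as an added example that is not code from the question or either answer. The field names are the question's; the length limits, the allowed name characters and the mm/dd/yyyy format the datepicker sends are assumptions.

```php
<?php
// Added example (not from the question or the answers): server-side validation of
// the insert_search.php fields, to run at the top of insert_dummy.php before any
// database work. Limits, the name charset and the mm/dd/yyyy format are assumptions.
function validateUserPost(array $post): array
{
    $errors = [];
    // Step 1 (second answer): every field the form sends must be present.
    foreach (['userName', 'userEmail', 'userPassword', 'expiry_date', 'end_date'] as $f) {
        if (!isset($post[$f]) || !is_string($post[$f])) {
            $errors[$f] = 'missing';
        }
    }
    if ($errors) {
        return $errors;   // not our form (or tampered): stop before looking at values
    }
    // Step 2 (first answer): check each value against what the application accepts.
    if (!preg_match('/^[A-Za-z0-9_.-]{1,50}$/', trim($post['userName']))) {
        $errors['userName'] = '1-50 letters, digits, "_", "." or "-"';
    }
    if (filter_var($post['userEmail'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['userEmail'] = 'not a valid e-mail address';
    }
    if (strlen($post['userPassword']) < 8) {
        $errors['userPassword'] = 'at least 8 characters';
    }
    // Parse the date strictly; strtotime() silently accepts almost any string.
    $expiry = DateTime::createFromFormat('!m/d/Y', $post['expiry_date']);
    $warn = DateTime::getLastErrors();
    if ($expiry === false || ($warn && $warn['warning_count'] > 0)
        || $expiry < new DateTime('today')) {
        $errors['expiry_date'] = 'mm/dd/yyyy, today or later';
    }
    // end_date comes from a <select>: accept only the three values the form offered.
    $offered = array_map(fn ($m) => date('Y-m-d', strtotime("+$m months")), [3, 6, 9]);
    if (!in_array($post['end_date'], $offered, true)) {
        $errors['end_date'] = 'not one of the offered end dates';
    }
    return $errors;
}
// insert_dummy.php: reject bad input before touching the database.
$errors = validateUserPost($_POST);
if ($errors) {
    http_response_code(400);
    foreach ($errors as $field => $msg) {
        echo htmlspecialchars("$field: $msg"), "<br>";
    }
    exit;
}
```

After the check passes, bind the values with a prepared statement (mysqli or PDO, the replacement the comment above recommends) instead of interpolating them into the SQL string, and store password_hash($_POST['userPassword'], PASSWORD_DEFAULT) rather than the plain-text password.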