
In this form, the user needs to insert three things: 'Make', 'Year' and 'Mileage'. The first one has to be a string, and the other two must be integers. If not, it will show an error. The problem is with the last two. If the user inputs 'Year' as a string and 'Mileage' as an integer (or vice versa), it does NOT show any error. Then I checked the database and found that the string value gets changed to 0 (zero) automatically. Maybe that is the reason for the failure in validation.

Here is the code:

<?php

if ( ! isset($_GET['name']) || strlen($_GET['name']) < 1  ) {
die("Name parameter missing");
}
if ( isset($_POST['logout']) ) {
    header('Location: index.php');
    return;
}

?>



<?php
require_once "pdo.php";

$failure = false;
$success = true;

if ( isset($_POST['make']) && isset($_POST['year']) && isset($_POST['mileage'])  ) {

  if (strlen($_POST['make']) < 1) {
    $failure = "Make is required";
  }
  else if( !is_numeric($_POST['year']) && !is_numeric($_POST['mileage']) ) {
    $failure = "Mileage and year must be numeric";
  }
  else {
    $stmt = $pdo->prepare('INSERT INTO autos
      (make, year, mileage) VALUES ( :mk, :yr, :mi)');
    $stmt->execute(array(
      ':mk' => htmlentities($_POST['make']),
      ':yr' => htmlentities($_POST['year']),
      ':mi' => htmlentities($_POST['mileage'])));
    $success =  "Record inserted";
  }
}
 ?>


<!DOCTYPE html>
<html>
<head>
<title>Kho. Iftekhar Alam</title>

<!-- Latest compiled and minified CSS -->
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" integrity="sha384-1q8mTJOASx8j1Au+a5WDVnPi2lkFfwwEAa8hDDdjZlpLegxhjVME1fgjWPGmkzs7" crossorigin="anonymous">

<!-- Optional theme -->
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap-theme.min.css" integrity="sha384-fLW2N01lMqjakBkx3l/M9EahuwpSfeNvV63J5ezn3uZzapT0u7EYsXMjQV+0En5r" crossorigin="anonymous">

</head>
<body>
<div class="container">
<h1>Tracking Autos for <?php echo htmlentities($_GET['name']); ?> </h1>
<?php

if ( $failure !== false ) {
    echo('<p style="color: red;">'.htmlentities($failure)."</p>\n");
}
if ( $success !== true ) {
    echo('<p style="color: green;">'.htmlentities($success)."</p>\n");
}
?>
<form method="post">
<p>Make:
<input type="text" name="make" size="60"/></p>
<p>Year:
<input type="text" name="year"/></p>
<p>Mileage:
<input type="text" name="mileage"/></p>
<input type="submit" value="Add">
<input type="submit" name="logout" value="Logout">
</form>

<h2>Automobiles</h2>
<ul>
  <?php
    $stm = $pdo->query("SELECT make,year,mileage from autos");
    while ($row = $stm->fetch(PDO::FETCH_ASSOC)) {
      echo "<li>";
      echo $row['year'].' '.$row['make'].' / '.$row['mileage'];
      echo "</li>";
    }
  ?>
</ul>
</div>
</body>
</html>
  • You probably made that field an integer instead of a varchar – John Conde May 04 '20 at 22:21
  • Please **do not** use `htmlentities()` on data going in to your database. That function is used to **display** data safely in an HTML document – Phil May 04 '20 at 22:43
  • @JohnConde I think the field being integer is the intention. The question says the two fields year and mileage must be integers. The error is in the validation routine, not in the database. – ADyson May 04 '20 at 22:47
  • @JohnConde yes the field is meant to be an integer, but the problem lies with the validation. String inputs are to be rejected during the form validation. – IftekharAlam21 May 05 '20 at 06:55
  • @Phil it is used to prevent HTML injection. For example, if the user inputs Data wrapped in a bold tag, then after fetching it the Data gets bold. – IftekharAlam21 May 05 '20 at 06:58
  • @IftekharAlam21 your database doesn't care about HTML injection but your HTML document does so that is where you should use `htmlentities()`. See [this excellent answer](https://stackoverflow.com/a/38411974) – Phil May 05 '20 at 07:08

1 Answer

!is_numeric($_POST['year']) && !is_numeric($_POST['mileage'])

is the problem. You only show an error if both fields are non-numeric.

You could change the AND (&&) to an OR (||) so that either one being non-numeric would trigger the error.

But it might make more sense to check each one separately, and output a separate error message for each as well. It's not clear, logically, why you lumped them together like that. And the failure messages should build up cumulatively, rather than just one or the other, otherwise if the user makes more than one mistake, you'll only feed back one of them at a time and they'll have to keep re-submitting, which will be a frustrating experience.

So a better error handling routine might look more like this (I haven't formatted the messages except separating them with newlines, but you can add that, to suit yourself. You could even just build up a list of messages, and let the UI section handle the formatting - e.g. putting them into a <ul> or something):

$failure = "";

....

if (strlen($_POST['make']) < 1) {
    $failure .= "Make is required";
}
if (!is_numeric($_POST['year'])) { 
    $failure .= "<br/>Year must be numeric";
}
if (!is_numeric($_POST['mileage']) ) {
    $failure .= "<br/>Mileage must be numeric";
}

.....

if ( $failure == "" ) {
ADyson
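The following is an added example, not the asker's code and not ADyson's. It puts the answer's advice (check each field on its own and collect every failure before deciding) together with Phil's comment that escaping belongs at output rather than before the INSERT, and it swaps `is_numeric()` for `FILTER_VALIDATE_INT`, which rejects values such as `1e3` and `12.5` that `is_numeric()` accepts. It assumes the question's `autos` table with columns `make`, `year`, `mileage` and a `$pdo` connection provided by `pdo.php`; the function names `validateAuto`, `insertAuto` and `h`, the lower bound of 0 on mileage, and the sample submissions are choices made here.

```php
<?php
// Added example, not the question's or the answer's code. Each field is
// validated independently and all failures are collected; escaping happens
// once, when a string is written into HTML. Assumes the question's `autos`
// table (make, year, mileage) and a $pdo connection from pdo.php.
// validateAuto / insertAuto / h are names chosen for this example.

declare(strict_types=1);

/**
 * Validate one submission. Returns a list of error strings; an empty list
 * means every field passed. The checks are independent, so a user who gets
 * two fields wrong sees both messages at once instead of one per round trip.
 */
function validateAuto(array $post): array
{
    $errors = [];

    if (trim($post['make'] ?? '') === '') {
        $errors[] = 'Make is required';
    }

    // FILTER_VALIDATE_INT accepts only an optional sign followed by digits.
    // It rejects 'abc', '12abc', '1e3' and '12.5' (the last two pass
    // is_numeric()) and returns false on failure, so a legitimate 0 is fine.
    if (filter_var($post['year'] ?? '', FILTER_VALIDATE_INT) === false) {
        $errors[] = 'Year must be a whole number';
    }

    // Mileage additionally gets a lower bound of 0 (a choice made here).
    $mileageOpts = ['options' => ['min_range' => 0]];
    if (filter_var($post['mileage'] ?? '', FILTER_VALIDATE_INT, $mileageOpts) === false) {
        $errors[] = 'Mileage must be a whole number of 0 or more';
    }

    return $errors;
}

/**
 * Insert an already-validated row. The make is stored exactly as typed; the
 * two integers are bound as PDO::PARAM_INT, so the driver never has to guess
 * what to do with a non-numeric string.
 */
function insertAuto(PDO $pdo, array $post): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO autos (make, year, mileage) VALUES (:mk, :yr, :mi)'
    );
    $stmt->bindValue(':mk', $post['make'], PDO::PARAM_STR);
    $stmt->bindValue(':yr', (int) $post['year'], PDO::PARAM_INT);
    $stmt->bindValue(':mi', (int) $post['mileage'], PDO::PARAM_INT);
    $stmt->execute();
}

/** Escape for HTML at the output boundary only. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

if (PHP_SAPI === 'cli') {
    // Constructed submissions; run with `php thisfile.php`, no database needed.
    $samples = [
        ['make' => 'Toyota', 'year' => '2015', 'mileage' => '42000'], // no errors
        ['make' => 'Toyota', 'year' => 'abc',  'mileage' => '42000'], // year only
        ['make' => '',       'year' => '1e3',  'mileage' => '-5'],    // all three
    ];
    foreach ($samples as $i => $s) {
        echo "sample $i: " . json_encode(validateAuto($s)) . "\n";
    }
} else {
    require_once 'pdo.php';
    $errors  = [];
    $success = null;

    if ($_SERVER['REQUEST_METHOD'] === 'POST' && !isset($_POST['logout'])) {
        $errors = validateAuto($_POST);
        if ($errors === []) {
            insertAuto($pdo, $_POST);
            $success = 'Record inserted';
        }
    }

    foreach ($errors as $e) {
        echo '<p style="color: red;">' . h($e) . "</p>\n";
    }
    if ($success !== null) {
        echo '<p style="color: green;">' . h($success) . "</p>\n";
    }

    // Each stored value is escaped on the way out, so a make such as
    // <b>Data</b> is shown literally instead of being rendered as markup.
    echo "<ul>\n";
    foreach ($pdo->query('SELECT make, year, mileage FROM autos') as $row) {
        echo '<li>' . h((string) $row['year']) . ' ' . h($row['make'])
           . ' / ' . h((string) $row['mileage']) . "</li>\n";
    }
    echo "</ul>\n";
}
```

Run from the command line, the three constructed samples produce an empty list, a single year error, and three errors respectively, which is the cumulative behaviour the answer describes. Keeping the raw make in the database and escaping in `h()` means the listing renders correctly no matter which page later displays the row, and the `PDO::PARAM_INT` bindings make it explicit that only validated integers ever reach the `year` and `mileage` columns.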