
The problem is: I'm trying to fix the sign-up validation, but the record is still saved in our database even if it's empty. Hopefully someone can provide explicit information as to where we went wrong in the code. Even if one of the input boxes is empty, it is still saved to our database table.

<!DOCTYPE html>
<html>
<head>
   <title>Sample Registration Form</title>
</head>
<body>

    <form action="submit.php" method="POST">
        <input type="text" name="userid" placeholder="USER ID"><br>
        <input type="text" name="firstname" placeholder="FIRST NAME"><br>
        <input type="text" name="lastname" placeholder="LAST NAME"><br>
        <input type="text" name="email" placeholder="EMAIL"><br>
        <input type="password" name="password" placeholder="PASSWORD"><br>
        <!-- type="submit" (the original had tabindex="submit", which is not a valid attribute value) -->
        <button type="submit" name="submit">Sign up</button>
    </form>

        <a href='login.php'><button type='submit' name='submit'>Proceed to Login</button></a>
</body>
</html>

The code above is the sign-up page.

<!DOCTYPE html>
<html>
<head>
   <title>Submit </title>
</head>
<body>
<?php

$dbservername = "localhost";
$dbusername = "root";
$dbpassword = "";
$dbname = "blogfinal";

$connect = mysqli_connect($dbservername, $dbusername, $dbpassword, $dbname);


if(isset($_POST['submit'])) {
    $userid = $_POST['userid'];
    $firstname = $_POST['firstname'];
    $lastname = $_POST['lastname'];
    $email = $_POST['email'];
    $password = $_POST['password'];
 
    $checker = array("userid", "firstname", "lastname", "email", "password");
    $Error = true;
    foreach ($checker as $values) {
        if(empty($_POST[$values])) {
           echo "Error";
           $Error = true;
        } else {
            $sql = "INSERT INTO userinformation 
                            (userid, firstname, lastname, email, password) 
                    VALUES ('$userid', '$firstname', '$lastname',
                             '$email', '$password');";
        }
        if(mysqli_query($connect, $sql)) {
            echo "Saved Successfully<br>";
            echo "<a href='login.php'><button type='submit' name='submit'>Proceed to Login</button></a>";
        } else {
            echo "Error Description: " . mysqli_error($connect);
        }
    }
}
?>
</body>
</html>

The code above is the submit function.

The problem is that when we hit sign-up, even if the input box is empty, it still goes through and is saved to our database, instead of reporting that a password, email, user ID or first name is required.


[If you leave it empty and proceed to submit, it shows "saved" even though there's no data in it.][1]


[The image after we hit the submit button.][2]


[Hence, if we insert at least one required value and proceed to submit, it is still saved to our database, instead of showing that the other data is required.][3]


  [1]: https://i.stack.imgur.com/gVc0i.png
  [2]: https://i.stack.imgur.com/Aizjl.png
  [3]: https://i.stack.imgur.com/A04c0.png
    Good code indentation would help us read the code and more importantly it will help **you debug your code** [Take a quick look at a coding standard](https://www.php-fig.org/psr/psr-12/) for your own benefit. You may be asked to amend this code in a few weeks/months and you will thank me in the end. – RiggsFolly Jun 02 '21 at 07:03
  • 2
    Your script is open to [SQL Injection Attack](http://stackoverflow.com/questions/60174). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187) You should always use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) in either the `MYSQLI_` or `PDO` APIs instead of concatenating user provided values into the query. Never trust ANY user input! – RiggsFolly Jun 02 '21 at 07:03
  • 4
    You are looping over all the parameter names defined in $checker - but then you make the insert query, as soon as you found that the _current_ field is not empty. Actually, you are making an insert query for each parameter, that was not empty - nonsense to begin with, you want to create _one_ record, and not five of them. The query needs to be made - or not made, in case of errors - _after_ you looped over all those parameters and checked them. – CBroe Jun 02 '21 at 07:06
  • To get errors out of PHP even in a LIVE environment add these 4 lines to the top of any `MYSQLI_` based script you want to debug `ini_set('display_errors', 1); ini_set('log_errors',1); error_reporting(E_ALL); mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);`. This will force any `MYSQLI_` errors to generate an Exception that you can see on the browser as well as normal PHP errors. – RiggsFolly Jun 02 '21 at 07:07
  • **Never store passwords in clear text or using MD5/SHA1!** Only store password hashes created using PHP's [`password_hash()`](https://php.net/manual/en/function.password-hash.php), which you can then verify using [`password_verify()`](https://php.net/manual/en/function.password-verify.php). Take a look at this post: [How to use password_hash](https://stackoverflow.com/q/30279321/1839439) and learn more about [bcrypt & password hashing in PHP](https://stackoverflow.com/a/6337021/1839439) – Dharman Jun 02 '21 at 10:11

1 Answer


The problem is that you're checking whether each value is empty with `if(empty($_POST[$values]))` inside a foreach loop. This `if` has an `else` that runs on every iteration where the current field is not empty.

So even if one of the fields is empty, the query will always execute if there's at least one field that is not empty.

You should change the logic so that if even just one field is empty, the query doesn't run.

Here's a quick fix:

$Error = false;
// Check that every field is filled in before running any query
foreach ($checker as $values) { 
    if(empty($_POST[$values])) {
        echo "Error";
        $Error = true; // If even just one field is empty, the $Error variable will be true
        break;
    } 
}
if(!$Error) { // Only insert when no field was empty
    // Placeholders are bare ? with no quotes around them, and there is no comma
    // between the table name and the column list
    $sql = 'INSERT INTO userinformation (userid, firstname, lastname, email, password) VALUES (?, ?, ?, ?, ?)';
    $stmt = $connect->prepare($sql);
    $stmt->bind_param('sssss', $userid, $firstname, $lastname, $email, $password);
    if($stmt->execute()) {
        // The rest of your query
    }
}

Furthermore, please refer to the comment by @RiggsFolly on your question, as your code has security issues connected to SQL injection.

    Little Note: There are those around that will downvote an answer if you leave the Bad Sql Injection code in it. If you convert it to a bound parameterised query you will be safer with this answer – RiggsFolly Jun 02 '21 at 07:41
  • Fatal error: Uncaught Error: Call to a member function bind_param() on bool in C:\xampp\htdocs\final prac\submit.php:37 Stack tra. This is what we got after submitting the complete data needed in the input boxes. I wonder what's wrong with the code we entered. The code we used is below: `if(!$Error) { $sql = 'INSERT INTO userinformation,(userid, firstname, lastname, email, password) VALUES ("?", "?", "?", "?", "?");'; $stmt = $connect->prepare($sql); $stmt->bind_param('s',$userid, $firstname, $lastname, $email, $password); if($stmt->execute()){} } }` – xcxx Jun 02 '21 at 14:23
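The validate-everything-then-insert logic from the answer, combined with the prepared-statement, error-reporting and password-hashing advice from the comments, as one complete submit.php. This is an added example, not code from the question or the answer. It assumes the same database credentials, database name, table and form field names as the question, and that the `userinformation.password` column is wide enough for a bcrypt hash (60 characters). The `validateSignup` and `insertUser` function names are this example's own.

```php
<?php
// Added example (not the original post's code): a hardened submit.php that
// validates every field before touching the database, inserts with a
// prepared statement, and stores only a password hash.
// Assumptions: MySQL on localhost as root with an empty password, database
// "blogfinal", table "userinformation", and the same five form field names.

declare(strict_types=1);

// Make mysqli throw exceptions instead of silently returning false. A typo in
// the SQL then surfaces as a visible error at prepare() time rather than as a
// later "Call to a member function bind_param() on bool".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

const REQUIRED_FIELDS = ['userid', 'firstname', 'lastname', 'email', 'password'];

/**
 * Return a list of human-readable validation errors; an empty list means the
 * submission is acceptable. Every field is checked first and the decision is
 * made afterwards, so one filled-in field cannot let the others through.
 */
function validateSignup(array $post): array
{
    $errors = [];
    foreach (REQUIRED_FIELDS as $field) {
        // trim() so that a field containing only spaces does not count as filled
        if (!isset($post[$field]) || trim((string) $post[$field]) === '') {
            $errors[] = "$field is required";
        }
    }
    if (!empty($post['email']) && filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }
    if (isset($post['password']) && strlen((string) $post['password']) < 8) {
        $errors[] = 'password must be at least 8 characters';
    }
    return $errors;
}

/**
 * Insert one user with a prepared, parameterised statement. Placeholders are
 * bare ? with no quotes: quoting them turns them into string literals, the
 * statement then has zero parameters, and bind_param() with five fails.
 */
function insertUser(mysqli $db, array $post): void
{
    $stmt = $db->prepare(
        'INSERT INTO userinformation (userid, firstname, lastname, email, password)
         VALUES (?, ?, ?, ?, ?)'
    );
    // Never store the clear-text password: password_hash() uses bcrypt with a
    // per-user salt, and password_verify() checks it at login time.
    $hash = password_hash((string) $post['password'], PASSWORD_DEFAULT);
    $stmt->bind_param(
        'sssss',
        $post['userid'],
        $post['firstname'],
        $post['lastname'],
        $post['email'],
        $hash
    );
    $stmt->execute();
    $stmt->close();
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['submit'])) {
    $errors = validateSignup($_POST);
    if ($errors !== []) {
        http_response_code(422);
        foreach ($errors as $e) {
            echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), "<br>\n";
        }
        exit;
    }

    $connect = new mysqli('localhost', 'root', '', 'blogfinal');
    try {
        insertUser($connect, $_POST);
        echo "Saved Successfully<br>\n";
        echo "<a href='login.php'>Proceed to Login</a>";
    } catch (mysqli_sql_exception $e) {
        // Log the detail server-side; do not echo mysqli_error() to the browser,
        // it leaks table names and SQL text to anyone who can trigger an error.
        error_log('signup insert failed: ' . $e->getMessage());
        http_response_code(500);
        echo 'Could not save your registration.';
    }
}
```

The two points that matter most for security are the ones the comments raised: the user-supplied values never touch the SQL text (they travel as bound parameters, so a value such as `' OR '1'='1` is stored as a plain string rather than interpreted), and the password column holds a bcrypt hash, so a database leak does not expose users' passwords. Returning a 422 with the list of missing fields, rather than running the insert, is what the original loop failed to do.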