
I'm trying to validate a form I have on the server side using PHP. The PHP code itself doesn't show errors, but the form gets submitted regardless of its inputs. I will add below my PHP code for validation and the HTML code of the form that I wish to validate. Please keep in mind that I'm new to this, so you might see some newbie code and mistakes. Thank you for taking the time to check my question.

<?php
// define variables and set to empty values
$staffErr = $emailErr = $subjectErr = $problemErr = $descriptionErr= "";
$staffname = $email = $subject = $problem_type = $description = "";

// staff name validation:
if ($_SERVER["REQUEST_METHOD"] == "POST") {
  if (empty($_POST["staffname"])) {
    $staffErr = "Staff Name is required";
  } else {
    $staffname = test_input($_POST["staffname"]); // was $staff_name, so the preg_match below checked an empty $staffname

    // check if name only contains letters and whitespace
    if (!preg_match("/^[a-zA-Z-' ]*$/",$staffname)) {
      $staffErr = "Only letters and white space allowed";
    }
  }

  // email validation:
  if (empty($_POST["email"])) {
    $emailErr = "Email is required";
  } else {
    $email = test_input($_POST["email"]);

    // check if e-mail address is well-formed
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
      $emailErr = "Please enter a valid email.";
    }
  }

  // subject validation:
  if (empty($_POST["subject"])) {
    $subjectErr = "Subject is required";
  } else {
    $subject = test_input($_POST["subject"]);

    // check if subject only contains letters and whitespace
    if (!preg_match("/^[a-zA-Z-' ]*$/",$subject)) {
      $subjectErr = "Only letters and white space allowed"; // was $nameErr, which is never echoed
    }
  }
    
  // problem type validation:
  if (empty($_POST["problem_type"])) {
    $problemErr = "Problem type is required";
  } else {
    $problem_type = test_input($_POST["problem_type"]);
  }

  // description validation:

  if (empty($_POST["description"])) {
    $descriptionErr = "A Description is required";
  } else {
    $description = test_input($_POST["description"]);
  }
}

function test_input($data) {
  $data = trim($data);
  $data = stripslashes($data);
  $data = htmlspecialchars($data);
  return $data;
}
?>


<form  method="post" onsubmit=" return formSubmit(), test_input() " action="insert_logs.php">
  <div class="error1" id= "errorMsg">* Required Fields</div>
    <div class="error" id= "errorMsg1">*<?php echo $staffErr; ?></div>
    <div>
      <label for="staff_name"><b>Staff Name:</b></label> 
      <input  class="field" id="staff_name" name="staffname" onclick=" return staffValidation()" onchange=" return staffValidation()" type="text" placeholder="Staff Name" value="<?php echo $staffname;?>"  > 
    </div><br>
    <div class="error" id= "errorMsg2">*<?php echo $emailErr; ?></div>
     <div>
       <label for="email"><b>Email:</b></label> 
       <input class="field" id="email1" name="email" onclick=" return emailValidation()" onchange=" return emailValidation()" type="email" placeholder="staff@wearview.com" value="<?php echo $email;?>">  
      </div><br>
      <div class="error" id= "errorMsg3">*<?php echo $subjectErr; ?></div>
      <div>
        <label for="subject"><b>Subject:</b></label> 
        <input  class="field" name="subject" id="subject1" onclick=" return subjectValidation()" onchange=" return subjectValidation()" type="text" placeholder="Subject Title" value="<?php echo $subject;?>" > 
      </div><br>
      <div class="error" id= "errorMsg4">*<?php echo $problemErr; ?></div>
      <div>
        <select onclick=" return problemValidation()" onchange=" return problemValidation()" class="field4" name="problem_type" id="problemtypes">
          <option value="">Problem Type</option>
          <option value="Hardware">Hardware</option>
          <option value="Software">Software</option>
          <option value="Software&Hardware">Software & Hardware</option>
          <option value="Other">Other</option>
        </select>
      </div><br>
      <div class="error" id= "errorMsg5">*<?php echo $descriptionErr; ?></div>
       <div>
         <textarea class="field2" id="description1" name="description" onclick=" return descriptionValidation()" onchange=" return descriptionValidation()" placeholder="Description goes here" rows="15" cols="90"><?php echo $description;?></textarea>
       </div>          
       <div>
         <button class="field3 btn" type="submit">Submit</button>
         <input type="checkbox" id="notify" name="notify" value="">
         <label for="notify">Inform me by email when issue is resolved.</label> 
       </div>
     </form>

That's the form; thank you for taking the time to check them.

  • 3
    What have you tried to resolve the problem? Where are you stuck? As PHP runs server-side, it looks obvious to me that the form needs to be submitted – Nico Haase Mar 01 '22 at 11:52
  • 1
    Wherever you got the `test_input()` code from, get rid of it. This is a junk function which does nothing but damage your data. It seems to circulate in junk tutorials online somewhere. It frequently appears in samples here, and we always tell people it's not useful. – ADyson Mar 01 '22 at 11:54
  • 1
    It looks like you're trying to execute a PHP function, `test_input()`, as an `onsubmit` Javascript event handler. That will not work. – KIKO Software Mar 01 '22 at 11:55
  • 1
    `test_input` looks like an exceptionally naive attempt to do XSS and SQL Injection defences in one go and fails to do either of them usefully. – Quentin Mar 01 '22 at 11:56
  • 2
    Anyway PHP runs server-side, so yes your form will always be submitted. The validation will happen when the PHP code responds to the submission request, and then you'll see the results echo'd back as the output from the request. That's how you should expect it to work. If you, additionally, want client-side validation then you can use a combination of HTML5 validation markup and JavaScript to achieve that. – ADyson Mar 01 '22 at 11:56
  • 3
    (Note: don't replace the server-side validation with client-side... the client-side can only be an _additional_ functionality. Server-side validation is _always_ essential because any client-side code can easily be tampered with or bypassed by malicious users. In that sense, you have started your coding in exactly the right place, by implementing the server-side validation first. It looks like you've just had a bit of a misunderstanding about when PHP code is executed and how it's triggered. Simply submitting the form will post it back and trigger the PHP. `onsubmit` is for Javascript only.) – ADyson Mar 01 '22 at 11:57
  • @ADyson, yes, this is coming from a w3school tutorial. What would you suggest to use instead of `test_input` to check the inputs? You are correct about client side; I turned off the JS myself and realized that my PHP doesn't do its job. Previously, JS was the one stopping my submission. – Link Awakened Mar 01 '22 at 11:58
  • 1
    Your other validation code is already checking the inputs. test_input() doesn't do anything of value for "checking" input data. Learn what each of those functions within it is actually for by googling them. The only one I'd keep is htmlspecialchars, but you'd use that at **output** time, to encode any user-generated data you're going to echo into an HTML page (in order to prevent XSS injection attacks)...it's not an input filter. `trim` is entirely optional - you _could_ use that if you want to trim whitespace from input values, but it's certainly not essential for security or validation. – ADyson Mar 01 '22 at 11:59
  • By the way, what I am doing here is by no means meant to cover all security issues; it is merely meant to validate the form in its most basic way so that incorrect inputs do not go through. I know it's good practice to make it secure all at once, but I just take it step by step so I don't get overwhelmed. – Link Awakened Mar 01 '22 at 12:03
  • 3
    `w3school tutorial`...don't touch w3schools with a barge pole. It's a well-known cesspit of inaccurate, obsolete, badly maintained rubbish, often demonstrating poor practices, insecure code and out of date techniques, unfortunately. Some of it's ok, but it's very hit and miss, so on the whole I'd say stay away from it. – ADyson Mar 01 '22 at 12:03
  • 2
    `incorrect inputs`...well it's up to you to decide what's "correct" and "incorrect" as far as your application's business rules are concerned. Security is a separate thing, as I think you seem to have identified, but yes it's a good idea to incorporate it as much as you can from the start, then you don't have to go back over your code later. – ADyson Mar 01 '22 at 12:07
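Putting the comments' points together (the browser always submits; the server alone decides whether the insert happens; `htmlspecialchars` belongs at output time), here is an added example, not the poster's or the commenters' code, of the same form handled by a script that posts back to itself. Field names, option values and messages are the question's; handing off to `insert_logs.php` via `require` is an assumption.

```php
<?php
// Added example (not the poster's or the commenters' code) of the flow ADyson's
// comments describe: the form posts back to this script and the insert runs only when
// validate() returns no errors. Field names and messages are the question's; using
// insert_logs.php via require is an assumption.
function validate(array $post): array {
    $errors = [];
    $namePattern = "/^[a-zA-Z' -]+$/";   // letters, apostrophe, hyphen, space
    $staffname = trim($post['staffname'] ?? '');
    if ($staffname === '') {
        $errors['staffname'] = 'Staff Name is required';
    } elseif (!preg_match($namePattern, $staffname)) {
        $errors['staffname'] = 'Only letters and white space allowed';
    }
    $email = trim($post['email'] ?? '');
    if ($email === '') {
        $errors['email'] = 'Email is required';
    } elseif (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Please enter a valid email.';
    }
    $subject = trim($post['subject'] ?? '');
    if ($subject === '') {
        $errors['subject'] = 'Subject is required';
    } elseif (!preg_match($namePattern, $subject)) {
        $errors['subject'] = 'Only letters and white space allowed';
    }
    // The <select> only offers these values; anything else came from a tampered request.
    $types = ['Hardware', 'Software', 'Software&Hardware', 'Other'];
    if (!in_array($post['problem_type'] ?? '', $types, true)) {
        $errors['problem_type'] = 'Problem type is required';
    }
    if (trim($post['description'] ?? '') === '') {
        $errors['description'] = 'A Description is required';
    }
    return $errors;
}
// htmlspecialchars belongs at output time, when user data is echoed into the page.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
$errors = [];
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = validate($_POST);
    if ($errors === []) {
        require 'insert_logs.php';   // assumed: the insert uses the validated $_POST
        exit;
    }
}
// GET, or POST with errors: render the form with messages and re-filled values, e.g.
// <input name="email" value="<?= h($_POST['email'] ?? '') ?>"> <?= h($errors['email'] ?? '') ?>
```

Because `validate()` takes the POST array as a parameter, it can be exercised in a plain test with a constructed array before any browser is involved.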

0 Answers