Tutorial :server side validation


Hi I have created a reg.php. I need to include the server validation using php. I have written the code and dissabled the java script in my browser. But it is showing "you have successfully registered even if i dont give any field.this is my code

<?php  $hostname   =   "xxxx";  $username   =   "xxx";  $password   =   "xxx";  $dbName     =   "xxx";  $conn       =   mysql_connect($hostname,$username,$password) or die(mysql_error());  mysql_select_db($dbName);  if(isset($_POST["submit"]))  {  $username=$_POST['usr'];  $address1=$_POST['addr1'];   $address2=$_POST['addr2'];  $password=$_POST['pswd'];  $email=$_POST['email'];  $errormsg;  if($_POST['usr']=="")   {     $errormsg='enter the name S';  echo $errormsg;   }  elseif(trim($address1)=="")   {     $errormsg="entre the address1 S";    }   elseif(trim($address2)=="")   {     $errormsg="entre the address2 S";    }   elseif(trim($password)=="")   {     $errormsg="entre the password S";    }   elseif(trim($email)=="")  {     $errormessage="enter the email S";  }    mysql_query("INSERT INTO `xxx` ( `id` , `Name` , `Address1` , `Address2` , `password` , `email` )  VALUES (  '', '$username', '$address1', '$address2', '$password', '$email'  )")or die(mysql_error()); ;  echo "you have successfully registered ";  }  ?>    <html>    <head>    <script type="text/javascript">    function fun()    {          valid=true;            if(document.reg1.usr.value =="")            {                  alert("fill the name");                 valid=false;            }         if(document.reg1.addr1.value =="")            {                  alert("fill the address");                 valid=false;            }        if(document.reg1.addr2.value =="")            {                  alert("fill the address2");                 valid=false;            }       if(document.reg1.pswd.value =="")            {                  alert("fill the password");                 valid=false;            }       if(document.reg1.email.value =="")            {                  alert("fill the email id");                 valid=false;            }       return valid;     }        </script>  </head>  <body>      <form name="reg1" action="try.php"  method="post">          <table border="0" cellpadding="2" cellspacing="2" width="1000" align="centre">          <tr>          <th>Registration form</th></tr>            <tr><TD align="left">username<TD/>          <TD><input type="text" name= "usr"></TD></tr>          <tr>            <td align="left">address1<td/>          <td><input type="text" name="addr1"></td>          </tr>          <td align="left" width="15%">address2<td/>          <td><input type="text" name=addr2></td></tr>          <tr>          <td align="left">password<td/>          <td><input type="password" name="pswd"></td>          </tr>          <tr>          <td align="left">emailaddress<td/>          <td><input type="text" name="email"></td>          </tr>          <tr>          <tr><TD></TD>          <td><input type="submit" name="submit" value="submit" onclick="return fun();"></td></tr>          </table>      </form>      </body>  </html>  

can anyone help plz?????


First â€" be consistent with your variables. You can't seem to make up your mind between $errormsg and $errormessage.

Second â€" apply a little thought. if you have set an error message, then display it else make the SQL query.

Third â€" for heaven's sake, fix your huge SQL injection vulnerability.


You need to end the script if any oft the if conditions fail.

the way it is now will show an error, but continue to the query part.

you could put an else {} around the query part to solve this.


Your insert code runs regardless of if an error message is set. you can add

if (empty($errormessage)) {      mysql_query...      }  


Well, you have to put your

mysql_query("INSERT INTO `xxx` ( `id` , `Name` , `Address1` , `Address2` , `password`     ,`email` )  VALUES (  '', '$username', '$address1', '$address2', '$password', '$email'  )")or die(mysql_error()); ;  

in a else statement after the last elseif:

[...]  elseif(trim($email)=="")  {     $errormessage="enter the email S";  }  else  {      mysql_query("INSERT INTO `xxx` ( `id` , `Name` , `Address1` , `Address2` , `password` , `email` )      VALUES (      '', '$username', '$address1', '$address2', '$password', '$email'      )")or die(mysql_error()); ;      echo "you have successfully registered ";  }  


You need to separate everything after the validation if ends to a different part of the script.

if (empty($errormsg))   {      mysql_query("INSERT INTO `xxx` ( `id` , `Name` , `Address1` , `Address2` , `password` , `email` )      VALUES (      '', '$username', '$address1', '$address2', '$password', '$email'      )")or die(mysql_error()); ;      echo "you have successfully registered ";  }  

Other tips:

  • you should keep error messages in an array, and display them in a list
  • you could use a different scripts for success message

Note:If u also have question or solution just comment us below or mail us on toontricks1994@gmail.com
Next Post »