How should I code my PHP 7 validation for my form

Here’s the code for my PHP form submitting the data to the database:

<?php
error_reporting(E_ALL);
ini_set('display_errors', 'true'); 
require 'connection.php';
$conn = Connect();

/* skip testing for the POST array for now */

/* Prepare an insert statement */
$query = "INSERT INTO tb_cform (u_name, u_email, subj, message) VALUES (?,?,?,?)";
$stmt = $conn->prepare($query);

$stmt->bind_param("ssss", $_POST['u_name'], $_POST['u_email'], $_POST['subj'], $_POST['message']);

/* Execute the statement */
$stmt->execute();

if ($stmt->affected_rows > 0) {
  echo "Thank You For Contacting Us <br>";
  printf("rows inserted: %d\n", $stmt->affected_rows);
} else {
  echo "Did not enter data";
}

/* close statement */
$stmt->close();

$conn->close();
?>

Basically I am very inexperienced with PHP and have no idea how to code it.
Any suggestions would be great.

You are using prepared statements to insert the user data, so that’s a good start.
But so far you have no validation (or sanitisation) to speak of.
To really advise on validation, we would need to know what you accept as valid.
For instance, which fields are mandatory and what input you are willing to accept for each field.
For email, it’s fair to assume you want a valid email address. That can be checked via the built-in validation filters. There are filters for other things, or you can create custom tests for specific needs.
For mandatory fields, it’s just a case of checking whether it is empty or not.


You don’t need to close the connection, since you will most likely reuse that connection anyway. It is not recommended to close your connection at the end of every database call; PHP does this for you automatically. Also, don’t compare affected_rows to 0 or 1, since it basically returns a 0 or 1 by default. It’s very similar to num_rows. Comparing it would be redundant, since PHP throws you a 0 (false) or 1 (true) by default. Comparing it like

if($stmt->affected_rows > 0)

Is the EXACT same thing as if you were to just do

if($stmt->affected_rows)

Please sanitize all your $_POST variables! PHP has a function called filter_var that has some awesome sanitization options for variables.

Also, @spaceshiptrooper, how do you know that affected_rows only returns a 0 or 1? It should return the number of rows affected by the executed query. That confused me.

Because the OP is inserting once, hence why it will be returning a 1 or a 0. If PHP executes at all, it will return the amount of rows that it inserted. However, inserting the same data more than once is also redundant, just like > 0 and < 1 is, and is mostly used by amateurs.


Yeah, it’s a contact form. Basically I have no idea how to write any kind of validation in PHP.

Well, you just have to check to make sure that the posted fields are the appropriate ones, such as making sure that the email field really is an email and making sure that the name field isn’t just all numbers, because a real person’s name shouldn’t be all numbers. Stuff like that. Also make sure that the fields haven’t been tampered with, such as someone using Inspect Element to change the email field to say a password field. This will throw you a PHP fatal error, since the original field that you will be looking for won’t exist if the user changes it. Most likely, the error will be an undefined index, since your original validation is for the email field, but it is not present in the $_POST array. So basically, make sure people don’t try and break your code.

Got any example code for PHP 7?

AFAIK there really aren’t many, if any, “one size fits all” examples. Most examples I’ve seen are for specific use cases.

The “tools” you use and the way you use them often need to be custom written depending on your use case.

The first step is to figure out both what is acceptable and what is not acceptable.

Things I usually consider are:

  • input presence
  • input length
  • mandatory characters
  • allowed optional characters
  • disallowed characters
  • mandatory character sequences
  • disallowed character sequences

etc.

Not all will apply to all user input, but you need to figure out as best as you can exactly what is OK and what is not OK for each input.

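
Pulling the advice in this thread together (the built-in email filter and empty checks from the first reply, filter_var, guarding against fields that were renamed or removed in Inspect Element, and the presence/length/character checklist above), here is an added example. It is not code from the original poster or from anyone else in the thread. It keeps the field names from the original INSERT (u_name, u_email, subj, message); the length limits, the “at least one letter” rule for the name and the single-line rule for the subject are assumptions that should be adjusted to the real tb_cform column sizes and requirements.

```php
<?php
// Added example, not the original poster's code. Validates the contact form
// fields used in the thread's INSERT. The limits and character rules below
// are assumptions: match them to the tb_cform column definitions.
declare(strict_types=1);

// Assumed maximum lengths in bytes (a MySQL VARCHAR(n) limit is in characters,
// so a byte limit of the same size is the conservative choice).
const FIELD_LIMITS = [
    'u_name'  => 100,
    'u_email' => 254,
    'subj'    => 200,
    'message' => 5000,
];

/**
 * Validate a submitted contact form.
 *
 * Returns ['errors' => [...], 'values' => [...]]. When 'errors' is empty,
 * 'values' holds trimmed, checked strings ready to bind with the prepared
 * statement. Nothing is HTML-escaped here: escape with htmlspecialchars()
 * at output time, not before storing.
 */
function validate_contact_form(array $post): array
{
    $errors = [];
    $values = [];

    foreach (FIELD_LIMITS as $field => $max) {
        // Presence: a key that was renamed or removed in the browser must not
        // cause an "undefined index" notice, so read it with ?? and a default.
        // Also reject non-strings (e.g. u_name[]=x), which is_string() catches.
        $raw = $post[$field] ?? null;
        if (!is_string($raw)) {
            $errors[$field] = 'missing or malformed field';
            continue;
        }
        $value = trim($raw);

        // Every field in this form is mandatory.
        if ($value === '') {
            $errors[$field] = 'required';
            continue;
        }

        // Length in bytes (assumed limit, see FIELD_LIMITS).
        if (strlen($value) > $max) {
            $errors[$field] = "longer than $max bytes";
            continue;
        }
        $values[$field] = $value;
    }

    // Field-specific rules, applied only to fields that passed the generic checks.

    // Email: the built-in validation filter mentioned in the thread.
    if (isset($values['u_email'])
        && filter_var($values['u_email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['u_email'] = 'not a valid email address';
    }

    if (isset($values['u_name'])) {
        // Disallowed characters: ASCII control characters never belong in a name.
        if (preg_match('/[\x00-\x1F\x7F]/', $values['u_name'])) {
            $errors['u_name'] = 'contains control characters';
        // Mandatory characters: at least one letter (any script), so a name
        // consisting only of digits is rejected.
        } elseif (!preg_match('/\p{L}/u', $values['u_name'])) {
            $errors['u_name'] = 'must contain at least one letter';
        }
    }

    // Subject: a single line (assumption), so no CR or LF is allowed.
    if (isset($values['subj']) && preg_match('/[\r\n]/', $values['subj'])) {
        $errors['subj'] = 'must be a single line';
    }

    // Hand back values only when the whole form validated.
    return ['errors' => $errors, 'values' => $errors ? [] : $values];
}

// Constructed sample submissions for a stand-alone run (not real data).
$samples = [
    'good' => ['u_name' => 'Ada Lovelace', 'u_email' => 'ada@example.com',
               'subj' => 'Hello', 'message' => 'Just saying hi.'],
    'bad'  => ['u_name' => '12345', 'u_email' => 'not-an-email',
               'subj' => "multi\nline"],   // 'message' deliberately missing
];

foreach ($samples as $label => $post) {
    $result = validate_contact_form($post);
    echo "$label: ", ($result['errors'] ? 'rejected' : 'accepted'), PHP_EOL;
    foreach ($result['errors'] as $field => $msg) {
        echo "  $field: $msg", PHP_EOL;
    }
}
```

In the original script this goes before the prepare/bind step: call validate_contact_form($_POST), show the errors and stop if the array is not empty, and otherwise bind $result['values']['u_name'] and the other three values instead of the raw $_POST entries. The length and character rules are where you encode what the thread calls “what is OK and what is not OK for each input”; the structure stays the same whichever rules you settle on.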

Well, I have no idea how to write it in code; I know next to nothing about PHP. So how the heck am I going to do this?

Research some PHP tutorials in general, then move on to form validation, and take it a step at a time. There’s an article here on SitePoint about form validation in PHP, and while it’s getting on a bit, it might give you some pointers.

Do you have experience in other programming languages, or are you new to programming in general, not just in PHP?

