Sanitize dropdown

Hi, I need help with my code.

if(isset($_POST['save'])){
        if (ctype_alpha(str_replace(' ', '', $_POST['fn'])) === false) {
            $fn_error = "* Enter a valid name";
            
        } if (ctype_alpha(str_replace(' ', '', $_POST['ln'])) === false) {
            $ln_error = "* Enter a valid name";
            
        } if (!preg_match('/^\+@wmsu\.edu\.ph$/i', $_POST['email'])) {
            $email_error = "* Enter a valid email";
            
        } if( $_POST['rank'] == "None" ) {
            $rank_error = "* Please select an Academic Rank";

        } if( $_POST['department'] == "None" ) {
            $department_error = "* Please select a Deparment";
            
        }else{
            $firstname = htmlentities($_POST['fn']);
            $lastname = htmlentities($_POST['ln']);
            $email = htmlentities($_POST['email']);
            $status = 'Inactive';
            if(isset($_POST['status'])){
                $status = $_POST['status'];
            }
            $faculty = array(
                "firstname" => $firstname,
                "lastname" => $lastname,
                "email" => $email,
                "academic_rank" => $_POST['rank'],
                "department" => $_POST['department'],
                "admission_role" => $_POST['role'],
                "status" => $status
            );
            array_push($_SESSION['faculty'], $faculty);
            //redirect user to faculty page after saving
            header('location: faculty.php');
        }
    }

It works well but in the second dropdown which is the DEPARTMENT it has a bug like even tho I input a wrong input on the name or email but if I select an input in the department dropdown it will automatically save even tho it did not pass the sanitize. What did I miss on my code? thank you

Aside from anything else, it was mentioned in your earlier post that you should not be using htmlentities.

Solved it already, thank you. We can’t change about the htmlentities as the prof is the one who coded it. We can’t change anything.

All of these if should be else if. Right now, the only error which will prevent continuation is department. The only if should be the first one.

        if (ctype_alpha(str_replace(' ', '', $_POST['fn'])) === false) {
            $fn_error = "* Enter a valid name";
            
        } else if (ctype_alpha(str_replace(' ', '', $_POST['ln'])) === false) {
            $ln_error = "* Enter a valid name";
            
        } else if (!preg_match('/^\+@wmsu\.edu\.ph$/i', $_POST['email'])) {
            $email_error = "* Enter a valid email";
            
        } else if( $_POST['rank'] == "None" ) {
            $rank_error = "* Please select an Academic Rank";

        } else if( $_POST['department'] == "None" ) {
            $department_error = "* Please select a Deparment";
            
        } else{

how about for the error showing? If the code like this, the others will not show an error only the above.

Validating multiple inputs is not mutually exclusive. You would validate all the independent inputs all at once, by using an array to hold the validation errors, with the array index being the field name. After the end of all the validation logic, if the array holding the errors is empty, use the form data. To display the errors, you would either test, then loop over the array of errors at the appropriate location in the html document OR test if there’s an error for each field name and display it separately adjacent to the field when you re-display the form.

1 Like

Maybe you need a new prof! :lol:

1 Like

IMHO, setting multiple error variables is messy and doesn’t give you a simple pass/fail to continue with processing. If however you were to create an array $errors = array(); and set any error messages to this array you could simply check if this array is empty to continue with processing.

	if(empty($errors)){
		//processing
	}

Any error messages can be defined by the POST key to the error array. For example:

$errors['fn'] = "* Enter a valid name";

These errors could be used at Form level to display error message at the input.

if(!empty($errors['fn'])){
	echo $errors['fn'];
}

Using your example it might look like this.

if($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST['save'])){
	$errors = array();
	if(ctype_alpha(str_replace(' ', '', $_POST['fn'])) === false) {
		$errors['fn'] = "* Enter a valid name";
	} 
	if(ctype_alpha(str_replace(' ', '', $_POST['ln'])) === false) {
		$errors['ln'] = "* Enter a valid name";
	} 
	if(!preg_match('/^\+@wmsu\.edu\.ph$/i', $_POST['email'])) {
		$errors['email'] = "* Enter a valid email";
	} 
	if( $_POST['rank'] == "None" ) {
		$errors['rank'] = "* Please select an Academic Rank";
	} 
	if( $_POST['department'] == "None" ) {
		$errors['department'] = "* Please select a Deparment";
	}
	if(empty($errors)){
		//processing
	}
}

The use of ctype_alpha and str_replace is a flawed approach to validation. What if my last name is St’ John? Your code will tell me my last name is not valid.

Unfortunately, what is being “taught” by professors is usually wrong or way outdated. You would do much better to learn on your own.

2 Likes

To validate a choice from a drop-down list, what I would do is have a pre-set array of valid values, then check if the value posted is in the array. This will give you very robust validation, to the point that sanitization isn’t an issue. “None” may be the only invalid response in your list, but by no means the only invalid value that could be received.
This also begs the question: if “None” isn’t a valid value, why is it even in the list?

But the cause of the issue is as mentioned, how you are recording errors. You have a bunch of error messages in different variables, all of which will have to be tested for. Better to collect them all into one array, then check it it’s empty at the end.

Learn on your own, but give the professors what they want if you want to pass the class. :shifty:

2 Likes