Disallow empty form

Posted: Wed Oct 26, 2005 4:07 am
by hezry79
Jcart | Please use code tags where appropriate when posting code. Read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171)


I found out that my small web application allows empty fields when adding a new user from Admin.... How do I disallow this based on my code below? Thanks.
************user_add.php***********************

Code:

<?php include('authenticate.php'); ?>
<html>
	<head>
		<title>Administrator - Add User</title>
	</head>

	<body>
	<table width="780">
		<tr>
		<td width="20%" valign="top"><?php include('leftbar.php'); ?></td>
		<td width="80%" align="center" valign="top">
		<font>Add User</font>
		<form name="UserAdd" action="user_add_response.php" method="post">
			<table>
				<tr>
					<td>Username:</td>
					<td><input type="text" name="User" size="30" maxlength="50"></td>
				</tr>
				<tr>
					<td>Password:</td>
					<td><input type="password" name="Pass" size="30" maxlength="50"></td>
				</tr>
				<tr>
					<td>Name:</td>
					<td><input type="text" name="Name" size="30" maxlength="50"></td>
				</tr>
				<tr>
					<td>Access Level:</td>
					<td><input type="text" name="Level" size="10" maxlength="3"></td>
				</tr>
				<tr>
					<td><input type="submit" value="Add"></td>
					<td><input type="reset" value="Clear"></td>
				</tr>
			</table>
		</form>
		</td>
		</tr>
	</table>
	</body>
</html>
*************************user_add_response.php*******************************

Code:

<?php
    include('connection.php');   // sets up the $db MySQL link

    $Username = $_REQUEST['User'];
    $Password = $_REQUEST['Pass'];
    $Name     = $_REQUEST['Name'];
    $Level    = $_REQUEST['Level'];

    // Escape user input before placing it in SQL; otherwise a crafted
    // username can change the query (SQL injection)
    $Username = mysql_real_escape_string($Username, $db);
    $Name     = mysql_real_escape_string($Name, $db);
    $Level    = mysql_real_escape_string($Level, $db);

    $sql     = "select * from TBLLogin where LoginUsername = '$Username'";
    $result  = mysql_query($sql, $db);
    $num_row = mysql_num_rows($result);

    if ($num_row > 0)
    {
        echo "
            <script type='text/javascript'>
                alert('Username exists!!');
                document.location='user_add.php';
            </script>
        ";
    }
    else
    {
        // md5 without a salt is a weak password hash
        $Password = md5($Password);
        $sqlInsert = "insert into TBLLogin (LoginUsername, LoginPassword, LoginClass, Name, LoginStatus) values ('$Username', '$Password', '$Level', '$Name', '2')";
        $resultInsert = mysql_query($sqlInsert, $db);

        if ($resultInsert)
        {
            echo "
                <script type='text/javascript'>
                    alert('Record added successfully!!');
                    document.location='user_add.php';
                </script>
            ";
        }
        else
        {
            echo "
                <script type='text/javascript'>
                    alert('Adding record failed!!');
                    document.location='user_add.php';
                </script>
            ";
        }
    }
?>

Posted: Wed Oct 26, 2005 4:14 am
by mickd
Use

Code:

// Stop processing when the named field is missing or blank
if (empty($_POST['field'])) {
    die();
}

Posted: Wed Oct 26, 2005 4:23 am
by hezry79
On which page am I supposed to add the code, and on which line?

Posted: Wed Oct 26, 2005 5:32 am
by n00b Saibot
Please use PHP tags when posting code!

Your answer: add this in user_add_response.php after the include line...

Code:

// Any one missing field is enough to reject the request
if (empty($_POST['User']) || empty($_POST['Pass']) || empty($_POST['Name']) || empty($_POST['Level'])) {
    die('All fields are required');
}

And really, you shouldn't use REQUEST; it's an open invitation to hack...

Posted: Wed Oct 26, 2005 10:00 am
by hezry79
Sorry about that... my mistake.

Posted: Wed Oct 26, 2005 10:12 am
by hezry79
What is the secure method to replace the request?

Posted: Wed Oct 26, 2005 10:47 am
by Jenk
$_POST is more secure, as you are limiting its source to just post and not get, post, or cookie.

You could also just use:

Code:

<?php

// Reject the request if any posted value is the empty string
if (in_array('', $_POST)) {
    die("Please complete all fields");
}

?>

Providing you don't have any fields named which will never have a value, such as the submit button (as long as you don't give the submit button a name, you are OK).

And you can also use JavaScript to validate client side, before you validate server-side, which 9/10 will reduce bandwidth usage for failed validation.
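As an added example (not code from the thread or any of its posters): a required-field check for user_add_response.php that reads $_POST only, rejects whitespace-only values, and avoids the empty() pitfall that the string "0" counts as empty, which matters for the Level field. The field names are the form's own; the digits-only, three-character rule for Level is an assumption based on the form's maxlength=3.

```php
<?php
// Added example (not from the thread): server-side required-field check for
// user_add_response.php. Reads $_POST only, rejects whitespace-only input, and
// does not rely on empty(), which treats the string "0" as empty.

// Returns the names of the required fields that are missing or blank, so the
// caller can report all of them at once instead of die()-ing on the first.
function missingFields(array $post, array $required): array
{
    $missing = [];
    foreach ($required as $field) {
        $value = $post[$field] ?? null;
        // Arrays (name="Level[]") and other non-strings are not acceptable either
        if (!is_string($value) || trim($value) === '') {
            $missing[] = $field;
        }
    }
    return $missing;
}

// Access level: digits only, at most 3 characters (the form's maxlength=3).
// "0" passes here, whereas empty("0") would have rejected it. The 0..999
// range is an assumption; the thread does not say which levels exist.
function validLevel(string $level): bool
{
    return ctype_digit($level) && strlen($level) <= 3;
}

// Usage in user_add_response.php, right after include('connection.php'):
$required = ['User', 'Pass', 'Name', 'Level'];
$missing  = missingFields($_POST, $required);
if ($missing !== []) {
    // htmlspecialchars() because the field names are echoed back into HTML
    die('Please fill in: ' . htmlspecialchars(implode(', ', $missing)));
}
if (!validLevel(trim($_POST['Level']))) {
    die('Access level must be a number of at most 3 digits');
}
// Continue with the duplicate-username lookup and the INSERT, using the
// trim()-ed values and escaped or parameterised queries.
```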

Posted: Wed Oct 26, 2005 7:28 pm
by hezry79
Thank you.