Advice for sending data into db with form

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

rebeldeveloper'
Forum Newbie
Posts: 2
Joined: Thu Jul 09, 2015 4:36 pm

Advice for sending data into db with form

Post by rebeldeveloper' »

Hi Everybody,

I am a PHP/MySQL newbie and I am trying to create a form to send data into a DB. Here are the conditions I want to meet:
1. Data should go to the DB only when all fields are filled.
2. Prevent the script from running when the conditions are met.

Here is my code:

Code:

<form method="POST" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>">

    <label>Firstname : </label>
    <input type="text" name="fname" id="fname" placeholder="enter your firstname"
           value="<?php if (isset($_POST["fname"])) { echo $_POST["fname"]; } ?>" />
    <span class="error">* <?php echo $fnameError; ?></span>
    <br><br>

    <label>Surname : </label>
    <input type="text" name="surname" id="surname" placeholder="Enter your surname"
           value="<?php if (isset($_POST["surname"])) { echo $_POST["surname"]; } ?>" />
    <span class="error">* <?php echo $surnameError; ?></span>
    <br><br>
    <input type="submit" value="submit" name="submit" id="submit" />
</form>

PHP PART

<?php
$first_name = $sur_name = "";
$fnameError = $surnameError = "";

if ($_SERVER["REQUEST_METHOD"] == "POST") {

    function clean_input_provide($value) {
        $value = trim($value);
        $value = htmlspecialchars($value);
        $value = stripslashes($value);
        return $value;
    }

    if (empty($_POST["fname"])) {
        $fnameError = "Please enter your first name";
    } else {
        $first_name = clean_input_provide($_POST["fname"]);
        if (!preg_match("/^[a-zA-Z ]*$/", $first_name)) {
            $fnameError = "Only letters and white space allowed";
        }
    }

    if (empty($_POST["surname"])) {
        $surnameError = "Please enter your surname";
    } else {
        $sur_name = clean_input_provide($_POST["surname"]);
        if (!preg_match("/^[a-zA-Z ]*$/", $sur_name)) {
            $surnameError = "Only letters and white space allowed";
        }
    }

    if (!empty($first_name && $sur_name && $password && $address)) {

        $sql = "INSERT INTO tbl_address_book (First_Name, Surname, Address, Password) VALUES ('$first_name', '$sur_name', '$address', '$password')";

        if (mysqli_query($db_connection, $sql)) {
            echo "Recorded added";
        } else {
            echo "No records";
        }
    }
}
?>
My problem is, I want to prevent the script from running when the preg_match condition is met.


Thanks
Christopher
Site Administrator
Posts: 13592
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: Advice for sending data into db with form

Post by Christopher »

You might want to research the Intercepting Filter pattern. A simple Filter Chain implementation would be a better solution for this kind of problem. If you use Composer, perhaps you can find a good implementation from a framework.
Celauran
Moderator
Posts: 6425
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: Advice for sending data into db with form

Post by Celauran »

Definitely look into prepared statements (or some DBAL that handles that for you) for the insert itself. Valitron is a decent package for quick and easy validation. One note: what if I have an apostrophe or hyphen in my name? Brenda O'Malley. Sean Teller-William. Perfectly valid names that would be disallowed by your current regex. Something to consider.
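An added example (not code from the thread or from either poster) that puts the two replies together: validation that stops short of the database when any field fails, a prepared statement instead of interpolating input into the SQL string, and a name pattern that accepts O'Malley and Teller-William. The table name and the `$db_connection` mysqli handle are assumed.

```php
<?php
// Added example (not the original poster's code): validate first, insert only
// when no field produced an error, and use a prepared statement for the insert.
// Assumes a MySQL table tbl_address_book(First_Name, Surname) and that
// $db_connection is an open mysqli handle created elsewhere.
function validate_name(string $raw, string $label): array
{
    // Returns [cleaned value, error message or null].
    $value = trim($raw);
    if ($value === '') {
        return ['', "Please enter your $label"];
    }
    // Letters in any script, spaces, apostrophes and hyphens: O'Malley, Teller-William.
    if (!preg_match("/^[\p{L} '-]+$/u", $value)) {
        return [$value, "Only letters, spaces, apostrophes and hyphens allowed in $label"];
    }
    return [$value, null];
}

function insert_person(mysqli $db_connection, string $first_name, string $sur_name): bool
{
    // Placeholders keep user input out of the SQL text; no manual quoting needed.
    $stmt = $db_connection->prepare(
        'INSERT INTO tbl_address_book (First_Name, Surname) VALUES (?, ?)'
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ss', $first_name, $sur_name);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

$errors = [];
$first_name = $sur_name = '';

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    [$first_name, $e] = validate_name($_POST['fname'] ?? '', 'first name');
    if ($e !== null) { $errors['fname'] = $e; }
    [$sur_name, $e] = validate_name($_POST['surname'] ?? '', 'surname');
    if ($e !== null) { $errors['surname'] = $e; }

    // The gate the original code lacked: the insert runs only when every field
    // validated; an error in any field stops the script short of the database.
    if ($errors === []) {
        echo insert_person($db_connection, $first_name, $sur_name) ? 'Record added' : 'No records';
    }
}
// When redisplaying the form, escape on output instead of on input:
// value="<?= htmlspecialchars($first_name, ENT_QUOTES, 'UTF-8') ?>"
```

Storing the raw (validated) value and calling htmlspecialchars only when printing keeps the database contents usable elsewhere, which the original clean_input_provide() did not.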