Validate Input Forms Using PHP
Hey,
I have recently learned PHP and MySQL and have written a series of scripts, many of which require form input. However, I haven't been validating the input data. Basically all I want to do is to check if the variables $title and $author are empty. My current code is:
```php
<?php
// Note: the mysql_* functions used here belong to ext/mysql, which was removed in PHP 7.0.
$message = ""; // defined up front so the print at the bottom always has a value
$do = isset($_GET["do"]) ? $_GET["do"] : "";

switch ($do) {
    case "add":
        include("dbconnect.php");
        if (count($_POST) > 0) {
            // Escaped for use inside the SQL string, but not yet checked for empty values
            $title = mysql_real_escape_string(trim($_POST["title"]));
            $author = mysql_real_escape_string(trim($_POST["author"]));
            $sql = "INSERT INTO books(name, author) VALUES('$title', '$author')";
            $result = mysql_query($sql) or die(mysql_error());
            $message = "<p>Your Book Has Been Added</p>
                <br />
                <a href='index.php'>Go Back</a>
                ";
        }
        $title = "<h1>Add Book</h1>";
        $html = "<form action='index.php?do=add' method='post'>
            <p><strong>Book Title:</strong> <input type='text' name='title' /></p>
            <p><strong>Author Name:</strong> <input type='text' name='author' /></p>
            <p><input type='submit' value='Add Book' /></p>
            </form>";
        break;

    default:
        include("dbconnect.php");
        $title = "<h1>Books I Own</h1>";
        $html = "
            <a href='index.php?do=add'>Add Books</a> | <a href='index.php?do=delete'>Delete Books</a>
            <br />
            <br />
            <table border='1'>
            <tr><th>ID</th>
            <th>Book Name</th>
            <th>Author</th></tr>";
        $sql = "SELECT * FROM books";
        $result = mysql_query($sql) or die(mysql_error());
        while ($row = mysql_fetch_array($result)) {
            // HTML-encode stored values before printing them into the page
            $html .= "<tr><td>" . htmlspecialchars($row['id']) . "</td><td>" . htmlspecialchars($row['name']) . "</td><td>" . htmlspecialchars($row['author']) . "</td></tr>";
        }
        $html .= "</table>";
        break;
}
?>
<html>
<head><title>Books I Own</title></head>
<body>
<?php
print $title;
print $message;
print $html;
?>
</body>
</html>
```
You're probably thinking damn that's some crap code but hey I am new :)
like:
```php
    $message = "test";
} else {
    $sql = "INSERT INTO books(name, author) VALUES('$title', '$author')";
    $result = mysql_query($sql) or die(mysql_error());
    $message = "<p>Your Book Has Been Added</p>
        <br />
        <a href='index.php'>Go Back</a>
        ";
}
```
PHPDan wrote: Thanks guys I have now got it working :) Now I need some more challenges, anyone got any?
Do #3 on this page: http://www.hellboundhackers.org/challenges/other/index.php
PHPDan wrote: [quote]hellboundhackersok wrote: [quote]spyware wrote: [quote]hellboundhackersok wrote: Some code
Hiya. Coding standards would like to have a word with you.[/quote]
ahah I don't really want to clean my code =D
Dan: he was talking to me :angry:[/quote]
I know……..[/quote]
whoa I totally read what you typed wrong. whatever.
PHPDan wrote: Ha ha I'm just starting with PHP but I too thought his code was a bit messed up.
No offense, but that is a bit presumptuous of you. His code was incomplete for the exact need specified but, as it was, it would've solved your problem. Testing a string for != '' and testing a string with !empty() are synonymous when looking for empty strings. However, empty will also capture null values, which is essential for testing MySQL DB values for empty / null values.
Basically, it can be boiled down to this:
- != is fine for testing for '' only (an empty string).
- empty() is good for testing for both an empty string and a null value.
- isset() is meant to test the existence of a variable… if a value is not POSTed at all, it will fail this. If it is POSTed, it will possibly pass this; this is not a good way to test for empty POST values.
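An added example, not part of any post in this thread: one way to apply the three checks summarized above to the `title` and `author` fields of the form. The function name `validate_book_form()`, the 255-byte limit and the sample submissions are assumptions made for the illustration; it compares the trimmed value against `''` because PHP's `empty()` also treats the string "0" as empty.

```php
<?php
// Added example. Field names title/author come from the form in the thread;
// validate_book_form() and the 255-byte limit are assumptions.

function validate_book_form(array $post): array
{
    $clean  = [];
    $errors = [];
    foreach (['title', 'author'] as $field) {
        // isset() only says the key was sent; a request with title[]=x
        // delivers an array, so the type is checked as well.
        if (!isset($post[$field]) || !is_string($post[$field])) {
            $errors[$field] = 'missing or not a string';
            continue;
        }
        $value = trim($post[$field]);
        // Strict comparison with '' instead of empty(): empty('0') is true,
        // so a book titled "0" would be rejected by empty().
        if ($value === '') {
            $errors[$field] = 'required';
        } elseif (strlen($value) > 255) {
            $errors[$field] = 'too long';
        } else {
            $clean[$field] = $value;
        }
    }
    return [$clean, $errors];
}

// Constructed sample submissions (stand-ins for $_POST).
$samples = [
    'valid'           => ['title' => ' Dune ', 'author' => 'Frank Herbert'],
    'whitespace only' => ['title' => '   ', 'author' => 'Someone'],
    'field not sent'  => ['title' => 'Dune'],
    'array value'     => ['title' => ['x'], 'author' => 'Someone'],
    'title is "0"'    => ['title' => '0', 'author' => 'Someone'],
];

foreach ($samples as $label => $post) {
    [$clean, $errors] = validate_book_form($post);
    echo $label, ': ', $errors ? 'rejected ' . json_encode($errors)
                               : 'accepted ' . json_encode($clean), "\n";
}
```

Only the values returned in `$clean` should go on to the database step, and they still need escaping or a parameterized query there, since validation and SQL escaping solve different problems.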
Zephyr_Pure wrote: [quote]PHPDan wrote: Ha ha I'm just starting with PHP but I too thought his code was a bit messed up. No offense, but that is a bit presumptuous of you. His code was incomplete for the exact need specified but, as it was, it would've solved your problem. Testing a string for != '' and testing a string with !empty() are synonymous when looking for empty strings. However, empty will also capture null values, which is essential for testing MySQL DB values for empty / null values.
Basically, it can be boiled down to this:
- != is fine for testing for '' only (an empty string).
- empty() is good for testing for both an empty string and a null value.
- isset() is meant to test the existence of a variable… if a value is not POSTed at all, it will fail this. If it is POSTed, it will possibly pass this; this is not a good way to test for empty POST values.[/quote]
Thanks for the information. I am now planning my CMS.
Zephyr_Pure wrote: Testing a string for != '' and testing a string with !empty() are synonymous when looking for empty strings. However, empty will also capture null values, which is essential for testing MySQL DB values for empty / null values.
Basically, it can be boiled down to this:
- != is fine for testing for '' only (an empty string).
- empty() is good for testing for both an empty string and a null value.
- isset() is meant to test the existence of a variable… if a value is not POSTed at all, it will fail this. If it is POSTed, it will possibly pass this; this is not a good way to test for empty POST values.
This is some good stuff. Do you think there is any way that we can create a thread containing pointers for programming languages (maybe even 1 thread per language or a forum category) where people can post pointers and mistakes to avoid that would be too short for an article yet still helpful for novice programmers so that such advice doesn't get lost?
Pwnzall wrote: Do you think there is any way that we can create a thread containing pointers for programming languages (maybe even 1 thread per language or a forum category) where people can post pointers and mistakes to avoid that would be too short for an article yet still helpful for novice programmers so that such advice doesn't get lost?
I've already got a few ideas on something very much like this. Also, another HBH member brought up a different perspective that would yield similar results. So, ideally, something like this will be in the future. Near or far? Hard to say… there are a few more pressing items before that happens. For those of you that do have ideas like this (that would benefit the community as a whole), please feel free to PM me or point me to a thread where you initially proposed the idea. If my PM box is full, hold the idea and give me a shout so I can clean it out.
fashizzlepop wrote: …and to keep it spam free? Yah right. Not to mention flame free.
Won't happen. It's not like I can't delete such posts or anything. Mods and admins are freely able to do so. If an idea that could help the community as much as that one was put in place, I'm reasonably certain that it would warrant at least one more moderator. It would also encourage responsible behavior and a unified mindset in the community… both of which have been lacking for a good while now.
If you stay stuck on reasons that something can't be done, it won't be.
yours31f wrote: I like the idea. If I could get some help with moderation and such, I would be willing to change CTheCode.com up a little bit to support all languages.
No offense, but I believe the goal here is to have this be an addition to this site. That would also lend itself to moderation and community-based submissions, rather than content provided by your users. This would improve our community involvement and prevent this from becoming a conflict of interest, so to speak.