php data validation submitting bad data

0
votes

I currently have my code working to some state.

When the user inputs data name, email and company they submit the form and it will echo the inputs out which is fine, but when I enter invalid data into the form and submit it will still post but displays the else statement.

Have I missed something in my Preg_match or is this just a bad way to code the validation? 

 <!DOCTYPE html>
    <html>
    <head>
      <title>Visitor Sign in</title>
      <meta charset="utf-8" />
      <link rel="stylesheet" type="text/css" href="visitor.css"/>
      <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no" />

      <script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.1/jquery.min.js" type="text/javascript"></script>

    </head>

    <body>

    <div id="wrapper">
        <img src="Wincanton.png" alt="wincantonLogo" class="wincantonLogo" />
        <img src="Screwfix.png" alt="screwfixLogo" class="screwfixLogo" />
        <div style="clear:both"></div><br>

    <?php
    // define variables and set to empty values
    $nameErr = $emailErr = $companyErr = "";
    $fullname = $email = $company = "";

    if ($_SERVER["REQUEST_METHOD"] == "POST") {
      if (empty($_POST["fullname"])) {
        $nameErr = "Name is required";
      } else {
        $fullname = test_input($_POST["fullname"]);
        // check if name only contains letters and whitespace
        if (!preg_match("/^[a-zA-Z ]*$/",$fullname)) {
          $nameErr = "Only letters and white space allowed"; 
        }
      }

      if (empty($_POST["email"])) {
        $emailErr = "Email is required";
      } else {
        $email = test_input($_POST["email"]);
        // check if e-mail address is well-formed
        if (!preg_match("/^\w+([\.-]?\w+)*@\w+([\.-]?\w+)*(\.\w{2,3})+$/",$email)) {
          $emailErr = "Invalid email format";
        }
      }

      if (empty($_POST["company"])) {
        $companyErr = "Name is required";
      } else {
        $company = test_input($_POST["company"]);
        // check if name only contains letters and whitespace
        if (!preg_match("/^[a-zA-Z ]*$/",$company)) {
          $companyErr = "Only letters and white space allowed"; 
        }
      }
    }
    function test_input($data) {
      $data = trim($data);
      $data = stripslashes($data);
      $data = htmlspecialchars($data);
      return $data;
    }

    ?>


    <h1>Visitor Sign in</h1><br>

    <form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">  
      Name: <input type="text" name="fullname" >
      <span class="error">* <?php echo $nameErr;?></span>
      <br><br>
      E-mail: <input type="text" name="email">
      <span class="error">* <?php echo $emailErr;?></span>
      <br><br>
      Company: <input type="text" name="company">
      <span class="error"><?php echo $companyErr;?></span>
      <br><br>
      <br><br>
      <input type="submit" name="submit" value="Submit">  
    </form>


    <?php

    echo "<h2>Your Input:</h2>";
    echo $fullname;
    echo "<br>";
    echo $email;
    echo "<br>";
    echo $company;
    echo "<br>";

    ?>


    </body>
    </html>
1
phphtmlvalidation
'Have i missed something in my Preg_match or is this just a bad way to code the validation.' - Well, that depends on what you want to allow, one thing I noticed is that you don't allows dashes for names which might be problematic. - Script47
Welcome. "it will still post but displays the else statement." What else statement are we talking about here? Also, you're setting your errors ($companyErr etc) but not doing anything with them but display in your form. - brombeer
What is your expected behaviour? You say "it will still post", do you expect it not to? You would need some client-side validation in that case. But as you are implementing server side validation, you have to allow the POST to get the data into PHP, where you can validate it. You are already writing the error messages, maybe all you need to do is put the last part where you echo the data inside an if (empty($nameErr) && empty($emailErr) ...) - Karsten Koop
Sorry for the bad communication, Realistically i would like it so when the user tries to submit data which is invalid it checks it before it displays the output as trying to prevent sql injection. Sorry if i haven't put the correct information across i'm literally a newbie to coding and have self taught myself - James24

1 Answers

0
votes

try if isset condition.

if(isset($_POST['submit'])){
}