Confused About PHP!?

  • Cerebral Believer

    Confused About PHP!?

    Hi folks,

    I am creating a site in FrontPage, and want to use PHP to validate a form I
    have created, however I would like the return of the user's input (which the
    user reviews to check for errors), to be in the same design or style which
    the rest of my site has been created in. I have found a script which does the
    basics of what I want, but it needs a lot of modifying, and I have a few
    questions. Here is the script:

    <?php
    /* Program name: checkRegInfo.php
     * Description: Program checks all the form fields for
     *              blank fields and incorrect format.
     */
    ?>
    <html>
    <head><title>Registration Validation</title></head>
    <body>
    <?php
    /* set up array of field labels */
    $label_array = array ( "first_name" => "First Name",
                           "middle_name" => "Middle Name",
                           "last_name" => "Last Name",
                           "phone" => "Phone");
    foreach ($_POST as $field => $value)
    {
      /* check each field except middle name for blank fields */
      if ( $value == "" )
      {
        if ($field != "middle_name")
        {
          $blank_array[$field] = "blank";
        }
      }
      elseif ($field == "first_name" or $field == "middle_name"
              or $field == "last_name" )
      {
        if (!ereg("^[A-Za-z' -]{1,50}$",$_POST[$field]) )
        {
          $bad_format[$field] = "bad";
        }
      }
      elseif ($field == "phone")
      {
        if(!ereg("^[0-9)( -]{7,20}(([xX]|(ext)|(ex))?[ -]?[0-9]{1,7})?$",$value))
        {
          $bad_format[$field] = "bad";
        }
      }
    }
    /* if any fields were not okay, display error message and form */
    if (@sizeof($blank_array) > 0 or @sizeof($bad_format) > 0)
    {
      if (@sizeof($blank_array) > 0)
      {
        /* display message for missing information */
        echo "<b>You didn't fill in one or more required fields. You must
              enter:</b><br>";
        /* display list of missing information */
        foreach($blank_array as $field => $value)
        {
          echo "&nbsp;&nbsp;&nbsp;{$label_array[$field]}<br>";
        }
      }
      if (@sizeof($bad_format) > 0)
      {
        /* display message for bad information */
        echo "<b>One or more fields have information that appears to be
              incorrect. Correct the format for:</b><br>";
        /* display list of bad information */
        foreach($bad_format as $field => $value)
        {
          echo "&nbsp;&nbsp;&nbsp;{$label_array[$field]}<br>";
        }
      }
      /* redisplay form */
      $first_name = $_POST['first_name'];
      $middle_name = $_POST['middle_name'];
      $last_name = $_POST['last_name'];
      $phone = $_POST['phone'];
      echo "<p><hr>
      <form action='checkRegInfo.php' method='POST'>
      <center>
      <table width='95%' border='0' cellspacing='0' cellpadding='2'>
      <tr><td align='right'><B>{$label_array['first_name']}:</B></td>
      <td><input type='text' name='first_name' size='65' maxlength='65'
      value='$first_name'></td>
      </tr>
      <tr><td align='right'><B>{$label_array['middle_name']}:</B></td>
      <td><input type='text' name='middle_name' size='65' maxlength='65'
      value='$middle_name'></td>
      </tr>
      <tr><td align='right'><B>{$label_array['last_name']}:</B></td>
      <td><input type='text' name='last_name' size='65' maxlength='65'
      value='$last_name'></td>
      </tr>
      <tr><td align='right'><B>{$label_array['phone']}:</B></td>
      <td><input type='text' name='phone' size='65' maxlength='65'
      value='$phone'></td>
      </tr>
      </table>
      <p><input type='submit' value='Submit name and phone number'>
      </form>
      </center>";
      exit();
    }
    echo "Welcome";
    ?>
    </body></html>

    (The code, with modifications, was from PHP & MySQL For Dummies - By Janet
    Valade)

    Can someone let me know if I am on the right track with these assumptions or
    answer any questions?

    1) I am assuming that because of the HTML tags, that this page is designed
    to return on a plain HTML page (without any site design features). Can I
    split up the code, and push it into the relevant areas so that the page
    returns within my design template?

    2) Concerning the initial array right after the <?php statement; this seems
    to be crafted by the author of the code, am I right to assume that I would
    have to change this "label_array" to represent the fields I have used on my
    form?

    3) Is this the type of form, where if a user input an error (characters not
    allowed by the ereg statement), will the program star "*" fields that are
    incorrectly filled or leave the user guessing?

    3a) How can the program be modified to star or otherwise indicate fields
    that need to be changed?

    4) Can anyone see any security issues in this form at present?

    5) I actually have one field "Username" where I will need to query my
    database, to ensure that the Username a user enters is not the same as one
    already in the database. I have read a little on MySQL injection, am I right
    in thinking that it is only where a form has to query a database, that a
    MySQL Injection attack can occur, or can they also occur when data is
    written to a database? Check out this article from PHP.NET:

    http://www.php.net/manual/en/functio...ape-string.php

    OK that's all I can think to ask for now, so if anyone can help a struggling
    newbie, blessings on you...

    Regards,
    C.B.


  • Daniel

    #2
    Re: Confused About PHP!?

    It looks like the script keeps track of and then displays the names of
    the fields that are incorrect above the form. If you want to put a "*"
    next to bad fields, then when it redisplays the form you will need to
    check the array of bad labels; if the label is in that array, display an
    * before the label. I'm unclear about what you mean by split the code
    up. If you mean that your input elements are in different places than
    this example script, then just cut and paste the input elements into
    their correct places. Yes, you would change the label array at the top
    of the code to fit your form, but you will also need to change the form
    that it redisplays to include all of your fields. I did not notice any
    extra security measures, but it does do a lot in the way of validation
    and restricting what characters can be used (I'm no expert but that
    should reduce your risk of SQL injection). If you're having trouble w/
    the PHP you can probably find JavaScript validators to do the same
    thing. If you try to add the validation to your page and then post the
    code if you have problems, I'm sure someone will be able to help you.

    Comment
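
An added sketch, not code from the original post or from the book it cites: it keeps the posted script's field rules, marks failing fields with "*" as the reply above describes, HTML-escapes submitted values before redisplaying them (the posted form prints `$_POST` values directly into single-quoted `value` attributes), and checks the username with a parameterised query. It uses `preg_match` because `ereg` was removed in PHP 7; the `username` field and its pattern, the `users` table, the in-memory SQLite stand-in and the function names are assumptions.

```php
<?php
// Added example. Name and phone rules follow the posted script; the username
// rule, the users table and all function names are assumptions.
const LABELS = [
    'first_name' => 'First Name', 'middle_name' => 'Middle Name',
    'last_name'  => 'Last Name',  'phone'       => 'Phone',
    'username'   => 'Username',
];
const NAME = "/^[A-Za-z' -]{1,50}$/D";
const PATTERNS = [
    'first_name' => NAME, 'middle_name' => NAME, 'last_name' => NAME,
    'phone'    => '/^[0-9)( -]{7,20}(([xX]|(ext)|(ex))?[ -]?[0-9]{1,7})?$/D',
    'username' => '/^[A-Za-z0-9_]{3,20}$/D',
];

// Walk the known field list rather than the keys that arrive in the request,
// so a field missing from the submission is reported and extras are ignored.
function validate(array $post): array
{
    $errors = [];
    foreach (LABELS as $field => $label) {
        $value = $post[$field] ?? '';
        if ($value === '') {
            if ($field !== 'middle_name') { $errors[$field] = 'blank'; }
        } elseif (!is_string($value) || !preg_match(PATTERNS[$field], $value)) {
            $errors[$field] = 'bad';
        }
    }
    return $errors;
}

// The value is bound as a parameter, never spliced into the SQL text.
// INSERT and UPDATE statements that write form data need the same treatment.
function username_taken(PDO $db, string $username): bool
{
    $stmt = $db->prepare('SELECT 1 FROM users WHERE username = ?');
    $stmt->execute([$username]);
    return $stmt->fetchColumn() !== false;
}

// One form row: "*" before a failing label, and the submitted value escaped
// so quotes or tags in it stay inside the value attribute.
function form_row(string $field, array $post, array $errors): string
{
    $mark  = isset($errors[$field]) ? '* ' : '';
    $raw   = $post[$field] ?? '';
    $value = htmlspecialchars(is_string($raw) ? $raw : '', ENT_QUOTES, 'UTF-8');
    return "<tr><td align='right'><b>{$mark}" . LABELS[$field] . ":</b></td>"
         . "<td><input type='text' name='{$field}' size='65' maxlength='65'"
         . " value='{$value}'></td></tr>\n";
}

// Constructed sample submission standing in for $_POST.
$post = ['first_name' => "D'Arcy <jr>", 'middle_name' => '',
         'last_name' => "O'Neil", 'phone' => '555', 'username' => 'cerebral'];
$db = new PDO('sqlite::memory:');   // stand-in for the site's MySQL database
$db->exec("CREATE TABLE users (username TEXT PRIMARY KEY)");
$db->exec("INSERT INTO users VALUES ('cerebral')");

$errors = validate($post);
if (!isset($errors['username']) && username_taken($db, $post['username'])) {
    $errors['username'] = 'taken';
}
foreach (array_keys(LABELS) as $field) { echo form_row($field, $post, $errors); }
```

Because each row is built by its own function, the rows can be printed inside whatever table or template the rest of the site uses.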

    • Cerebral Believer

      #3
      Re: Confused About PHP!?

      Daniel,

      Thanks for your reply. I think I understand most of what you have written.
      As for splitting the code up, well what I mean is my form is presented on an
      HTML page within a table, and I am curious to know whether PHP will realise
      what data to extract from the form when the user sends it. So really I want
      to present the form so that its design is consistent with the rest of my
      site, and also, if the form is redisplayed for any input errors to be
      corrected by the user, I would like the form to be displayed in like manner.

      Regards,
      C.B.

      >5) I actually have one field "Username" where I will need to query my
      >database, to ensure that the Username a user enters is not the same as one
      >already in the database. I have read a little on MySQL injection, am I right
      >in thinking that it is only where a form has to query a database, that a
      >MySQL Injection attack can occur, or can they also occur when data is
      >written to a database? Check out this article from PHP.NET:
      >
      >http://www.php.net/manual/en/functio...ape-string.php

      Comment
