validating form data with php


Love2c0de

Hello, I am trying to validate my form using php and would like some advice as this is the first time I have attempted this.

 

I have a script which runs when the user clicks the submit button. What I am trying to do is validate the user input before inserting it into the database.

This is the script:

```php
<?php
session_start();

// Connect with the legacy mysql_* extension (removed in PHP 7).
$dbhandle = mysql_connect('localhost', 'root', '')
     or die("Unable to connect to MySQL");

$selected = mysql_select_db("commentdatabase", $dbhandle)
     or die("Could not select the database");

// Calling check_input() before its definition is fine in PHP: top-level
// function declarations are hoisted, so placement is not the problem.
$name = check_input($_POST['fname']);
$loc = check_input($_POST['loc']);
$com = check_input($_POST['com']);

function check_input($data)
{
    $data = trim($data);
    $data = stripslashes($data);
    // Converts < > & " to HTML entities; with PHP 5's default flags the
    // single quote ' is left untouched.
    $data = htmlspecialchars($data);
    return $data;
}

// The values are interpolated straight into the SQL string; nothing here
// escapes them for MySQL, which is what the replies below address.
$sql = "INSERT INTO userinfo (name, location, comment) VALUES ('{$name}','{$loc}','{$com}')";

if (!mysql_query($sql, $dbhandle)) {
     die('Error: ' . mysql_error());
}

header('Location: ../contact.php');

mysql_close();
?>
```

 

What's happening is that when it is submitted to the database, it is displaying < and > characters as &lt; and &gt;. Yet once being redirected with the header function the input is displayed with the < and > signs. I'm not sure if the function in the action script is in the wrong place or not. I have tried moving it around above and below the post variables.

 

Just looking for a bit of advice really.

 

Thank you,

 

Regards,

 

BuNgLe


View the source, see if the characters are &lt; and &gt;

The issue won't be with the placement of the function. As long as the database contains the converted special html characters the database data is safe.

You'll also want to convert your single and double quotes for safe database insertion as well, so you may want to add mysql_real_escape_string() to your check_input() function.


Yes, in the page source as you say it is displaying the &lt; and &gt;.

 

Thank you for explaining that to me.

 

regarding the mysql_real_escape_string(), would I add that just before the return statement?

 

regards,

 

BuNgLe

 


I added the mysql_real_escape_string() just above the return statement and below the htmlspecialchars() conversion. It converts double quotes but not single quotes. Without the mysql_real_escape_string() it returns a mysql error.

 

Regards,

 

BuNgLe


The mysql_real_escape_string() issue is that it doesn't have access to your db connection.

You could allow access to the db using global but most users here discourage the use of it.

You can go ahead and remove mysql_real_escape_string and replace:

$data = htmlspecialchars($data);

with:

$data = htmlspecialchars($data, ENT_QUOTES);

which will properly convert your single and double quotes.


Ah thank you very much indeed, this works perfectly. With the JavaScript validation, I created a string of special characters, then checked the input against those characters; if matched it would return invalid. I've just inputted some special characters with JavaScript disabled and they have been inserted without being converted to their correct code. Do I need to do the equivalent of the JavaScript code but with PHP code?

 

Kind regards,

 

LC
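A server-side version of the validation asked about in the last post, written as an added example rather than the thread's own script: it rejects bad input up front, keeps htmlspecialchars() with ENT_QUOTES for output as the previous reply recommends, and uses a mysqli prepared statement for the insert instead of the mysql_* functions, so the database-handle problem with mysql_real_escape_string() does not arise. The table name, columns and length limits are assumptions.

```php
<?php
// Added example, not the thread author's script. Assumes a MySQL table
// userinfo(name, location, comment) and a local mysqli test connection.
// Server-side counterpart of the JavaScript check: reject bad input instead
// of silently rewriting it. Field length limits are assumed values.
function validate_input(array $post): array
{
    $errors = [];
    foreach (['fname' => 50, 'loc' => 100, 'com' => 1000] as $field => $max) {
        $value = trim($post[$field] ?? '');
        if ($value === '') {
            $errors[$field] = 'required';
        } elseif (mb_strlen($value) > $max) {
            $errors[$field] = "longer than $max characters";
        }
    }
    return $errors;
}

// Escape for HTML when displaying, not before storing; ENT_QUOTES covers
// both ' and ", which is what the thread's fix relies on.
function html_out(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// SQL safety comes from the prepared statement, so no escaping function
// (and no database handle inside check_input) is needed.
function insert_comment(mysqli $db, string $name, string $loc, string $com): bool
{
    $stmt = $db->prepare('INSERT INTO userinfo (name, location, comment) VALUES (?, ?, ?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('sss', $name, $loc, $com);
    return $stmt->execute();
}

$errors = validate_input($_POST);
if ($errors) {
    foreach ($errors as $field => $msg) {
        echo html_out($field) . ': ' . html_out($msg) . "<br>\n";
    }
    exit;
}
$db = new mysqli('localhost', 'root', '', 'commentdatabase');
insert_comment($db, trim($_POST['fname']), trim($_POST['loc']), trim($_POST['com']))
    or die('Error: ' . $db->error);
header('Location: ../contact.php');
exit;
```

Stored values stay raw; run html_out() over them on the page that displays the comments, so the database no longer holds &lt; and &gt; and the output is still safe.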
