Database is updated before form data sanitation is complete

[Einston]

Hallo everyone.

Thanks for a great website. I have been trying for a few days to get a safe, working php form that saves input to mysql.

I have looked at several examples from different websites. 

The problem is that the form values are being stored to the database before the form validation process is complete.

I have tried wrapping the process.php code in a function and only calling the function after the validation code is done and implemented some checks in a desperate attempt to resolve the matter using some global variables and a function that checks if the validation has done their work. But even with all this.. the user input is written to the database before validation is complete.

for example.. if the user inputs his name with a preceding space, and submits the form, the preceding space ends up in the database. also a user can press the submit button multiple times and with every press, the information is stored to the database.. I imagine someone could write code to click that submit button millions of times until my server storage space runs out..

Any help would be much appreciated.

Thanks.

Einston

I only have two files.. currently: 1: index.php and 2: testreqfields.php

<html>    
    <head>    
    <title>Registration Form</title>    
    </head>    
    <body> 

		<?php
		$inputisgood = false;
		$nameisgood = false;
		$surnameisgood = false;
		$emailisgood = false;
		$passwordisgood = false;
		include "testreqfields.php";
		?>
	
        <link href = "registration.css" type = "text/css" rel = "stylesheet" />    
        <h2>Sign Up</h2>    
        <form name = "form1" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>" method = "post" enctype = "multipart/form-data" >   
            <div class = "container"> 	
                <div class = "form_group">    
                    <label>First Name:</label>    
                    <input type = "text" name = "name" value = "<?php echo $name;?>" required/> 
					<span class="error">* <?php echo $nameErr;?></span>
                </div>    
                <div class = "form_group">    
                    <label>Surname:</label>    
                    <input type = "text" name = "surname" value = "<?php echo $surname;?>" required/> 
					<span class="error">* <?php echo $surnameErr;?></span>
                </div>    
                <div class = "form_group">    
                    <label>Email:</label>    
                    <input type = "text" name = "email" value = "<?php echo $email;?>" required/> 
					<span class="error">* <?php echo $emailErr;?></span>
                </div>    
                <div class = "form_group">    
                    <label>Password:</label>    
                    <input type = "password" name = "pwd" value = "<?php echo $pwd;?>" required/> 
					<span class="error">* <?php echo $pwdErr;?></span>
                </div>
				<div class = "form_group">    
                    <label>Gender:</label>    
                    <input type="radio" name="gender" value="female">Female 
					<input type="radio" name="gender" value="female">Male
                </div>
       
                <input type = "submit" name = "enq_submit" value = "Submit" />   
				
            </div>    
        </form>    
    </body>    
</html>    

<?php

function test_input($data) {
  $data = trim($data);
  $data = stripslashes($data);
  $data = htmlspecialchars($data);
  return $data;
}

function sql_process() {
	
	//reset the global variable to be sure all code run again if there are errors in input. 
	global $inputisgood;
	$inputisgood = false;
	   //establish connection
	   $servername = "localhost";  
	   $config = parse_ini_file('../db_credentials/config.ini');
		
		//create the connection
       $conn = mysqli_connect ($servername, $config['username'], $config['password'], $config['dbname']);
	   
	   //check connection
	   if (!$conn){
        die('Could not connect: ' . mysqli_connect_error());
	   }
       $sql = mysqli_select_db ($conn, $config['dbname']) or die("unable to connect to database");
	
	//process
    if (isset($_POST['enq_submit'])){
        $reg_name = $_POST['name'];
        $reg_surname = $_POST['surname'];
        $reg_email = $_POST['email'];
        $reg_pwd = $_POST['pwd'];
		
		$sql = "INSERT INTO registration (reg_name, reg_surname, reg_email, reg_pwd)
                VALUES ('$reg_name', '$reg_surname', '$reg_email', '$reg_pwd')";
		echo("You have been signed up.");
		
		if (!mysqli_query($conn,$sql)){
            die('Error: ' . mysqli_error($conn));	
		}			
    } else {
        echo("Kindly use the form to sign up:");
    };
}


function ready_to_process () {
	
	global $nameisgood, $surnameisgood, $emailisgood, $passwordisgood, $inputisgood;
		
	if ($nameisgood) {
		echo ("##Name is good");
	}
	if ($surnameisgood) {
		echo ("##Surnameame is good");
	}
	if ($emailisgood) {
		echo ("##Email is good");
	}
	if ($passwordisgood) {
		echo ("##Password is good");
	}

	if ($nameisgood and $surnameisgood and $emailisgood and $passwordisgood) {
		echo ("##All input is good!");
		$inputisgood = true;
		$nameisgood = $surnameisgood = $emailisgood = $passwordisgood = false;
	}
}

// define variables and set to empty values
$nameErr = $surnameErr = $emailErr = $pwdErr  = "";
$name = $surname = $email = $pwd = "";

if ($_SERVER["REQUEST_METHOD"] == "POST") {
 
 if (empty($_POST["name"])) {
    $nameErr = "Name is required";
  } else {
    $name = test_input($_POST["name"]);
	if (!preg_match("/^[a-zA-Z ]*$/",$name)) {
      $nameErr = "Only letters and spaces allowed";
	} else {
	 $nameisgood = true;		
	}  
  }

  if (empty($_POST["surname"])) {
    $surnameErr = "Surname is required";
  } else {
    $surname = test_input($_POST["surname"]);
	if (!preg_match("/^[a-zA-Z ]*$/",$surname)) {
      $surnameErr = "Only letters and spaces allowed"; 
	} else {
	 $surnameisgood = true;
	}
  }

  if (empty($_POST["email"])) {
    $emailErr = "Email is required";
  } else {
    $email = test_input($_POST["email"]);
	if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
      $emailErr = "Invalid email format"; 
	} else {
	$emailisgood = true;
	}
  }

  if (empty($_POST["pwd"])) {
    $pwdErr = "Password is required";
  } else {
    $passwordisgood = true;
  }
  
  ready_to_process();
  if ($inputisgood) {
	  sql_process();
  }  

}
?>

 

 

 

[dsonesuk]

You are going through all the process of trimming, converting to encoded character  etc with test_input function(), then you use the untested post values to insert into database?

You have over complicated $inputisgood functionality, just set to true at beginning after if ($_SERVER["REQUEST_METHOD"] == "POST") {..} then as it goes through testing and there is a error reset it to false. As long as it passes all these validation processes it will remain true, so when it reaches if ($inputisgood) {....} it will then go ahead to add the values that have been tested and cleaned etc to insert into the database.

[Einston]

Hi.

Thanks for the reply.

So if I understand correctly.. I call the test_input() function and it checks and fixes input, and return the results. The results are then assigned to the variables  $name, $surname, $email, $pwd and then I call ready_to_process() and it does it's job, and set $inputisgood to true. Then I call sql_process() and use the original unchecked, unprocessed (original values that the user input on the form) values $_POST['name'], $_POST['surname'] etc.. to write to the database. In other words, I never updated the actual values in POST array?

Thanks a lot.