My database validation is working; the 'user' table is not updated if there is a registered user. However, the $error_message variable does not display the error message string. Here is the code:
HTML/PHP:
<?php
// Collect and validate user inputs
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    session_start();
    $forename = trim(filter_input(INPUT_POST, "user_forename", FILTER_SANITIZE_STRING));
    $surname  = trim(filter_input(INPUT_POST, "user_surname", FILTER_SANITIZE_STRING));
    $gender   = trim(filter_input(INPUT_POST, "user_gender", FILTER_SANITIZE_STRING));
    $email    = trim(filter_input(INPUT_POST, "user_email", FILTER_SANITIZE_EMAIL));
    $password = trim(filter_input(INPUT_POST, "user_password"));
    $city     = trim(filter_input(INPUT_POST, "user_city"));
    $team     = trim(filter_input(INPUT_POST, "user_team", FILTER_SANITIZE_STRING));
    $bio      = trim(filter_input(INPUT_POST, "user_bio", FILTER_SANITIZE_SPECIAL_CHARS));
    $human    = trim(filter_input(INPUT_POST, "user_human", FILTER_SANITIZE_STRING));

    $userexist = mysql_query("SELECT * FROM user WHERE u_email='$email'");

    if ($forename == "" || $surname == "" || $email == "" || $password == "" ||
        $city == "" || $team == "" || $bio == "" || $human == "") {
        $error_message = "Please fill in all form fields";
    }
    if (!isset($error_message) && !filter_var($email, FILTER_VALIDATE_EMAIL)) {
        $error_message = "$email is not a valid email address";
    }
    if (!isset($error_message) && (mysql_num_rows($userexist) > 0)) {
        $error_message = "$email is taken!";
    }
    if (!isset($error_message)) {
        $sql = $db->query("INSERT INTO user (u_forename, u_surname, u_gender, u_email, u_password, u_city, u_team, u_biography)
                           VALUES ('{$forename}', '{$surname}', '{$gender}', '{$email}', '{$password}', '{$city}', '{$team}', '{$bio}')");
        // header('Location: index.php');
    }
}
?>
<div class="wrapper">
    <h1>Register, it's free!</h1>
    <div>
        <?php
        if (isset($error_message)) {
            echo "<h2>" . $error_message . "</h2>";
        }
        ?>
    </div>
No error message is displayed after the form has been submitted. Moreover, I am not receiving any PHP errors, so I am not sure what the problem is.
Any suggestions would be great.
Thanks, James.
Please remember mysqli and SQL injection.
"This extension was deprecated in PHP 5.5.0, and removed in PHP 7.0.0. Instead, the MySQLi or PDO_MySQL extension should be used."
mysqli::real_escape_string
-- mysqli_real_escape_string — Escapes special characters in a string for use in an SQL statement, taking into account the current charset of the connection. Note: If no connection is open,
mysqli_real_escape_string()
will return an empty string! SQL injection is a technique where malicious users can inject SQL commands into an SQL statement, via web page input.
Injected SQL commands can alter the SQL statement and compromise the security of a web application.
<?php
/* Attempt MySQL server connection. Assuming you are running the MySQL
   server with its default setting (user 'root' with no password) */
$conn = mysqli_connect("localhost", "root", "", "demo");

// Check connection
if ($conn === false) {
    die("ERROR: Could not connect. " . mysqli_connect_error());
}

if (isset($_POST['user_forename']) && strlen(trim($_POST['user_forename'])) > 0) {
    $forename = trim($_POST['user_forename']);
} else {
    $error_message = "Please enter forename";
}
if (isset($_POST['user_surname']) && strlen(trim($_POST['user_surname'])) > 0) {
    $surname = trim($_POST['user_surname']);
} else {
    $error_message = "Please enter surname";
}
if (isset($_POST['user_gender']) && strlen(trim($_POST['user_gender'])) > 0) {
    $gender = trim($_POST['user_gender']);
} else {
    $error_message = "Please enter gender"; // if it is an input field
}
if (isset($_POST['user_email']) && strlen(trim($_POST['user_email'])) > 0) {
    if (filter_var(trim($_POST['user_email']), FILTER_VALIDATE_EMAIL)) {
        $email = trim($_POST['user_email']);
    } else {
        $error_message = "Please enter a valid email";
    }
} else {
    $error_message = "Please enter email";
}
if (isset($_POST['user_password']) && strlen(trim($_POST['user_password'])) > 0) {
    $password = trim($_POST['user_password']);
} else {
    $error_message = "Please enter password";
}
if (isset($_POST['user_city']) && strlen(trim($_POST['user_city'])) > 0) {
    $city = trim($_POST['user_city']);
} else {
    $error_message = "Please enter city";
}
if (isset($_POST['user_team']) && strlen(trim($_POST['user_team'])) > 0) {
    $team = trim($_POST['user_team']);
} else {
    $error_message = "Please enter team";
}
if (isset($_POST['user_bio']) && strlen(trim($_POST['user_bio'])) > 0) {
    $bio = trim($_POST['user_bio']);
} else {
    $error_message = "Please enter biography";
}

if (!isset($error_message)) {
    // Escape user inputs for security (only reached when every field is set)
    $forename = mysqli_real_escape_string($conn, $forename);
    $surname  = mysqli_real_escape_string($conn, $surname);
    $gender   = mysqli_real_escape_string($conn, $gender);
    $email    = mysqli_real_escape_string($conn, $email);
    $password = mysqli_real_escape_string($conn, $password);
    $city     = mysqli_real_escape_string($conn, $city);
    $team     = mysqli_real_escape_string($conn, $team);
    $bio      = mysqli_real_escape_string($conn, $bio);

    // Checking for an existing email
    if ($emailcheckquery = mysqli_query($conn, "SELECT * FROM user WHERE u_email='$email'")) {
        if (mysqli_num_rows($emailcheckquery) > 0) {
            $error_message = "Email taken!";
        }
    }
}

if (!isset($error_message)) {
    // Attempt insert query execution
    $insertsql = "INSERT INTO user (u_forename, u_surname, u_gender, u_email, u_password, u_city, u_team, u_biography)
                  VALUES ('$forename', '$surname', '$gender', '$email', '$password', '$city', '$team', '$bio')";
    if (mysqli_query($conn, $insertsql)) {
        echo "Records added successfully.";
    } else {
        echo "ERROR: Could not execute $insertsql. " . mysqli_error($conn);
    }
}

// Close connection
mysqli_close($conn);
?>
<div class="wrapper">
    <h1>Register, it's free!</h1>
    <div>
        <?php
        if (isset($error_message)) {
            echo "<h2>" . $error_message . "</h2>";
        }
        ?>
    </div>
</div>
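The answer above escapes each value with mysqli_real_escape_string() before concatenating it into the query string. Prepared statements remove the concatenation step entirely, so the database never parses user input as SQL, and they do not depend on an open connection or on the connection charset the way escaping does. The following is an added example, not code from the asker or the answerer: the same registration flow rewritten with mysqli prepared statements, all validation problems collected into one list instead of a single overwritten $error_message, the password stored as a password_hash() digest rather than plaintext (both snippets on the page insert the raw password), and every error string passed through htmlspecialchars() on output, since the asker's message "$email is not a valid email address" echoes submitted input straight into the page. It assumes a table named `user` with the column names used on the page; the connection credentials are placeholders.

```php
<?php
// Added example, not the asker's or answerer's code. Assumes a `user` table with the
// columns named on the page and PHP 7.4+ with mysqlnd (for get_result()).
declare(strict_types=1);

// Throw exceptions on SQL errors instead of returning false and failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/** Return every validation problem as a list of strings; an empty list means valid. */
function validate_registration(array $post): array
{
    $required = ['user_forename', 'user_surname', 'user_gender', 'user_email',
                 'user_password', 'user_city', 'user_team', 'user_bio', 'user_human'];
    $errors = [];
    foreach ($required as $field) {
        if (!isset($post[$field]) || trim((string) $post[$field]) === '') {
            $errors[] = "Please fill in $field";
        }
    }
    if (isset($post['user_email'])
        && filter_var(trim((string) $post['user_email']), FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Please enter a valid email address';
    }
    if (isset($post['user_password']) && strlen((string) $post['user_password']) < 8) {
        $errors[] = 'Password must be at least 8 characters';
    }
    return $errors;
}

/** True if a user with this e-mail exists. The value is bound as a parameter, never interpolated. */
function email_taken(mysqli $conn, string $email): bool
{
    $stmt = $conn->prepare('SELECT 1 FROM user WHERE u_email = ? LIMIT 1');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $found = $stmt->get_result()->fetch_row() !== null;
    $stmt->close();
    return $found;
}

/** Insert the user row; only a password_hash() digest of the password is stored. */
function register_user(mysqli $conn, array $post): void
{
    $forename = trim((string) $post['user_forename']);
    $surname  = trim((string) $post['user_surname']);
    $gender   = trim((string) $post['user_gender']);
    $email    = trim((string) $post['user_email']);
    $hash     = password_hash((string) $post['user_password'], PASSWORD_DEFAULT);
    $city     = trim((string) $post['user_city']);
    $team     = trim((string) $post['user_team']);
    $bio      = trim((string) $post['user_bio']);

    $stmt = $conn->prepare(
        'INSERT INTO user (u_forename, u_surname, u_gender, u_email, u_password, u_city, u_team, u_biography)
         VALUES (?, ?, ?, ?, ?, ?, ?, ?)'
    );
    // bind_param() takes its arguments by reference, hence the named variables above.
    $stmt->bind_param('ssssssss', $forename, $surname, $gender, $email, $hash, $city, $team, $bio);
    $stmt->execute();
    $stmt->close();
}

$errors = [];
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Placeholder credentials: use a dedicated, least-privilege DB account rather than root.
    $conn = new mysqli('localhost', 'app_user', 'CHANGE_ME', 'demo');
    $conn->set_charset('utf8mb4');

    $errors = validate_registration($_POST);
    if (!$errors && email_taken($conn, trim((string) $_POST['user_email']))) {
        $errors[] = 'That email address is already registered';
    }
    if (!$errors) {
        register_user($conn, $_POST);
        $conn->close();
        header('Location: index.php');
        exit;
    }
    $conn->close();
}
?>
<div class="wrapper">
    <h1>Register, it's free!</h1>
    <div>
        <?php foreach ($errors as $e): ?>
            <h2><?= htmlspecialchars($e, ENT_QUOTES, 'UTF-8') ?></h2>
        <?php endforeach; ?>
    </div>
</div>
```

With mysqli_report() set to throw, a failed prepare() or execute() surfaces as an exception in the log rather than the silent false that leaves "no error message and no PHP errors", which is the symptom the question describes. Login code that later checks the stored digest should use password_verify() against the u_password column.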