
How to Secure and Handling variables

I've been working with a PHP site and below is the code for my index page. How can I check the data first before going to POST? Can I do it with JavaScript? If the textboxes are blank it will not POST and will just give a message. And how can I make it better and more secure? Anyone who could help me?

Ayn Interactive


<?php
session_start();

include("aynconfig.php");   // sets $hostname, $username, $password, $database

if (isset($_GET['action'])) {
    $action = $_GET['action'];
} else {
    $action = "Home";
}

switch ($action) {
case "Log":
    include("Header.php");
    if ($_POST['uname'] == "") {
        echo "Please indicate a username";
        echo "";   // the HTML markup in this echo did not survive extraction
    } else {
        $connect = mysql_connect($hostname, $username, $password) or die("Could not connect to mysql server");
        $uname = $_POST['uname'];
        $passw = $_POST['passw'];

        $dbname = mysql_select_db($database);
        // $uname and $passw are interpolated into the SQL unescaped;
        // the replies below are about fixing exactly this
        $query = "SELECT * FROM users where uname=\"$uname\" and passw=\"$passw\"";

        $result = mysql_query($query) or die("Query failed: " . mysql_error());

        if (mysql_num_rows($result) > 0) {
            echo "You are now Logged in";
            $_SESSION['name'] = $uname;   // the superglobal is $_SESSION, not $_session

            echo $_SESSION['name'];
        } else {
            echo "You are not a valid user!";
            unset($uname);
            unset($passw);
            //unset($admin);
            echo "";   // HTML markup stripped by extraction
            echo "";
        }

        mysql_free_result($result);
        mysql_close($connect);
    }
    break;

case "Home":
    if (isset($logged)) {
        // nothing is done here yet; $logged is never set in this file
    } else {
        include("Header.php");

        // the login form: the HTML markup inside these echo calls did not
        // survive extraction, only the visible labels remain
        echo "
";
        echo "Username 
";
        echo "Password 

";
        echo "  ";
    }

    break;

case "Comments":
    break;
}

bornok15
Junior Poster in Training
91 posts since Feb 2008
Reputation Points: 13
Solved Threads: 2
 

You can use Javascript to check if the text boxes actually have data, OR you can use PHP, OR you could use both.

My #1 rule when dealing with user input is that I always always always check that it is valid before I start doing anything with it.

So what I do when I want to check if a form has passed data is the following:

if(!isset($_POST['uname']) || $_POST['uname'] == '' || !isset($_POST['pword']) || $_POST['pword'] == ''){
     // do what I need to do to return to the form
}
JRSofty
Junior Poster in Training
69 posts since Dec 2007
Reputation Points: 16
Solved Threads: 10
 

Hi, first of all if you want to check the form before the POST has been made, you will have to do it on the client side, using javascript, or a flash app, anything that runs on the client side.

As for the server side, first verify if the POST is really there, using the isset function before you verify if the POST is empty, because if there is no POST, verifying if a non-existing index is empty will throw you an error. More, before adding the POST values to the database, you will need to escape the values: use the functions trim() and mysql_real_escape_string(). You can always do a double check on the data types you're getting before inserting the data into the database; this way you will guarantee that you're getting the type of values you really want.

You may want to get some information on XSS, SQL injection and other security measures to be taken so you can minimize the chances of being hacked.

miguelp
Newbie Poster
7 posts since Mar 2008
Reputation Points: 10
Solved Threads: 0
 

By the way, to check if the array value is empty or not you don't need to use $_POST['index'] == ""; use the empty() function. That will save you some processing cycles and increase your script's performance.

miguelp
Newbie Poster
7 posts since Mar 2008
Reputation Points: 10
Solved Threads: 0
 
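The server-side handling that JRSofty and miguelp describe (isset() before reading $_POST, reject blank values, never put raw input into SQL), written out as an added example; it is not code from this thread or from the original poster's site. It uses mysqli prepared statements and password_hash()/password_verify() instead of the mysql_* extension and mysql_real_escape_string() the replies mention (the mysql_* functions were removed in PHP 7). Assumptions: aynconfig.php sets $hostname, $username, $password and $database as in the original post; a users table has columns uname and passw_hash, where passw_hash was written by password_hash(); the mysqlnd driver is available for get_result().

```php
<?php
// Added example (not the thread's own code). Assumes aynconfig.php defines
// $hostname, $username, $password, $database, and that `users` has the
// columns `uname` and `passw_hash` (hypothetical column, produced by password_hash()).
session_start();
include("aynconfig.php");

// Step 1: check presence before touching the values. isset() runs first so a
// missing index never raises a notice; trim() catches whitespace-only input.
function validateLoginInput(array $post): array
{
    $errors = [];
    foreach (['uname', 'passw'] as $field) {
        if (!isset($post[$field]) || trim($post[$field]) === '') {
            $errors[] = "Please indicate a $field";
        }
    }
    return $errors;
}

// Step 2: look the user up with a prepared statement. The username travels as
// a bound parameter, so it can never change the shape of the SQL, which is
// what interpolating $uname into the query string in the original allowed.
function findUserByName(mysqli $db, string $uname): ?array
{
    $stmt = $db->prepare("SELECT uname, passw_hash FROM users WHERE uname = ?");
    $stmt->bind_param("s", $uname);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

$errors = validateLoginInput($_POST);
if ($errors) {
    foreach ($errors as $e) {
        echo htmlspecialchars($e), "<br>";   // escape anything echoed back
    }
    exit;
}

$uname = trim($_POST['uname']);
$passw = $_POST['passw'];   // the password itself is never trimmed or echoed

$db = new mysqli($hostname, $username, $password, $database);
if ($db->connect_error) {
    die("Could not connect to mysql server");
}

$user = findUserByName($db, $uname);

// Step 3: compare against the stored hash, not against a plaintext column.
if ($user !== null && password_verify($passw, $user['passw_hash'])) {
    session_regenerate_id(true);          // fresh session id once logged in
    $_SESSION['name'] = $user['uname'];   // $_SESSION, uppercase
    echo "You are now Logged in, ", htmlspecialchars($_SESSION['name']);
} else {
    // one message for both "no such user" and "wrong password"
    echo "You are not a valid user!";
}
$db->close();
```

With the query parameterized, the thread's escaping advice (trim() plus mysql_real_escape_string()) is no longer what keeps the SQL intact; the bind_param() call does that regardless of what the user typed, and trim() is kept only to reject whitespace-only usernames. The password is compared with password_verify() against a hash, so the database never has to hold or match the plaintext the original query compared.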

To do a simple form validation it's useful to use javascript:

[HTML form markup not preserved by extraction; the submit button was labelled "Trimite mesaj" ("Send message")]

// javascript function: returns false (and shows errorName) when the
// txtNume field is empty, true otherwise
function checkContactForm(form, errorName)
{
    var er = true;   // declared with var so it is not an implicit global
    if (form.txtNume.value == "")
    {
        alert(errorName);
        er = false;
    }
    return er;
}

it's just a part of the code ....

silviuks
Junior Poster in Training
96 posts since Apr 2006
Reputation Points: 10
Solved Threads: 15
 

Thanks guys. Is my code considered server-side scripting? How can I make it like client side? silviuks, I tried the code but I don't seem to understand how it works. Can you give me some other examples, just small ones like this? Thanks.

bornok15
Junior Poster in Training
91 posts since Feb 2008
Reputation Points: 13
Solved Threads: 2
 

Yes, PHP is a server-side scripting language of course. The validation can be client side using javascript. The example just shows that before you can process the POST, it must be true in the javascript function that handles the validation. If all comes neat, the process will enter the POST page, otherwise it will return false and will go back to the pre-POST stage. You can also validate using PHP, but I recommend validating on both sides.

ryan_vietnow
Posting Pro
578 posts since Aug 2007
Reputation Points: 28
Solved Threads: 71
 

I think I can do the server-side validation but I'm having problems with the client side using javascript. Can you give a simple way to do it? I don't know how to prevent POST if the variables are null.

Will this work?

bornok15
Junior Poster in Training
91 posts since Feb 2008
Reputation Points: 13
Solved Threads: 2
 

try to add this to your example:

<script>
function validatevar() {
    // the form is reached through document.form1, the name given below
    if (document.form1.logidvar.value == "") {
        alert("Textbox empty");
        return false;   // false from the handler cancels the submit
    }
    return true;
}
</script>

<form name="form1" action="index.php?log=1" method="post">
<input type="text" name="logidvar">
<input type="submit" value="test" onclick="return validatevar();">
</form>
ryan_vietnow
Posting Pro
578 posts since Aug 2007
Reputation Points: 28
Solved Threads: 71
 

Thanks.. ill try this one now..

bornok15
Junior Poster in Training
91 posts since Feb 2008
Reputation Points: 13
Solved Threads: 2
 

It doesn't stop the POST method. On the onclick event with the returning function, how does it stop the method? Is there another way?

This is the code:

function declaration:
Ayn Interactive 2008

<?php
session_start();

include("aynconfig.php");


form:

echo "
";
echo "Username 
";
echo "Password 

";
echo "  ";

both of them are in the same file under index.php

bornok15
Junior Poster in Training
91 posts since Feb 2008
Reputation Points: 13
Solved Threads: 2
 

