I've been working with a PHP site and below is the code for my index page. How can I check the data first before going to POST? Can I do it with JavaScript? If the textboxes are blank it will not POST and just give a message. And how can I make it better and more secure? Anyone who could help me?

<head>
<title>Ayn Interactive</title>
</head>
<body>
<?php
session_start();

include("aynconfig.php");

// Which page to show; defaults to the login form
if (isset($_GET['action'])) {
    $action = $_GET['action'];
} else {
    $action = "Home";
}

switch ($action) {
    case "Log":
        include("Header.php");
        if ($_POST['uname'] == "") {
            echo "Please indicate a username";
            echo "<script>function redirect(){window.location.replace('index.php?action=Home');}setTimeout('redirect();', 1000);</script>";
        } else {
            $connect = mysql_connect($hostname, $username, $password) or die("Could not connect to mysql server");
            $uname = $_POST['uname'];
            $passw = $_POST['passw'];

            $dbname = mysql_select_db($database);
            // User input goes straight into the query string here
            $query  = "SELECT * FROM users where uname=\"$uname\" and passw=\"$passw\"";

            $result = mysql_query($query) or die("Query failed: " . mysql_error());

            if (mysql_num_rows($result) > 0) {
                echo "You are now Logged in";
                $_SESSION['name'] = $uname;

                echo $_SESSION['name'];
            } else {
                echo "You are not a valid user!";
                unset($uname);
                unset($passw);
                //unset($admin);
                echo "<script>alert('Invalid username')</script>";
                echo "<script>function redirect(){window.location.replace('index.php?action=Home');}setTimeout('redirect();', 1000);</script>";
            }

            mysql_free_result($result);
            mysql_close($connect);
        }
        break;

    case "Home":
        if (isset($logged)) {

        } else {
            include("Header.php");

            echo "<center><br><form action=index.php?action=Log method=POST>";
            echo "<font face=haettenschweiler>Username&nbsp;<input type=text name=uname><br>";
            echo "Password&nbsp;<input type=password name=passw></font><br><br>";
            echo "<input type=submit value='Login'>&nbsp;&nbsp;<input type=reset value='Reset'></form>";
        }

        break;

    case "Comments":
        break;
}
?>
</body>


You can use Javascript to check if the text boxes actually have data, OR you can use PHP, OR you could use both.

My #1 rule when dealing with user input is that I always always always check that it is valid before I start doing anything with it.

So what I do when I want to check if a form has passed data is the following:

if(!isset($_POST['uname']) || $_POST['uname'] == '' || !isset($_POST['pword']) || $_POST['pword'] == ''){
     // do what I need to do to return to the form
}

Hi, first of all, if you want to check the form before the POST has been made, you will have to do it on the client side, using JavaScript, or a Flash app, anything that runs on the client side.

As for the server side, first verify if the post is really there, using the isset function, before you verify if the POST is empty, because if there is no POST, verifying if it is empty on a non-existing index will throw you an error. More, before adding the POST values to the database, you will need to escape the values; use the functions trim() and mysql_real_escape_string(). You can always do a double check on the data types you're getting before inserting the data into the database; this way you will guarantee that you're getting the type of values you really want.

You may want to get some information on XSS, SQL injection and other security measures to be taken so you can minimize the chances of being hacked.

By the way, to check if the array value is empty or not you don't need to use $_POST == ""; use the empty() function, which will save you some processing cycles and increase your script's performance.
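Putting the server-side advice above together, here is the "Log" branch of the original index.php rewritten as an added example (not code from the thread). It assumes a mysqli connection in $db and a users table whose passw column holds a password_hash() value; it uses a prepared statement in place of mysql_real_escape_string(), which is the same idea (keep data out of the SQL text) done by the driver.

```php
<?php
// Added example, not from the thread. Assumptions: $db is a mysqli connection
// built from the values in aynconfig.php, and users.passw stores password_hash() output.

// Check the POST before touching the database: isset() first so a missing index
// gives no notice, trim() so a run of spaces does not count as a username.
function validate_login(array $post): array
{
    $errors = [];
    $uname  = isset($post['uname']) ? trim($post['uname']) : '';
    $passw  = isset($post['passw']) ? $post['passw'] : '';

    if ($uname === '') {
        $errors[] = 'Please indicate a username';
    } elseif (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $uname)) {
        // Shape check on the value, as the reply suggests for data types
        $errors[] = 'Username may only contain letters, digits and underscores';
    }
    if ($passw === '') {
        $errors[] = 'Please indicate a password';
    }
    return ['uname' => $uname, 'passw' => $passw, 'errors' => $errors];
}

// Prepared statement: the username travels as a bound parameter, so quotes in it
// cannot change the SQL; the password is never put in the query at all.
function check_login(mysqli $db, string $uname, string $passw): bool
{
    $stmt = $db->prepare('SELECT passw FROM users WHERE uname = ?');
    $stmt->bind_param('s', $uname);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();
    $stmt->close();
    return $found && password_verify($passw, $hash);
}

$login = validate_login($_POST);
if ($login['errors']) {
    foreach ($login['errors'] as $e) {
        // Escape on output so the message cannot become HTML (the XSS point above)
        echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), '<br>';
    }
} elseif (check_login($db, $login['uname'], $login['passw'])) {
    session_regenerate_id(true);          // fresh session id once logged in
    $_SESSION['name'] = $login['uname'];  // the superglobal is $_SESSION, uppercase
    echo 'You are now logged in as ', htmlspecialchars($login['uname'], ENT_QUOTES, 'UTF-8');
} else {
    echo 'You are not a valid user!';
}
```

The JavaScript check in the thread still belongs on the form for the user's convenience; this server-side check is what actually protects the database, because a client can submit the POST without ever running your script.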

To do a simple form validation it's useful to use JavaScript:

<form action="contact.php?act=contact" method="POST" id="contactForm" name="contactForm">
<input type="text" name="txtNume">
.
.
<a href="javascript:contactForm.submit();"
   onclick="return checkContactForm(document.contactForm, $errorStr);">
<img src="images/buton_trimite.gif" alt="Trimite mesaj" width="46" height="16" border="0"></a>
</form>

// javascript function: returns false (and the link's submit is cancelled) when the field is blank
function checkContactForm(form, errorName)
{
    var er = true;
    if (form.txtNume.value == "")
    {
        alert(errorName);
        er = false;
    }
    return er;
}

It's just a part of the code...


Thanks guys. Is my code considered server-side scripting? How can I make it client-side? silviuks, I tried the code but I don't seem to understand how it works. Can you give me some other examples, just small ones like this? Thanks.

Yes, PHP is a server-side scripting language, of course. The validation can be client-side using JavaScript. The example just shows that before you can process the POST, it must be true in the JavaScript function that handles the validation. If all comes out neat, the process will enter the POST page; otherwise it will return false and will go back to the pre-POST stage. You can also validate using PHP, but I recommend validating on both sides.

I think I can do the server-side validation but I'm having problems with the client side using JavaScript. Can you give a simple way to do it? I don't know how to prevent POST if the variables are null.

Will this work?

<script>
function validatevar(logidvar) {
    if (logidvar == "") {
        alert("Textbox empty");
    }
}
</script>

<form action="index.php?log=1">
<input type="text" name="logidvar">
<input type="button" value="test" onclick="validatevar(this.form.logidvar.value)">
</form>

Try to add this to your example:

<script>
function validatevar() {
    // look the field up through the named form instead of an undefined "form" variable
    if (document.form1.logidvar.value == "") {
        alert("Textbox empty");
        return false;
    }
    return true;
}
</script>

<form name="form1" action="index.php?log=1">
<input type="text" name="logidvar">
<input type="button" value="test" onclick="return validatevar();">
</form>

It doesn't stop the POST method. On the onclick event with the returning function, how does it stop the method? Is there another way?

This is the code.

function declaration:
<title>Ayn Interactive 2008</title>
<script type="text/javascript">
   function validatevar() {
      if (document.form1.uname.value == "") {
         alert("Textbox empty");
         return false;
      }
      return true;
   }
</script>

</head>
<body>
<?php
session_start();

include("aynconfig.php");  

form:

echo "<center><br><form name=form1 action=index.php?action=Log method=POST>";
echo "<font face=haettenschweiler>Username&nbsp;<input type=text name=uname><br>";
echo "Password&nbsp;<input type=password name=passw></font><br><br>";
echo "<input type=submit value='Login' onclick='return validatevar();'>&nbsp;&nbsp;<input type=reset value='Reset'></form>";

Both of them are in the same file, index.php.
