
I have a form and am trying to add some basic security and validation to it:

I'm trying to create an $error variable to display error messages if fields are left blank.

Currently if I leave the name field and the radio button empty, I am only seeing an error message relating to the empty radio button and not the empty name field.

I am trying to keep this form as simple as possible, but just want to add some basic security and validation.

Can anybody help?

Here's my HTML form:

<?php
if(@$_REQUEST['submit'] == '1') {
    include('assets/forms/rsvp.php');
}
?>

        <form action="?" method="post">
            <?php if(@$errors) :?>
                <p class="errors"><?php echo $errors; ?></p>
            <?php endif; ?>
            <input type="hidden" name="submit" value="1" />
            <div class="form-row">
                <div class="field-l">
                    <p>Name</p>
                </div>
                <div class="field-r">
                    <p>Attending?</p>
                </div>
            </div>
            <div class="form-row guest">
                <div class="field-l">
                    <input type="text" name="name[0]" id="name" value="" tabindex="1" />
                </div>
                <div class="field-r">
                    <input type="radio" name="coming[0]" id="coming-yes" class="coming-yes" value="Yes"><label for="coming-yes">Yes</label><input type="radio" name="coming[0]" id="coming-no" class="coming-no" value="No"><label for="coming-no">No</label>
                </div>
            </div>
            <a class="addguest" href="#">Add further guest</a>
            <div class="form-row">
                <button type="submit" id="rsvp-submit" tabindex="2">Submit RSVP</button>
            </div>
        </form>

Here's my form process code:

<?php

//echo "<pre>" . print_r($_POST, true) . "</pre>"; die();

if (isset($_POST['name'])) {
    $name = strip_tags(trim($_POST['name']));
}
if (isset($_POST['coming'])) {
    $coming = strip_tags(trim($_POST['coming']));
}

$errors = "";
if(!@$_POST['name'])    { $errors .= "Please enter your name.<br/>\n"; }
if(!@$_POST['coming'])  { $errors .= "Please enter yes or no for attending.<br/>\n"; }

if(@$_POST['emailaddress'] != '')   { $spam = '1'; }

if (!$errors && @$spam != '1')
    {
        $to = "[email protected]";
        $subject = "Wedding RSVP";
        $headers = "From: [email protected]";
        $body = "The following RSVP has been sent via the website.\n\n";
        for($i=0; $i < count($_POST['name']); $i++) {
            $body .= "
            Name ".($i+1)." : " . $_POST['name'][$i] . "\n
            Coming ".($i+1)." : " . $_POST['coming'][$i] ."\n\n";
        }
        $body .= "\n\nDate Received: " . date("j F Y, g:i a") . "\n";

        mail($to,$subject,$body,$headers);
    }

?>
  • Remove all the error suppression @ from your code and start working through the errors. Commented Apr 19, 2017 at 22:10
  • With the possible exception (no pun intended) of a few built-in I/O functions, you should not use the error suppression symbol. Commented Apr 19, 2017 at 22:13

3 Answers


Your problem is that you're sending these POST variables as an array, but treating them like a string. You need to loop through each one individually:

<?php
$errors = "";
// Guard the shape of the input first: a radio button that was never selected
// is not submitted at all, so coming[] can be missing an index or be missing
// entirely, and a tampered request can send a plain string instead of an array.
$names  = isset($_POST["name"])   && is_array($_POST["name"])   ? $_POST["name"]   : [];
$coming = isset($_POST["coming"]) && is_array($_POST["coming"]) ? $_POST["coming"] : [];

if ($names === []) {
    $errors .= "Please enter your name.<br/>\n";
}
foreach ($names as $index => $name) {
    if (!is_string($name) || trim($name) === "") {
        $errors .= "Name missing from entry $index.<br/>\n";
    }
    // Check attendance by the same index rather than looping over coming[],
    // which would silently skip every row where no radio was selected.
    if (!isset($coming[$index]) || !in_array($coming[$index], ["Yes", "No"], true)) {
        $errors .= "Please enter attendance for entry $index.<br/>\n";
    }
}

if ($errors === "") {
    $to = "[email protected]";
    $subject = "Wedding RSVP";
    $headers = "From: [email protected]";
    $body = "The following RSVP has been sent via the website.\n\n";
    foreach ($names as $i => $name) {
        $num = $i + 1;
        $body .= "Name $num : $name\nComing $num : {$coming[$i]}\n\n";
    }
    $body .= "\n\nDate Received: " . date("j F Y, g:i a") . "\n";

    mail($to, $subject, $body, $headers);
}
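The following is an added example, not code from the question or from any of the answers. It validates the name[]/coming[] arrays this form posts one guest row at a time, looking the attendance answer up by the name's index so that a row whose radio was never selected (and therefore never reached $_POST) is still reported, ignoring an "Add further guest" row that was left completely blank (the case raised in a comment on the second answer), allowlisting the radio value, and escaping error text before it is echoed into the page. The field names, the Yes/No values and the 'emailaddress' honeypot come from the question; the function names validate_rsvp and render_errors, the 200-byte name limit and the sample POST array are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example (not from the question or any answer). Function names, the
// 200-byte name limit and the sample POST below are assumptions; the field
// names and the Yes/No values come from the form in the question.

/**
 * Validate the RSVP form. Returns a list of error strings and, when there are
 * none, the cleaned guest rows to put in the mail body.
 *
 * @param array<string,mixed> $post the raw $_POST array
 * @return array{errors: list<string>, guests: list<array{name: string, coming: string}>}
 */
function validate_rsvp(array $post): array
{
    $errors = [];
    $guests = [];

    // Honeypot: browsers leave the hidden 'emailaddress' field empty; bots fill it.
    if (isset($post['emailaddress']) && $post['emailaddress'] !== '') {
        return ['errors' => ['Submission rejected.'], 'guests' => []];
    }

    // Never assume the shape of user input: both fields must be arrays, and a
    // client omits coming[] entirely when no radio button is selected.
    $names  = isset($post['name'])   && is_array($post['name'])   ? $post['name']   : [];
    $coming = isset($post['coming']) && is_array($post['coming']) ? $post['coming'] : [];

    if ($names === []) {
        $errors[] = 'Please enter your name.';
    }

    foreach ($names as $index => $rawName) {
        // PHP turns numeric keys into ints; any other key was not sent by this form.
        if (!is_int($index)) {
            continue;
        }
        // Scalars only, and no CR/LF: a name must never become an extra mail line.
        $name = is_string($rawName) ? trim(str_replace(["\r", "\n"], ' ', $rawName)) : '';
        // An unselected radio is absent from $_POST, so look the answer up by index.
        $answer = isset($coming[$index]) && is_string($coming[$index]) ? $coming[$index] : '';

        // A row added with "Add further guest" and left completely blank is
        // ignored rather than reported.
        if ($index > 0 && $name === '' && $answer === '') {
            continue;
        }

        $row = $index + 1;
        // Compare with === '' rather than empty(): a guest called "0" is still a name.
        if ($name === '') {
            $errors[] = "Please enter a name for guest $row.";
        } elseif (strlen($name) > 200) {
            $errors[] = "The name for guest $row is too long.";
        }
        // Allowlist the radio value instead of trusting whatever was posted.
        if (!in_array($answer, ['Yes', 'No'], true)) {
            $errors[] = "Please choose Yes or No for guest $row.";
        }

        $guests[] = ['name' => $name, 'coming' => $answer];
    }

    return ['errors' => $errors, 'guests' => $errors === [] ? $guests : []];
}

/**
 * Escape error text before echoing it into the <p class="errors"> element.
 * The messages above are static, but escaping now means a later message that
 * quotes user input cannot turn into reflected XSS.
 */
function render_errors(array $errors): string
{
    $escaped = array_map(
        static fn (string $e): string => htmlspecialchars($e, ENT_QUOTES | ENT_HTML5, 'UTF-8'),
        $errors
    );
    return implode("<br/>\n", $escaped);
}

// Constructed sample (not a real submission): guest 1 complete, an added row
// left blank, and a third guest with a name but no radio selected, so
// coming[2] was never submitted.
$sample = [
    'submit' => '1',
    'name'   => [0 => 'Alice Example', 1 => '', 2 => 'Bob Example'],
    'coming' => [0 => 'Yes'],
];
$result = validate_rsvp($sample);
echo render_errors($result['errors']), "\n";
```

In the form, replace the raw `echo $errors;` with `echo render_errors($errors);` and build the mail body from `$result['guests']` only when `$result['errors']` is empty; the header lines stay fixed strings, so user input never reaches `mail()` outside the body.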


Using empty() would be enough to check.

if (empty($_POST['field'])) {
    // Your code
}

And for more security use strlen()

if (strlen($_POST['field']) == 0) {
    // Your code
}

Combine both:

if (strlen($field) == 0 || empty($field)) {
    // code
}

8 Comments

  • strlen offers no "security," and will trigger notices if the array index does not exist. Your first suggestion is fine.
  • This works great if all fields have been left blank, but if somebody hits 'add further guest', fills in one name and yes/no row, but leaves the second one blank, I still get the error messages. Not sure if there is a way around this...
  • @miken32 Isn't it usually used in forms validation to ensure the length of the entries? Please, I'm concerned about why it doesn't offer any security.
  • I tried changing out to if(empty($_POST['name'])) { $errors .= "Please enter your name<br/>"; } but this doesn't seem to return an error message when the 'name' field is left blank...
  • empty() checks for an unset variable or index, or if it is set, for content that evaluates to boolean false (i.e. 0 or ''). empty($foo) is the same as !isset($foo) || strlen($foo) === 0 || $foo === "0" || $foo === 0 || $foo === false

if (strlen($_POST['name']) == 0) {
    $errors = "Please enter your name";
}
// strlen() == 0 means the name field is empty
