dimanche 28 décembre 2014

PHP Form Validation - Put it on the form or separate validation file with session variables?


Vote count:

0




I wish to ask whether I should put the PHP validation on the same HTML form, or a seperate file with session variables to display errors when I use header() to redirect to the form page if there are errors.


The main problem with putting them into session variables is that those errors stay even when closing the tab and coming back to the form (the browser has to close to reset).



<?php session_start() ?>
<!doctype html>
<html>

    <head>
        <meta charset="utf-8">
        <title>Login</title>
    </head>

    <body>
        <form action="formprocess.php" method="POST">
            <h1>Register For An Account!</h1></br>
            <?php echo $_SESSION['usernameerr']; ?>
            <p>Username: </p><input type="text" name="username"></br></br>
            <?php echo $_SESSION['passworderr']; ?>
            <p>Password: </p><input type="text" name="password"></br></br>
            <?php echo $_SESSION['emailerr']; ?>
            <p>E-mail Address</p><input type="text" name="email"></br></br>
            <input type="submit" name="Submit">
        </form>
    </body>

</html>


This is the php validation code:



<?php
session_start();
/*
 * VALIDATING FORM DATA
 */

// Setting validation variables and functions
$username = $password = $email = "";
$usernameerr = $passworderr = $emailerr = "";

function data_get($param){
    if(isset($_POST[$param])){
        $param = $_POST[$param];
    }
    return $param;
}

function sanitize_data($string){
    $sanitized_string = trim($string);
    $sanitized_string = strip_tags($sanitized_string);
    $sanitized_string = htmlspecialchars($sanitized_string);
    $sanitized_string = stripslashes($sanitized_string);
    return $sanitized_string;
}

// Validation of form data
if(data_get("Submit")){
    //Username validation
    if(empty(data_get("username")) || strlen(data_get("username"))>50){
        $usernameerr = "Please enter a valid username that is less than 50 characters long";
        $_SESSION['usernameerr'] = $usernameerr;
    }
    else{
        $username = sanitize_data(data_get("username"));
        $_SESSION['username'] = $username;
    }

    //Password validation
    if(empty(data_get("password")) || strlen(data_get("username")) > 50){
        $passworderr = "Please enter a valid password that is less than 50 characters long";
        $_SESSION['passworderr'] = $passworderr;
    }
    else{
        $password = password_hash(sanitize_data(data_get("password")), PASSWORD_DEFAULT);
        $_SESSION['password'] = $password;
    }

    //Email validation
    if(!filter_var(data_get("email"), FILTER_VALIDATE_EMAIL)){
        $emailerr = "Please enter a valid email";
        $_SESSION['emailerr'] = $emailerr;
    }
    else{
        $email = filter_var(data_get("email"), FILTER_SANITIZE_EMAIL);
        $_SESSION['email'] = $email;
    }
}

//Redirects to database handler
    if(empty($usernameerr) and empty($passworderr) and empty($emailerr)){
        header("Location: dbconn.php");
        exit;
    }
    else{
        header("Location: index.php");
        exit;
    }
?>


Also, did I handle the password encryption correctly? Or am I missing something very important that could hamper security? If everything went okay, I did a header() to the dbconn.php which would insert that into the database.


EDIT: By the way, I know I haven't added any regular expression checks, which I will add later on. This is just a test validation, and I plan on adding that later.



asked 1 min ago

Naz

69






PHP Form Validation - Put it on the form or separate validation file with session variables?
Publié par à
Libellés : , ,

Aucun commentaire:

Enregistrer un commentaire

Inscription à : Publier les commentaires (Atom)