PHP - - Is It A Potential Security Risk To Leave Form Inputs Without Values If I'm Only Checking Isset?

How is it possible, in PHP, to display an error message next to a form input text field if a user is attempting to submit a form with empty fields? Moreover, how is it possible to remove the same error message when the user fills in the input field with the required data and/or refreshes the page?

I have 2 files that I am working with: application.php and process.php.

application.php mainly has the HTML of the form.
process.php has the PHP for processing and validating the form.

I am very new to learning PHP (I started learning it last week) and I have been searching for hours for a clear answer. I have already tried different methods for generating the error message including: using empty(), !isset, $_POST["name"] = "", etc, and have tried using session_start();, $row, echo, print, and other variables to try and display error message on the page, and I have tried using unset();, and = null, to try and remove the error message once the input field has been filled but all to no avail. Either the method I try only half works, or nothing works, and I cannot pinpoint which is the part that is not working.

I only have 2 files to work with, and as an example of what I want to do is:

1. If the first name field is empty when the user clicks submit, an error message should appear next to the input.
2. If the user fills in the input and clicks submit, the form should be processed and added to the database.
3. When the user returns to the application to page to fill in another application form, the error message should not appear.

Is this possible with PHP?

Hi!
I have this to check if now is between start time and end time:


[date_default_timezone_set('Europe/Belgrade');



$TimeNow = date("H:i" ,time());
$today_date = date('d-m-y');
$GetTimeTable = "SELECT * FROM timetable WHERE username='$username' AND Subject_date='$today_date'";
$ConnectTimeTable = $database->query($GetTimeTable);
$TimeTable = mysql_fetch_array($ConnectTimeTable);

$Subject = $TimeTable['Subject'];

$Start_time = $TimeTable['Start_Time'];
$End_time = $TimeTable['End_Time'];

?><br><?



if($TimeNow >= $Start_time && $TimeNow <= $End_time){
echo "Current Class: ";
echo $Subject;
echo "<br><br>";
// a START time value
$start = $TimeNow;
// an END time value
$end   = $End_time;

// what is the time difference between $end and $start?
if( $diff=@get_time_difference($start, $end) )
{
  echo "Time left: " .
       sprintf( '%02d:%02d', $diff['hours'], $diff['minutes'] );
}
else
{
  echo "Hours: Error";
}



}
else{
echo "No class. :)";
}


Start time and end time is displayed in the format like 14:26.

For some reason this code doesn't work though, I don't get why.

Hello ,   I am trying to update a record in my table if the particular value exists in the rows of a table. But my if-else not working properly. I am not getting where i am going wrong.   here is my table authorization, where i define authorization % with min and max.  authorisation.JPG   16.83KB   0 downloads   after adding line items, before display i will check whether any one of the line item discount lies within this min and max and also checks whether authorization is required (required='Yes'/'No')  for that discount in my authorization table.  If authorization required then i will update that order number as authorized.    here is my line items table    line_items.JPG   20.37KB   0 downloads   I am doing like this

while($row=mysql_fetch_array($query))
{
$dis1 = "SELECT auth_id, auth_min, auth_max, required FROM sales_authorisation";
$dis2 = mysql_query($dis1) or die (mysql_error());

while($d1 = mysql_fetch_array($dis2))
{
	$min = $d1['auth_min'];
	$max = $d1['auth_max'];
	$req = $d1['required'];
	//echo $req;
	
if( ($min <= ($row['discount'])) && ($max >= ($row['discount'])) && ($req='Yes'))
{
$auth = "UPDATE orders SET authorise='No' WHERE order_id=".$order_id."";
echo "hello";
}
else
{

$auth = "UPDATE orders SET authorise='Yes' WHERE order_id=".$order_id."";

}
$auth1 = mysql_query($auth) or die (mysql_error());

}

?> 

<tr> 
<td><?php echo $counter++; ?></td>
<td><?php echo $row['itemname']; ?> - <?php echo $row['uom']; ?></td>
<td><?php echo $row['description']; ?></td>
<td><?php echo $row['quantity']; ?></td>
<td><?php echo number_format($row['selling_price'],2); ?></td>
<td><?php echo $row['discount']; ?> %</td>
<td><?php echo $row['tname']; ?>-<?php echo $row['rate']; ?> %</td>
<td><?php echo $row['freight']; ?></td>
<td><?php echo number_format($row['total'],2); ?></td>
 
 </tr> 

While loop is for displaying line items for the order.   But my if condition doesn't works . Not getting how to do it. please suggest       

i retrieving an adid from $_GET which is also a value retireved from a database.
Code: [Select]
$this_adid=$_GET['adid'];
    if(empty($this_adid))
{
    $get_ad_id = mysql_query("SELECT userid FROM ads WHERE adid='$this_adid'", $con) or die("Error Getting AD ID: ".mysql_error());
   while($get_ad_id_results = mysql_fetch_assoc($get_ad_id)) { $owner_id=$get_ad_id_results['userid']; }
}
the above query works if  $this_adid returns 0 (http://www.website.com/?do=delete&adid=0&givenuserid=15773) i.e. adid is 0 in the table.

But it does not work if $this_adid returns null or ntohin (http://www.website.com/?do=delete&adid=&givenuserid=15773) .i.e adid is ' ' (empty) field in the databse table..

can someone tell me why it does not check for null or empty values properly?

Since there have been some debates about how to safely pass PHP values to JavaScript, I hope I can clarify a few things.   One suggestion that kept recurring was to simply run the value through json_encode() and then inject the result into a script element. The JSON-encoding is supposed to (magically?) prevent cross-site scripting vulnerabilities. And indeed it seemingly works, because naïve attacks like trying to inject a double quote will fail.   Unfortunately, this approach doesn't work at all and is fundamentally wrong for several reasons: json_encode() was never intended to be a security function. It simply builds a JSON object from a value. And the JSON specification doesn't make any security promises either. So even if the function happens to prevent some attack, this is implementation-specific and may change at any time. JSON doesn't know anything about HTML entities. The encoder leaves entities like &quot; untouched, not realizing that this represents a double quote which is dangerous in a JavaScript context. The json_encode() function is not encoding-aware, which makes it extremely fragile and unsuitable for any security purposes. Some of you may know this problem from SQL-escaping: There used to be a function called mysql_escape_string() which was based on a fixed character encoding instead of the actual encoding of the database connection. This quickly turned out to be a very bad idea, because a mismatch could render the function useless (e. g. the infamous GBK vulnerability). So back in 2002(!), the function was abandoned in favor of mysql_real_escape_string(). Well, json_encode() is like the old mysql_escape_string() and suffers from the exact same issues. Any of those issues can be fatal and enable attackers to perform cross-site scripting, as demonstrated below.       1)   The entire “security” of json_encode() is based on side-effects. For example, the current implementation happens to escape forward slashes. But the JSON standard doesn't mandate this in any way, so this feature could be removed at any time (it can also be disabled at runtime). If it does get disabled, then your application is suddenly wide open to even the most trivial cross-site scripting attacks:

<?php

header('Content-Type: text/html; charset=UTF-8');

$input = '</script><script>alert(String.fromCharCode(88, 83, 83));</script><script>';

?>
<!DOCTYPE HTML>
<html>
    <head>
        <meta charset="utf-8">
        <title>XSS</title>
    </head>
    <body>
        <script>
            var x = <?= json_encode($input, JSON_UNESCAPED_SLASHES) ?>;
        </script>
    </body>
</html>

2)   In XHTML, a script element works like any other element, so HTML entities like &quot; are replaced with their actual characters (in this case a double quote). But JSON does not recognize HTML entities, so an attacker can use them to bypass json_encode() and inject arbitrary characters:

<?php

header('Content-Type: application/xhtml+xml; charset=UTF-8');

$input = "&quot;;alert('XSS');&quot;";

?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
    <head>
        <title>XSS</title>
        <meta http-equiv="content-type" content="text/html; charset=UTF-8" />
    </head>
    <body>
        <script type="text/javascript">
            var x = <?= json_encode($input) ?>;
        </script>
    </body>
</html>

3)   json_encode() blindly assumes that the input and the output should always be UTF-8. If you happen to use a different encoding, or if an attacker manages to trigger a specific encoding, you're again left with no protection at all:

<?php

header('Content-Type: text/html; charset=UTF-7');

$input = '+ACIAOw-alert(+ACI-XSS+ACI)+ADsAIg-';

?>
<!DOCTYPE HTML>
<html>
    <head>
        <meta charset="utf-7">
        <title>XSS</title>
    </head>
    <body>
        <script>
            var x = <?= json_encode($input) ?>;
        </script>
    </body>
</html>

(This particular example only works in Internet Explorer.)       I hope this makes it very clear that json_encode() is not a security feature in any way. Relying on it is conceptually wrong and simply a very bad idea.   It's generally not recommended to inject code directly into a script element, because any mistake or bug will immediately lead to a cross-site scripting vulnerability. It's also very difficult to do it correctly, because there are special parsing rules and differences between the various flavors of HTML. If you try it, you're asking for trouble.   So how should one pass PHP values to JavaScript? By far the most secure and robust approach is to simply use Ajax: Since Ajax cleanly separates the data from the application logic, the value can't just “leak” into a script context. This is essentially like a prepared statement.   If you're into micro-optimization and cannot live with the fact that Ajax may need an extra request, there's an alternative approach by the OWASP: You can JSON-encode the data, HTML-escape the result, put the escaped content into a hidden div element and then parse it with JSON.parse():

<?php

header('Content-Type: text/html; charset=UTF-8');

$input = 'bar';

?>
<!DOCTYPE HTML>
<html>
    <head>
        <meta charset="utf-8">
        <title>XSS</title>
        <style>
            .hidden {
                display: none;
            }
        </style>
    </head>
    <body>
        <div id="my-data" class="hidden">
            <?php
                $json_object = json_encode(array(
                    'foo' => $input,
                ));

                // HTML-escape the JSON object
                echo htmlspecialchars($json_object, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
            ?>
        </div>
        <script>
            var data = JSON.parse(document.getElementById('my-data').innerHTML);
            
            alert('The following value has been safely passed to JavaScript: ' + data.foo);
        </script>
    </body>
</html>

Hello,   I am trying to check whether the values in rows are equal or same?   I have two tables orders and line_items.  I will store more than 1 line items in line_items table with the same order_id getting from orders table. In line items if i have 3 line items for same order_id, when each line items gets dispatched i will set the status to 'Dispatched' in line_items table. When all the 3 becomes 'Dispatched', i will update the order status as 'Completed' in orders table.    Now i am not getting how to check whether all the 3 line items status id 'Dispatched'.   I tried doing like this  

$q1 = "select orders.order_id, orders.item_status as istatus, orders.status as ostatus, orders.authorise, line_items.order_id, line_items.status as bstatus, COUNT(line_items.id) as bid from orders inner join line_items on orders.order_id=line_items.order_id where line_items.order_id=".$id." AND line_items.id<>'Dispatched'";




$q2 = mysql_query($q1);
while($q3 = mysql_fetch_array($q2))
{
echo $q3['bstatus'];
if($q3['bstatus']=='');
{
echo "HELLLOOOO";
}
}

But its not working. It goes into if loop even if a single value is 'Dispatched'   Please help me.          

Hi there,

I am working on a PHP web form.

There is simple textbox where users can enter countries.

If the user enters any of the European countries for example Spain, Germany or Italy then the web page must echo ' You entered a European country. The code I am using is:

switch ($txtCountry) { 
            case 'Germany' || 'Spain' || 'Belgium' || 'Cyprus' || 'Estonia': 
            echo "You entered a European Country";
            break; 

            case 'Japan': 
            echo "You entered a Far Eastern Country";
            break;                 

            default: 
            echo "Unknown Country";
            break; 
        }

Now the problem is even if I enter a different country like Japan, it goes to the first Case: i.e. 'You entered a European Country'

Whats the best way to use Switch case to check multiple values. Is my Syntax correct or do I need to use single quote of double quote here.

Please reply.

Thank you!

I have a form that is supposed to use PHP to display errors next to incomplete form fields when the form is submitted.

But I am never getting into my PHP loop.

I tried using the print_r(true) function to debug, but no luck.

When I click submit I see this i the URL...

http://localhost/00_MyWebSite/zzEmptyPHP.php?firstName=&lastName=&submit=Process+Order&submitted=true

which is what I would expect on a blank form being submitted.

Here is my code...

Code: [Select]
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title></title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<link type="text/css" rel="stylesheet" href=".css">
<style type="text/css" >
form{
width: 400px;
margin: 0 auto;
}
</style>
</head>
<body>
<?php
// Initialize.
$errors = array();
$errors['firstName'] = '';
$errors['lastName'] = '';
$firstName = $lastName = '';

echo "print_r = " . print_r(true);

if (isset($_POST['submit'])){
// Handle Form.

// Trim all incoming data.
$trimmed = array_map('trim', $_POST);

// Check First Name.
if (preg_match('/^[A-Z\'.-]{2,20}$/i', $_POST['firstName'])){
$firstName = $_POST['firstNamae'];
}else{
$errors['firstName'] = 'Please enter your First Name.';
}

// Check Last Name.
if (preg_match('/^[A-Z\'.-]{2,20}$/i', $_POST['lastName'])){
$lastName = $_POST['lastName'];
}else{
$errors['lastName'] = 'Please enter your Last Name.';
}

// if there are errors then go back to the form and display them
}else{

}
?>
<form action="">
<fieldset>
<legend>Billing Details</legend>
<ol>
<li>
<label for="firstName">First Name:</label>
<input id="firstName" name="firstName" class="text" type="text" />
<?php echo $errors['firstName']; ?>
</li>
<li>
<label for="lastName">Last Name:</label>
<input id="lastName" name="lastName" class="text" type="text" />
<?php echo $errors['lastName']; ?>
</li>
</ol>
<input type="submit" name="submit" value="Process Order" />
<input type="hidden" name="submitted" value="true" />
</fieldset>
</form>
</body>
</html>

Any ideas what I am doing wrong?

Thanks,


Debbie

Hey Guys,

Im working with a form and need some help.

So at the moment i have got it working so that if the user doesn't select the values from the drop down list, an error will occur saying 'Please select all fields'.

What i want to do now is make it so that if this error occurs, the value of the drop down list will stay as it is an NOT reset. Could someone help me out?

* Note that the code below is currently ok, basically it checks if there is a value, if not it will say "Select Player".

Code: [Select]

<td>Prop</td>
    <td><select name="prop1" style="width: 150px">
<option value="<? echo $row['prop1']; ?>"><? if (empty($row['prop1'])) { echo "Select Player"; } else { echo $row['prop1'];  } ?></option>
<?php echo $option_str; ?>
    </select></td>
    <td>16.</td>
    <td><select name="r16" style="width: 150px">
<option value="<? echo $row['r16']; ?>"><? if (empty($row['r16'])) { echo "Select Player"; } else { echo $row['r16'];  } ?></option>
      <?php echo $option_str; ?>
    </select></td>

Hi all,
Hoping someone can help with what i would guess is a very simple problem.

I have the following code which is suppose to display a form. the form posts to itself and uses isset and if the form has been posted it doesnt display the form.

if (isset($_POST['submit'])) {

echo "question submitted successfully";
}
else {
          echo '<form method="post" name="qanda" id="qanda" action="http://' . $_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"] . '">';
          echo '<p><label for="name">Name</label> <input type="text" id="name" /></p>';
          echo '<p><label for="e-mail">E-mail</label> <input type="text" id="e-mail" /></p>';
          echo '<p><label for="Question">Question</label>  <textarea rows="6" id="question"></textarea></p>';
          echo '<p class="submit"><input type="submit" value="Submit" /></p></form>';
  }

this currently doesnt work.

Extra things you might need to know is that this script/form is an included file in a dynamic site which also uses the rewrite module which is why I am using http://' . $_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"] just incase that makes a difference.

I'm working on an online php program that can have a few hundred form inputs. Mainly just numbers  from 1 to 50,000 depending on the field. I wanted to use cookies so the user can keep the data entered on their browser but i found out the hard way that the browsers have a limitation that I've exceeded. Does anyone have any ideas?     

Hello, I have coded a contact form in PHP and I want to know, if according to you, it is secure! I am new in PHP, so I want some feedback from you.

Moreover, I have also two problems based on the contact form. It is a bit complicated to explain, thus, I will break each of my problem one by one.

FIRST:The first thing I want to know, is if my contact form secure according to you:

The HTML with the PHP codes:

Code: [Select]
<?php
if ($_SERVER['REQUEST_METHOD'] == 'POST') {

//Assigning variables to elements
$first = htmlentities($_POST['first']);
$last = htmlentities($_POST['last']);
$sub = htmlentities($_POST['subject']);
$email = htmlentities($_POST['email']);
$web = htmlentities($_POST['website']);
$heard = htmlentities($_POST['heard']);
$comment = htmlentities($_POST['message']);
$cap = htmlentities($_POST['captcha']);

//Declaring the email address with body content
$to = 'alithebestofall2010@gmail.com';
$body ="First name: '$first' \n\n Last name: '$last' \n\n Subject: '$sub' \n\n Email: '$email' \n\n Website: '$web' \n\n Heard from us: '$heard' \n\n Comments: '$comment'";

//Validate the forms
if (empty($first) || empty($last) || empty($sub) || empty($email) || empty($comment) || empty($cap)) {
echo '<p class="error">Required fields must be filled!</p>';
header ('refresh= 3; url= index.php');
return false;

} 
elseif (filter_var($first, FILTER_VALIDATE_INT) || filter_var($last, FILTER_VALIDATE_INT)) {
echo '<p class="error">You cannot enter a number as either the first or last name!</p>';
return false;
} 
elseif (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
echo '<p class="error">Incorrect email address!</p>';
return false;
}
elseif (!($cap === '12')){
echo '<p class="error">Invalid captcha, try again!</p>';
return false;
}
else {
mail ($to, $sub, $body);
echo '<p class="success">Thank you for contacting us!</p>';
}
}
?>
<form action="<?php echo $_SERVER['PHP_SELF'];?>" method="post">
<p>Your first name: <span class="required">*</span></p>
<p><input type="text" name="first" size="40" placeholder="Ex: Paul"/></p>

<p>Your last name: <span class="required">*</span></p>
<p><input type="text" name="last" size="40" placeholder="Ex: Smith"/></p>

<p>Subject: <span class="required">*</span></p>
<p><input type="text" name="subject" size="40" placeholder="Ex: Contact"/></p>

<p>Your email address: <span class="required">*</span></p>
<p><input type="text" name="email" size="40" placeholder="Ex: example@xxx.com"/></p>

<p>Website:</p>
<p><input type="text" name="website" size="40" placeholder="Ex: http//:google.com"/></p>

<p>Where you have heard us?: <span class="required">*</span></p>
<p><select name="heard">
<option>Internet</option>
<option>Newspapers</option>
<option>Friends or relatives</option>
<option>Others</option>
</select></p>

<p>Your message: <span class="required">*</span></p>
<p><textarea cols="75" rows="20" name="message"></textarea></p>

<p>Are you human? Sum this please: 5 + 7 = ?: <span class="required">*</span></p></p>
<p><input type="text" name="captcha" size="10"/></p>

<p><input type="submit" name="submit" value="Send" class="button"/>
<input type="reset" value="Reset" class="button"/></p>
</form>

SECOND PROBLEM:If a user has made a mistake, he gets the error message so that he can correct! However, when a mistake in the form occurs, all the data the user has entered are disappeared! I want the data to keep appearing so that the user does not start over again to fill the form.

THIRD: When the erro message is displayed to notify the user that he made a mistake when submitting the form, the message is displaying on the top of the page. I want it to appear below each respective field. How to do that? In JQuery it is simple, but in PHP, I am confusing!

I've tried both of these methods, but neither are working. The if statement fails every time.

Code: [Select]
if(isset($_POST['submit'])){ Code: [Select]
if(isset($submit)){
This is the form:

Code: [Select]
          <form id="form1" name="form1" method="post" action="join.php">
            <label><span>
              <input name="email" type="text" class="keywords" id="textfield" maxlength="50" value="Join my mailing list..." onclick="make_blank();" />
              </span>
              <input name="submit" type="image" src="images/search.gif" class="button" onclick="return checkmail(this.form.email);"/>
            </label>
          </form>

Hi everyone, I wanted to some investigating before I label this as a bug, but from what I can see I'm not getting expected results. It appears as if mysqli_stmt_result_metadata does not return the proper object. It should be of mysqli_result type, but yet when I run mysqli_num_rows against it, I get 0, always. If I do a direct mysqli_query and take the resultset back, I can call mysqli_num_rows and it returns the proper value.

Example #1(doesn't work):

      if($this->statement = mysqli_prepare($this->databaseConnection, "SELECT 1 FROM DIGIUSERS WHERE UNAME = ?"))
      {
         mysqli_stmt_bind_param($this->statement, 's', $username);
         mysqli_stmt_execute($this->statement);
         $this->errorQuery();
         $result = mysqli_stmt_result_metadata($this->statement);
         //Ooops, the username is already taken! exit with status of -7
         if(mysql_num_rows($result) > 0) {
             mysqli_rollback($this->databaseConnection);
             exit("<STATUS>-7</STATUS></USER>");
         }
         mysqli_stmt_close($this->statement);
      }

Example #2 (works but i cant bind variables):
$result = mysqli_query($this->databaseConnection, "SELECT 1 FROM DIGIUSERS WHERE UNAME = $username");
         
         $this->errorQuery();
         
         //Ooops, the username is already taken! exit with status of -7
         if(mysqli_num_rows($result) > 0) {
             mysqli_rollback($this->databaseConnection);
             exit("<STATUS>-7</STATUS></USER>");
         }

I have variable binding working just fine elsewhere on the site so I know it's not that. The only thing I can think of is that mysqli_stmt_result_metadata is not returning the proper object. For now i will use #2 but, very begrudgingly....

What is the best way to force a user to input numeric value into a form, with the following condition:
Either the number is an integer (positive or negative or zero), or non integer but limited to the one digit behind the dot (e.g. 1.2 is valid, but 1.21 is not)?
I know I can test it in the server side, but I prefer it to be on the form side.

Can it be in the HTML level?