Form validation not working (or not connecting to database?)

Hi all,

I hope you can help, I tested this on XAMPP and it worked a treat, really can’t see why it’s broken when putting it online (famous last words!).

At one stage when I tried searching for a number (that I know is in the database), it went to a blank page, HTTP error - something to do with couldn’t find the page or there was a programming error.

That’s not happening now, but no matter what I enter in the search input, it always (and only) outputs the following $format and $messages.

It seems to ignore if (strlen($search_term) <= 3) and/or automatically assumes all entered values meet this criteria.

if (strlen($search_term) <= 3) {
$format = 'class="error"';
$messages = "Enter at least four numbers.";
}

I am also unsure if it’s actually connecting to the database as well but haven’t seen an error message.

I have attached the full code if you’d be OK to check it out briefly? I’m almost convinced it’s a syntax issue, why would it work in XAMPP and not online?

My host’s details are (if relevant):

Software
PHP: Installed (Version 5.4.29)
Python: Installed (Version 2.6.6)
Perl: Installed (Version 5.10.1)
Apache: Installed (Version 2.2.15)
MySQL: Installed (Version 14.14)


search.txt (1.99 KB)

Well, your code looks okay. If it works locally, then most likely you did not put the correct
userid and password into the connection string.

If you type in a number and you get an HTTP error, please post that error so we can see what it is.
You may have to tell your PHP to show all errors first as some may be suppressed.

Or, you may have to debug it one line at a time. The easy way to do this is add a “DIE” command
and keep moving it lower in the code showing the next step. Something like this for the line in question:
die($search_term);
This will display the search term as it appears after the scrubbing of it. Then, you will know if it actually
is what it is supposed to be.

I’ve sorted it, just before “the rage” exploded out of me no matter what I tried!

I commented out the code to get back to basics, simply put, no value was being taken from the input with this:

$search_term = mysqli_real_escape_string(trim($_POST["search_term"]));

The PHP documentation appears to require a reference to a database connection and then the input:

$search_term = mysqli_real_escape_string($con, $_POST["search_term"]);

What if I just wanted to play around with taking a value and outputting it back to the user and not involve a database? Must I still refer to a database connection?

Anyway, managed to put the trim back in with this:

$search_term = mysqli_real_escape_string($con, trim($_POST["search_term"]));

Hopefully anyone who has had this issue will now be happy with these answers. :)

LOL, well, yes and no… First, I assumed you were using a database as you showed the “mysqli”
command lines. I didn’t ask you the correct questions.

SO, No, you do NOT need a database for this.

Yes, you posted “mysqli” code. The lines that you use that have that word in them must be changed to
not do a MySQL function call. You can still use the mysqli_real_escape_strings but, they are called
something else when doing them directly.

But, let’s explain a little further. When someone types in characters into a form and it is posted to
a server, they can type in just about anything. So, using the mysqli_real_escape_strings, you are
removing slashes and making sure the user does not enter PHP code into the data which can damage
it. So, if you are not saving the data into a database that command does very little.

You could simply remove slashes using PHP functions or replace many other items that could be typed
in, but, again, if they are not being saved into a database or into anything that may be placed into a
database in the future, then, it is not needed.

Hope that explains it. So, when reading data from the posted page and not saving them into a database,
just use $variable_name=$_POST['form_field_name']; There are lots of ways to validate them to make
sure they are valid using “preg_match” and REGEX functions to check for valid inputs. Normally for a
search form, if it is a number, you check it to make sure all of the characters typed in are numbers.

Does that help?

I’m checking the value entered against a database to check if it matches or not, so figured I need to use the mysqli, but I see from what you’ve said that I only need to escape values that are being saved to the database (which these are not).

I am already using a regex so thank you very much for explaining this for me and in future I’ll make sure I’m doing it right.

Glad I could help. One more thing. A good hacker can enter data into a form field that is JavaScript
and could cause you problems. Therefore, you want to remove items such as braces and the such that
are used inside of JavaScript or jQuery. Like " [ ] { } " etc…

Hope that helps. Let us know if you feel this is a solved or not. We can help further if you have
more questions… Good luck…
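
The three pieces discussed across this thread (a digits-only check, a database lookup, and echoing the value back to the user), as an added example that is not code from any poster or from the attached search.txt. It validates with preg_match, runs the lookup through a mysqli prepared statement so the query needs no manual escaping, and HTML-encodes the value at output time; the table `items`, the column `number` and the helper function names are assumptions.

```php
<?php
// Added example. Table "items" and column "number" are hypothetical names.

/** Return the trimmed term if it is four or more digits, else null. */
function validate_search_term($raw)
{
    $term = trim((string) $raw);
    // Allow-list: digits only, minimum length four (the rule in the thread).
    return preg_match('/\A[0-9]{4,}\z/', $term) === 1 ? $term : null;
}

/** Look the term up with a bound parameter instead of an escaped string. */
function number_exists(mysqli $con, $term)
{
    $stmt = $con->prepare('SELECT 1 FROM items WHERE number = ? LIMIT 1');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $con->error);
    }
    $stmt->bind_param('s', $term);
    $stmt->execute();
    $stmt->store_result();
    $found = $stmt->num_rows > 0;
    $stmt->close();
    return $found;
}

/** Encode for an HTML context at output time rather than stripping characters. */
function h($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample inputs; this loop runs without a database.
$samples = array('12345', ' 0042 ', '123', "1234' OR '1'='1", '<script>alert(1)</script>');
foreach ($samples as $raw) {
    $term = validate_search_term($raw);
    if ($term === null) {
        // Rejected input is still encoded before it is echoed back.
        echo '<p class="error">Enter at least four numbers. You typed: ' . h($raw) . "</p>\n";
    } else {
        echo '<p>Searching for ' . h($term) . "</p>\n";
        // With a live connection: $found = number_exists($con, $term);
    }
}
```

Only the first two samples pass validation; the other three are rejected and appear in the error message with their quotes and angle brackets encoded.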
