PHP Form validation

Still very new to PHP and enjoy every minute of it. Okay, I am trying to do a form validation for my database. I am trying to get the basics of PHP down by doing it myself. What I have done is very simple: I take $_POST, store it in a variable and check to see if it's empty. That check works perfectly; the problem that I am having is how to get it to send the data to another PHP form after the validation using the form action. I found a function, header, to send the user to another page, but I am unfamiliar with sending the data to the other page. This is my first attempt at a form validation, and I think that is an important aspect to becoming a web developer. Please look at my code and give me suggestions.

[php]
<?php
// only handle the request once the form has actually been submitted
if (isset($_POST["Japanese"])) {
    $Japanese = $_POST["Japanese"];
    if (empty($Japanese)) {
        echo 'Japanese Field Box is empty, Please try again';
    } else {
        // right here is where I would like to send the data to my index.php where it looks up the Japanese word and translates it to English.
        // nothing may be echoed before header(): the first byte of output sends the HTTP headers and the redirect is lost
        $data = $_POST["Japanese"];
        // urlencode() keeps non-ASCII characters, "&" and "=" from breaking the query string
        header("Location: index.php?data=" . urlencode($data));
        exit; // stop so nothing else is sent after the redirect
    }
}
?>

Please Click this to look up your Japanese Word

[/php]

Is it at all possible, to some how have another form action send the data after it passes validation. I am unsure on how to achieve this. I hope this is clear.

It should work; I rewrote it a little simpler. You assigned the post variable to two different variables, which you didn't really have to.

[php]<?php
if (empty($_POST['Japanese'])) {
    echo 'Japanese Field Box is empty, Please try again';
} else {
    // right here is where I would like to send the data to my index.php where it looks up the Japanese word and translates it to English.
    // no output before header(), otherwise the browser never receives the redirect
    header('Location: index.php?data=' . urlencode($_POST['Japanese']));
    exit;
}[/php]

To catch this in index.php you have to do
[php]$searchWord = $_GET['data'];[/php]
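As an added example (not code from this thread), here is the validate-then-redirect step written out as a complete test21.php so the pieces above fit together: the field name Japanese and the file names test21.php and index.php come from the thread; handleSubmission is a name chosen here. It returns the decision instead of sending headers directly, so the validation can be exercised without a web server.

```php
<?php
// test21.php (added example, not the thread's own code): validate the POSTed
// word and redirect to index.php with the word in the query string.

// Returns ['error' => message] or ['location' => url] so the decision can be
// inspected without sending any HTTP headers.
function handleSubmission(array $post): array
{
    // trim() so that a field containing only spaces counts as empty
    $word = trim($post['Japanese'] ?? '');
    if ($word === '') {
        return ['error' => 'Japanese Field Box is empty, Please try again'];
    }
    // urlencode() turns multibyte characters and "&", "=", "#" into %XX escapes,
    // so the word can never break the query string or smuggle in extra parameters.
    return ['location' => 'index.php?data=' . urlencode($word)];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $outcome = handleSubmission($_POST);
    if (isset($outcome['location'])) {
        // No echo before this line: the first byte of output sends the headers,
        // after which header() only produces a "headers already sent" warning.
        header('Location: ' . $outcome['location']);
        exit; // stop here so the rest of the page is not generated and sent as well
    }
    // Escape before echoing so user-controlled text cannot inject HTML into the page.
    echo htmlspecialchars($outcome['error'], ENT_QUOTES, 'UTF-8');
}
?>
<form method="post" action="test21.php">
    <input type="text" name="Japanese">
    <button type="submit">Please Click this to look up your Japanese Word</button>
</form>
```

On the receiving side, index.php reads the word back with `$searchWord = $_GET['data'] ?? '';` (PHP has already URL-decoded it) and must pass it through `htmlspecialchars()` before printing it, since anything in the query string is under the visitor's control.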

Thank you again for helping me.

Now, am I exposing myself to an SQL injection like this? Sorry for the newbie question.

That depends on how you handle SQL (you haven't posted any relevant code).

This is my first PHP program that I have ever written, so I am new to the concept of SQL injection. I see the answer written in the URL, so I do believe I am exposing myself to the vicious world of hackers. I must protect my database from them.

[php]
<?php
function myTest(){

    // $username and $password are assumed to be defined elsewhere in this file
    global $username, $password;

    $searchWord = $_GET['data'];

    try{

        $conn = new PDO('mysql:host=Jamal-PC;dbname=japanesewords', $username, $password);
        $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        // quote() escapes the value inside the SQL string
        $sth = $conn->query('SELECT EnglishWord FROM Japanesedefinition WHERE Japaneseword =' . $conn->quote($searchWord));
        $result = $sth->fetch(PDO::FETCH_OBJ);
        // fetch() returns false when no row matched
        $japanese = $result ? $result->EnglishWord : 'not found';
        print_r($japanese);
    }catch(PDOException $e){
        echo 'ERROR: ' . $e->getMessage();
    }
}

?>

Here is the answer

the Definition of the word <?php echo htmlspecialchars($_GET['data']); ?> is <?php myTest(); ?>

[/php]

I also thought about using $_SESSION to avoid the SQL injection.

This is in my test21.php file.
[php]
<?php
// session_start() has to run before $_SESSION is used, on every page that reads or writes it
session_start();
$_SESSION['word'] = $_POST['Japanese'];
[/php]

I then could possibly send this over to my index.php file and avoid the nasty thing of SQL injection. The problem I am having now is that it sees the variable as undefined when I try to access it on my index.php file.

[php]

<?php session_start(); echo "hello " .$_SESSION['word']; ?> worked

[/php]

Will this help to avoid the SQL injection, or am I just really off here? Plus it doesn't work.

No it won't, you are just assigning a value to different variables; it won't do anything against SQL injection.

To get rid of SQLi you should never include any variables in your sql queries, like you’ve done here:
[php]$sth = $conn->query('SELECT EnglishWord FROM Japanesedefinition WHERE Japaneseword =' . $conn->quote($searchWord));[/php]

Read up on the “Use PDO” link in my signature, it explains how to do this properly (hint: parameterized queries / Placeholders)

[php]
header('Location: index.php?data=' . $_POST['Japanese']);
[/php]

Does this explicitly send my data over the URL? After reading that wonderful link on PDO I can add it to a prepared statement, but I still would be sending the request over my URL because of the header method. Or am I totally off base here?

You will be sending it over in the url, yes. It will look something like this:

http://yoursite.com/index.php?data=sumimasen

You could of course use mod_rewrite (if on Apache) and rewrite this URL to something like

http://yoursite.com/translate/sumimasen

If you want the post to go to the other form then I would suggest posting directly to that file, it's just easier.

Wow, you know a bit of Japanese, awesome.

Thank you for all your help.

Can you tell me how long you have been coding PHP? See, I want to get good at PHP and JavaScript and hopefully one day do it for a living.

It just seems very daunting at times. I just ordered a few books on PHP and am looking at tutorials. I thought just making a program would be great, but I think I might have to take a step back. Thoughts?

I would love to know more; sadly I still haven't found the inner strength to really get started. Finished a couple of books (counting, hiragana, katakana, really simple kanji), but it just feels like a monumental task.

I first started playing around with programming 14 years ago (c++, html), not sure how much time I’ve spent with php/js, but it is definitely hundreds of hours. Took all the computer classes in high school, etc. Been working professionally as a web developer / security consultant the last three years. Before that it was on hobby basis only.

Just play around with it, we all have our favorite way of learning, mine is definitely “learning by doing”, you just gotta figure out what works for you :slight_smile:

Hey Jim,

After work I was working on your suggestions on how to prevent SQL injection and I think I understand it. Pretty much, SQL injection can hijack your SQL query and send instructions to your database that could be malicious or nefarious to your database. PDO provides a few methods to help protect you from these types of attacks. I think I might have implemented it correctly. Can you look at my code and tell me if I understood the link you provided correctly?

[php]
<?php
$searchWord = $_GET['data'];

try{

    $conn = new PDO('mysql:host=Jamal-PC;dbname=japanesewords', $username, $password);
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $sth = $conn->prepare("SELECT EnglishWord FROM Japanesedefinition WHERE Japaneseword = :Japaneseword");
    //this part of code is used in a way that tells the database it's a string and not to be interpreted as code, correct?
    $sth->execute(array(":Japaneseword" => $searchWord));
    $result = $sth->fetch(PDO::FETCH_OBJ);
    print_r($result ? $result->EnglishWord : 'not found');
}catch(PDOException $e){
    echo 'ERROR: ' . $e->getMessage();
}
[/php]

Again, thanks so much, and if you ever need any suggestions on learning Japanese I can help. My wife is Japanese so fire away with some questions.

Yeah SQL injection may allow an attacker to:

[ul][li]bypass your authentication/logins[/li]
[li]may be able to write exploit code to the file system (if the db user has access to write sql dumps)[/li]
[li]read your entire database[/li]
[li]write to your database[/li]
[li]delete your data[/li][/ul]

This looks good! As long as you only insert placeholders in the query (never any $variables) then SQL injection can not happen. The array of data sent into the execute function is kept separate from the SQL query and will not be considered as part of the query.

Just fyi this is also perfectly legal, and might be simpler if you have a large number of variables.
[php]$sth = $conn->prepare("SELECT EnglishWord FROM Japanesedefinition WHERE Japaneseword = ?");
$sth->execute(array($searchWord));[/php]

I think I only lack the motivation to really get started / spending the needed time on it. But thank you for the offer :slight_smile:
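As an added example (not code from this thread or from Jim's "Use PDO" link), here is the lookup written twice against an in-memory SQLite database, so it runs without MySQL or credentials: once with the word concatenated into the SQL string and once with the named placeholder from the post above. The table and column names Japanesedefinition, Japaneseword and EnglishWord come from the thread; the rows are constructed, and openDemoDb, lookupConcatenated and lookupPrepared are names chosen here.

```php
<?php
// Added example, not the thread's own code. Builds a throwaway SQLite database
// with constructed rows and runs the same lookup in the two styles discussed.

function openDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE Japanesedefinition (Japaneseword TEXT, EnglishWord TEXT)');
    // constructed sample data
    $insert = $db->prepare('INSERT INTO Japanesedefinition VALUES (?, ?)');
    foreach ([['sumimasen', 'excuse me'], ['arigatou', 'thank you']] as $row) {
        $insert->execute($row);
    }
    return $db;
}

// Injectable form: the user's text is pasted into the SQL text, so the
// database parser sees whatever was typed as part of the query itself.
function lookupConcatenated(PDO $db, string $word): ?string
{
    $sth = $db->query("SELECT EnglishWord FROM Japanesedefinition WHERE Japaneseword = '" . $word . "'");
    $row = $sth->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['EnglishWord'] : null;
}

// Safe form: the query text is fixed and compiled first; the value is sent
// separately with execute() and is only ever compared, never parsed.
function lookupPrepared(PDO $db, string $word): ?string
{
    $sth = $db->prepare('SELECT EnglishWord FROM Japanesedefinition WHERE Japaneseword = :Japaneseword');
    $sth->execute([':Japaneseword' => $word]);
    $row = $sth->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['EnglishWord'] : null;
}

$db = openDemoDb();

// Ordinary input: both versions return the same translation.
var_dump(lookupConcatenated($db, 'sumimasen'));
var_dump(lookupPrepared($db, 'sumimasen'));

// Input containing a single quote, a typo any real visitor could make.
$odd = "sumimasen'";
try {
    var_dump(lookupConcatenated($db, $odd));
} catch (PDOException $e) {
    // The quote closed the SQL string early and the remainder was parsed as SQL:
    // evidence that the typed text reaches the query parser.
    echo 'concatenated query failed: ' . $e->getMessage() . PHP_EOL;
}
// The prepared statement just compares the literal text and reports no match.
var_dump(lookupPrepared($db, $odd));
```

Run it with `php` on the command line (pdo_sqlite is needed). The concatenated version throws on the input with the stray quote because the database could not tell data from SQL, while the prepared version returns null; that difference is the whole point of the "only placeholders in the query" rule above, and the `?` positional form from the post works exactly the same way.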
