server side validation

Question

Hi I have created a reg.php. I need to include the server validation using php. I have written the code and dissabled the java script in my browser. But it is showing "you have successfully registered even if i dont give any field.this is my code

<?php
$hostname   = "xxxx";
$username   = "xxx";
$password   = "xxx";
$dbName     =  "xxx";
$conn    =  mysql_connect($hostname,$username,$password) or die(mysql_error());
mysql_select_db($dbName);
if(isset($_POST["submit"]))
{
$username=$_POST['usr'];
$address1=$_POST['addr1']; 
$address2=$_POST['addr2'];
$password=$_POST['pswd'];
$email=$_POST['email'];
$errormsg;
if($_POST['usr']=="")
 {
   $errormsg='enter the name S';
echo $errormsg;
 }
elseif(trim($address1)=="")
 {
   $errormsg="entre the address1 S";
  } 
elseif(trim($address2)=="")
 {
   $errormsg="entre the address2 S";
  } 
elseif(trim($password)=="")
 {
   $errormsg="entre the password S";
  } 
elseif(trim($email)=="")
{
   $errormessage="enter the email S";
}

mysql_query("INSERT INTO `xxx` ( `id` , `Name` , `Address1` , `Address2` , `password` , `email` )
VALUES (
'', '$username', '$address1', '$address2', '$password', '$email'
)")or die(mysql_error()); ;
echo "you have successfully registered ";
}
?>

<html>

<head>

<script type="text/javascript">

function fun()
  {
        valid=true;

        if(document.reg1.usr.value =="")
          {

              alert("fill the name");
               valid=false;
          }
       if(document.reg1.addr1.value =="")
          {

              alert("fill the address");
               valid=false;
          }
      if(document.reg1.addr2.value =="")
          {

              alert("fill the address2");
               valid=false;
          }
     if(document.reg1.pswd.value =="")
          {

              alert("fill the password");
               valid=false;
          }
     if(document.reg1.email.value =="")
          {

              alert("fill the email id");
               valid=false;
          }
     return valid;
   }



</script>
</head>
<body>
    <form name="reg1" action="try.php"  method="post">
     <table border="0" cellpadding="2" cellspacing="2" width="1000" align="centre">
     <tr>
     <th>Registration form</th></tr>

     <tr><TD align="left">username<TD/>
     <TD><input type="text" name= "usr"></TD></tr>
     <tr>

     <td align="left">address1<td/>
     <td><input type="text" name="addr1"></td>
     </tr>
     <td align="left" width="15%">address2<td/>
     <td><input type="text" name=addr2></td></tr>
     <tr>
     <td align="left">password<td/>
     <td><input type="password" name="pswd"></td>
     </tr>
     <tr>
     <td align="left">emailaddress<td/>
     <td><input type="text" name="email"></td>
     </tr>
     <tr>
     <tr><TD></TD>
     <td><input type="submit" name="submit" value="submit" onclick="return fun();"></td></tr>
     </table>
    </form>


</body>
</html>

can anyone help plz?????

Answer 1

You need to separate everything after the validation if ends to a different part of the script.

if (empty($errormsg)) 
{
    mysql_query("INSERT INTO `xxx` ( `id` , `Name` , `Address1` , `Address2` , `password` , `email` )
    VALUES (
    '', '$username', '$address1', '$address2', '$password', '$email'
    )")or die(mysql_error()); ;
    echo "you have successfully registered ";
}

Other tips:

• you should keep error messages in an array, and display them in a list
• you could use a different scripts for success message

Answer 2

You need to end the script if any oft the if conditions fail.

the way it is now will show an error, but continue to the query part.

you could put an else {} around the query part to solve this.

Answer 3

Your insert code runs regardless of if an error message is set. you can add

if (empty($errormessage)) {


mysql_query...


}

Answer 4

Well, you have to put your

mysql_query("INSERT INTO `xxx` ( `id` , `Name` , `Address1` , `Address2` , `password`     ,`email` )
VALUES (
'', '$username', '$address1', '$address2', '$password', '$email'
)")or die(mysql_error()); ;

in a else statement after the last elseif:

[...]
elseif(trim($email)=="")
{
   $errormessage="enter the email S";
}
else
{
    mysql_query("INSERT INTO `xxx` ( `id` , `Name` , `Address1` , `Address2` , `password` , `email` )
    VALUES (
    '', '$username', '$address1', '$address2', '$password', '$email'
    )")or die(mysql_error()); ;
    echo "you have successfully registered ";
}