
I'm new to PHP and I'm trying some form validation. I have the following code:

I submit a form and submit the data to an SQL statement if it passes validation. If the form is valid, it redirects to an external success page.

What I can't do is get the original post variables onto the success page. How could I do this please? My code is below:

PHP:

<?php

// $conn is the database connection; it is opened elsewhere and is not shown in the question.
$firstnameErr = $emailErr = $lastnameErr = $gradeErr = $roleErr = "";
$firstname = $email = $lastname = $grade = $role = "";

if ($_SERVER["REQUEST_METHOD"] == "POST") {
    if (empty($_POST["firstname"])) {
        $firstnameErr = "First name is required";
    } else {
        $firstname = user_input($_POST["firstname"]);
    }

    if (empty($_POST["lastname"])) {
        $lastnameErr = "Last name is required";
    } else {
        $lastname = user_input($_POST["lastname"]);
    }

    if (empty($_POST["email"])) {
        $emailErr = "Email is required";
    } else {
        $email = user_input($_POST["email"]);
    }

    if (empty($_POST["grade"])) {
        $gradeErr = "Grade is required";
    } else {
        $grade = user_input($_POST["grade"]);
    }

    if (empty($_POST["role"])) {
        $roleErr = "Role is required";
    } else {
        $role = user_input($_POST["role"]);
    }

    if($firstnameErr == '' && $emailErr == '' && $lastnameErr == '' && $gradeErr == '' && $roleErr == ''){

        // The values are interpolated straight into the SQL text here; the second answer
        // below replaces this with placeholders and bound parameters.
        $stmt = $conn->prepare("INSERT INTO `Tom`.`staff_details` (`first_name`, `surname`, `role`, `grade`,`email`) VALUES ('$firstname', '$lastname','$role', '$grade','$email');");
        $stmt->execute();
        // Nothing may have been sent to the browser before this header() call.
        header('Location: staff_added.php');
        exit();
    }

}

// Trim, strip backslashes and HTML-encode a submitted value
function user_input($data) {
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}

?>

HTML:

<form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>" method="post">
    <fieldset>
        <p><span class="error">* required field</span></p>
        <label>First name:</label><input type="text" name="firstname" />
        <span class="error">* <?php echo $firstnameErr;?></span><br>
        <label>Last name:</label><input type="text" name="lastname" />
        <span class="error">* <?php echo $lastnameErr;?></span><br>
        <label>Role:</label><input type="text" name="role" />
        <span class="error">* <?php echo $roleErr;?></span><br>
        <label>Grade:</label><input type="text" name="grade" />
        <span class="error">* <?php echo $gradeErr;?></span><br>
        <label>Email:</label><input type="text" name="email" />
        <span class="error">* <?php echo $emailErr;?></span><br><br>
        <input class="standard_submit" type="submit" value="Save" id="submit_search_button">
    </fieldset>

</form>

I would like those variables to move across to the staff_added.php page so that I can print them back to the user. I've done some reading on this, but so far it's not making much sense.

Any help would be appreciated.

Thank you

  • You need to either store some of the info in a session, or store the users ID and load the data from your db on the success page. - There are multiple ways of doing it, these are just a couple of them. Commented Jun 19, 2017 at 9:21
  • 1
    You are entirely missing the point of prepared statements by directly embedding variables in the sql statement rather than using placeholders to which you would bind the variables Commented Jun 19, 2017 at 9:23
  • I see those user_input() functions a lot of places, and like it is here, it's somewhat misunderstood and misused. Commented Jun 19, 2017 at 9:25
  • I've seen an online example within W3schools to get me started but the explanation there is pretty vague. The prepared statements will come next when I start refactoring with more understanding, I'm just going one step at a time. Commented Jun 19, 2017 at 9:27

2 Answers


You can store the variables in the SESSION, and then they will be available from everywhere:

<?php
session_start();   // must run before any output, on every page that reads or writes $_SESSION
//other code...
$_SESSION["role"] = $role;   // readable as $_SESSION["role"] on staff_added.php after its own session_start()
//other code...
?>

3 Comments

Would I need to declare the end of the session in the confirmation page?
You should use session_destroy(); in your case I think you shouldn't call it in your page, read here
You could use $_SESSION[ 'formdata' ]=$_POST and then access the elements using $_SESSION[ 'formdata' ]['role'] etc rather than individual session variables
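The session hand-off described in this answer and its comments, written out as both pages. This is an added example, not code from the question or the answers; it assumes PHP 7.4+, that the INSERT is done separately by a prepared statement, and that the handler file is called staff_form.php (a constructed name).

```php
<?php
// staff_form.php -- the POST handler (constructed file name).
session_start();   // before any output, on every page that touches $_SESSION

$fields = ['firstname', 'lastname', 'role', 'grade', 'email'];
$clean  = [];
$errors = [];

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    foreach ($fields as $f) {
        $value = trim($_POST[$f] ?? '');
        if ($value === '') {
            $errors[$f] = ucfirst($f) . ' is required';
        } else {
            $clean[$f] = $value;   // keep the raw text; HTML-escape only when echoing it
        }
    }
    if (!isset($errors['email']) && !filter_var($clean['email'], FILTER_VALIDATE_EMAIL)) {
        $errors['email'] = 'Email is not valid';
    }
    if (!$errors) {
        // ... prepared-statement INSERT of $clean goes here ...
        $_SESSION['formdata'] = $clean;   // one array, as the last comment above suggests
        header('Location: staff_added.php');
        exit;
    }
}
// (the form, with $errors printed next to each field, is rendered below this point)

// ---------------- staff_added.php -- the success page ----------------
session_start();
$data = $_SESSION['formdata'] ?? null;
unset($_SESSION['formdata']);   // show it once; a refresh or bookmark will not replay it
if ($data === null) {
    header('Location: staff_form.php');   // arrived here without submitting: nothing to show
    exit;
}
$h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
?>
<p>Added <?= $h($data['firstname'] . ' ' . $data['lastname']) ?>,
   <?= $h($data['role']) ?> (grade <?= $h($data['grade']) ?>), <?= $h($data['email']) ?>.</p>
```

Escaping at output time with the `$h` helper is what keeps the echoed values safe in the page; storing them unescaped means the database holds what the user actually typed.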

Using prepared statements you should be looking at an approach like this perhaps rather than directly embedding variables in the sql.

<?php
    // Assumes $conn is a mysqli connection (see the follow-up comments: with PDO the
    // method is bindParam()/bindValue() instead of bind_param()).
    function user_input($data) {
        $data = trim($data);
        $data = stripslashes($data);
        $data = htmlspecialchars($data);
        return $data;
    }
    $firstname = $email = $lastname = $grade = $role = false;

    if( $_SERVER["REQUEST_METHOD"] == "POST" ) {
        $errors=array();

        if( empty($_POST["firstname"])) $errors[] = "First name is required";
        else $firstname = user_input( $_POST["firstname"] );

        if( empty($_POST["lastname"])) $errors[] = "Last name is required";
        else $lastname = user_input($_POST["lastname"]);

        if( empty($_POST["email"])) $errors[] = "Email is required";
        else $email = user_input($_POST["email"]);

        if( empty($_POST["grade"]) ) $errors[] = "Grade is required";
        else $grade = user_input($_POST["grade"]);

        if( empty($_POST["role"])) $errors[] = "Role is required";
        else $role = user_input( $_POST["role"] );

        if( empty( $errors ) ){
            // Placeholders in the SQL text; the values are bound separately below
            $stmt = $conn->prepare("INSERT INTO `Tom`.`staff_details` (`first_name`, `surname`, `role`, `grade`,`email`) VALUES (?,?,?,?,?);");
            if( $stmt ){
                // 'sssss' = five string parameters, in the same order as the placeholders
                $stmt->bind_param('sssss',$firstname,$lastname,$role,$grade,$email);
                $stmt->execute();

                header( 'Location: staff_added.php' );
                exit();
            } else { echo 'statement failed'; }

        } else {
            foreach( $errors as $error )echo $error . '<br />';
        }

    }
?>

3 Comments

I'm getting an error when applying this code. My connection uses PDO and it tells me that bind_params is an undefined method for PDO
I found bindParam, which worked. Thanks for the help with prepared statements
Sorry - my mistake ~ I thought you were using mysqli rather than PDO
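The same INSERT rewritten for PDO, which the follow-up comments say is the driver actually in use. This is an added example, not the answer's code; it assumes `$conn` is a PDO instance created elsewhere with `PDO::ATTR_ERRMODE` set to `PDO::ERRMODE_EXCEPTION`, that the fields have already passed the required-field checks, and that `insert_staff` is a constructed helper name.

```php
<?php
session_start();   // before any output; the success page will read $_SESSION

function insert_staff(PDO $conn, array $row): int
{
    // Named placeholders: the values travel separately from the SQL text, so quotes,
    // semicolons or comment markers in the input can never alter the statement.
    $sql = 'INSERT INTO `Tom`.`staff_details` (`first_name`, `surname`, `role`, `grade`, `email`)
            VALUES (:first_name, :surname, :role, :grade, :email)';
    $stmt = $conn->prepare($sql);
    // bindValue() copies the value now; bindParam() (which the asker used) binds a variable
    // by reference and reads it at execute() time. Either works here.
    $stmt->bindValue(':first_name', $row['firstname'], PDO::PARAM_STR);
    $stmt->bindValue(':surname',    $row['lastname'],  PDO::PARAM_STR);
    $stmt->bindValue(':role',       $row['role'],      PDO::PARAM_STR);
    $stmt->bindValue(':grade',      $row['grade'],     PDO::PARAM_STR);
    $stmt->bindValue(':email',      $row['email'],     PDO::PARAM_STR);
    $stmt->execute();
    return (int) $conn->lastInsertId();
}

// Store the text as the user typed it (after trim); do not run htmlspecialchars() first,
// or "O'Brien" ends up in the table as "O&#039;Brien". Escape when you echo it instead.
$row = [
    'firstname' => trim($_POST['firstname'] ?? ''),
    'lastname'  => trim($_POST['lastname']  ?? ''),
    'role'      => trim($_POST['role']      ?? ''),
    'grade'     => trim($_POST['grade']     ?? ''),
    'email'     => trim($_POST['email']     ?? ''),
];

try {
    $id = insert_staff($conn, $row);
    $_SESSION['staff_id'] = $id;           // the success page can SELECT the row by id
    header('Location: staff_added.php');   // instead of carrying every field in the session
    exit;
} catch (PDOException $e) {
    error_log($e->getMessage());   // keep driver and schema details in the log, not on the page
    echo 'Could not save the record.';
}
```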
