php form and validation - form values being returned as empty

Question

I hope someone can shed some light on this issue. I have created a registration form that submits to a second page for validation. there are various checks to catch errors and unwanted user input and is failing on checking for empty fields.. even if all the fields have data in them, it is still being returned as empty

here is my form - note it does include a hidden field to which it was suggested to use a /> instead of the usual > tag - either way makes no difference

<form id="registersocial" class="SRF" name="registersocial" action="php.includes/rasocial.inc.php" method="POST">

    <div id="formheaders"><strong>Personal Details</strong></div>
    <br/>
    <fieldset>
        <lable><strong>First Name</strong><br/>
                <input type="text" name="firstname" id="firstname" class="SRF" onKeyup="restrict('firstname')" placeholder="First Name" >
                <span id="Errmsg-first"></span>
            </lable>
            <br/>
            <lable><strong>Last Name</strong><br/>
                <input type="text" name="lastname" id="lastname" class="SRF" onKeyup="restrict('lastname')" placeholder="Last Name" >
                <span id="Errmsg-last"></span>
            </lable>
            <br/>
        </fieldset>
        <fieldset>
            <lable><strong>Date of Birth</strong><br/>
                <select name="birthmonth" id="birthmonth" class="SRF">
                    <?php require("php.includes/month.inc.php"); ?>
                </select> 
                <span id="Errmsg-mob"></span>

                <input type="text" name="birthday" id="birthday" class="SRF" maxlength="2" placeholder="Day">
                <span id="Errmsg-dob"></span>

                <input type="text" name="birthyear" id="birthyear" class="SRF" maxlength="4" placeholder="Year">
                <span id="Errmsg-yob"></span>
            </lable>
            <br/>
        </fieldset>
        <fieldset>
            <lable><strong>Location</strong><br/>
                <select name="country" id="country">
                    <?php require("php.includes/countrylist.php"); ?>
                </select>
                <span id="Errmsg-country"></span>
            </lable>
            <br/>
    </fieldset>

    <hr class="SRF">

    <div id="formheaders"><strong >Account Information</strong></div>
    <br/>
    <fieldset>

                <input type="hidden" name="accounttype" id="accounttype" class="SRF" value="Social"/>

            <lable><strong>Create a Username</strong><br/>
                <input type="text" name="username" id="username" class="SRF" onKeyup="restrict('username')" onblur="checkusername()" placeholder="Username" >
                <span id="Errmsg-username"></span>
            </lable>
            <br/>
            <lable><strong>Your Current Email</strong><br/>
                <input type="email" name="email" id="email" class="SRF" onKeyup="restrict('email')" placeholder="Your Email" >
                <span id="Errmsg-email"></span>
            </lable>
            <br/>
            <lable><strong>Create a Password</strong><br/>
                <input type="password" name="pwd" id="pwd" class="SRF" placeholder="Password" >
                <span id="Errmsg-password"></span>
            </lable>
            <br/>
            <br/>
            <input type="submit" id="submit" name="submit" value="submit">

        </fieldset>
        <br/>
        <span id="status"></span>
        <br/>

</form>

below is the file that gets the posted data and runs through validation file name is rasocial.inc.php - again my issue is that upon completing the form, I am getting a empty error in the url - I am sure it is simple but cannot see it for the life of me

<?php
if(isset($_POST['submit']) && !empty($_POST['submit'])) {
include_once("ctb.inc.php");
$fn = mysqli_real_escape_string($pdo, $_POST['firstname']);
$ln = mysqli_real_escape_string($pdo, $_POST['lastname']);
$bm = mysqli_real_escape_string($pdo, $_POST['birthmonth']);
$bd = mysqli_real_escape_string($pdo, $_POST['birthday']);
$by = mysqli_real_escape_string($pdo, $_POST['birthyear']);
$co = mysqli_real_escape_string($pdo, $_POST['country']);
$at = mysqli_real_escape_string($pdo, $_POST['accounttype']);
$un = mysqli_real_escape_string($pdo, $_POST['username']);
$em = mysqli_real_escape_string($pdo, $_POST['email']);
$pwd = mysqli_real_escape_string($pdo, $_POST['pwd']);
var_dump($fn, $ln, $bm, $bd, $by, $co, $at, $un, $em, $pwd);
//Error Handlers
//Check for empty fields
if (empty($fn) || empty($ln) || empty($bm) || empty($bd) || empty($by) || empty($co) || empty($at) || empty($un) || empty($em) || empty($pwd)) {
    header("Location: ../registersocial.php?registersocial=empty");
    exit();
} else {
    //Check firstname and lastname for valid chars
    if (!preg_match("/^[a-zA-Z]*$/", $fn) || !preg_match("/^[a-zA-Z]*$/", $ln)) {
        header("Location: ../registersocial.php?registersocial=invalidcharacters");
        exit();
    } else {
        //Check birth month has been selected
        if ($_POST['birthmonth'] == '0') {
                header("Location: ../registersocial.php?registersocial=birthmonth");
                exit();
            } else {
            //Check birth day is numbers only
            if (!preg_match("/^[0-9]*$/", $bd)) {
                        header("Location: ../registersocial.php?registersocial=birthday");
                        exit();
            } else {
                //Check the birth day length is 2 characters
                if (strlen($bd) != 2 ) {
                                header("Location: ../registersocial.php?registersocial=birthdaylength");
                                exit();
                } else {
                    //Check birth year is numbers only
                    if (!preg_match("/^[0-9]*$/", $by)) {
                                        header("Location: ../registersocial.php?registersocial=birthyear");
                                        exit();
                    } else {
                        //Check birth year is 4 characters
                        if (strlen($by) != 4 ) {
                                                header("Location: ../registersocial.php?registersocial=birthyearlength");
                                                exit();
                        } else {
                            //Check country has been selected
                            if ($_POST['country'] == '0') {
                                                    header("Location: ../registersocial.php?registersocial=country");
                                                    exit();
                            } else {
                                //Check if accounttype has been modified
                                if (!preg_match("/^[a-zA-Z]*$/", $at) || $_POST['accounttype'] != 'Social') {
                                    header("Location: ../registersocial.php?registersocial=accounttype");
                                    exit();
                                } else {
                                    //Check username isnt taken
                                    if (!preg_match("/^[a-zA-Z0-9]*$", $un)) {
                                        header("Location: ../registersocial.php?registersocial=invalidusername");
                                        exit();
                                    } else {
                                        //Check username is not taken in db
                                        $stmt = $pdo->prepare('SELECT * FROM sh_userdata WHERE username =?');
                                        $stmt->execute($un);
                                        $usernamecheck = $stmt->fetch();
                                        if ($usernamecheck > 0 ) {
                                            header("Location: ../registersocial.php?registersocial=usernametaken");
                                            exit();
                                        } else {
                                            //Check email is valid
                                            if (!filter_var($em, FILTER_VALIDATE_EMAIL) ) {
                                                header("Location: ../registersocial.php?registersocial=invalidemail");
                                                exit();
                                            } else {
                                                //Check if email exists in db
                                                $stmt = $pdo->prepare('SELECT * FROM sh_userdata WHERE email =?');
                                                $stmt->execute($em);
                                                $emailcheck = $stmt->fetch();
                                                if ($emailcheck > 0 ) {
                                                    header("Location: ../registersocial.php?registersocial=emailtaken");
                                                    exit();
                                                    //add dob fields to make date of birth
                                                    $dob = new DateTime($by.'-'.$bm.'-'.$bd);
                                                    $dob->format('Y-m-d');
                                                    //hash password
                                                    $hashedpwd = password_hash($pwd, PASSWORD_DEFAULT);
                                                    //insert user into db
                                                    $stmt = $pdo->prepare("INSERT INTO sh_userdata (username, email, password, accounttype, signupdate, lastlogindate) VALUES (?,?,?,?,NOW(),NOW())");
                                                    $stmt->execute(array("$un","$em","$hashedpwd","$at"));
                                                    header("Location: ../registersocial.php?registersocial=sucess");
                                                    exit();
                                                } 
                                            }
                                        }
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}   
} else {
header("Location: ../registersocial.php?registersocial=nopost");
exit();
}

any help or suggestions would be really appreciated

What is the output of this line: `var_dump($fn, $ln, $bm, $bd, $by, $co, $at, $un, $em, $pwd);`? — Felippe Duarte, Jan 19 '18 at 19:03
Wow. You don't need so many nested statements, just check & exit at the same level without extra `else` which is redundant. — user1597430, Jan 19 '18 at 19:04
I get no output at all, its like the form was never filled in — mike, Jan 19 '18 at 19:04
Your variables might contain whitespace of some sort. Try `empty(trim($variable))` — Jay Blanchard, Jan 19 '18 at 19:06
Why are you calling `mysqli_real_escape_string()` if you're using PDO? — Barmar, Jan 19 '18 at 19:06
`$pdo` why is that called "pdo" here? are you connecting with that api? — Funk Forty Niner, Jan 19 '18 at 19:06
I was using mysqli before but was told prepared statements were the way to go, although I do find pdo a little limiting. would you suggest taking out the real_escape_string or submit it for PDO::quote() function? — mike, Jan 19 '18 at 19:11
btw, the word is "label" and not "lable" for your tags, so those won't work. It's not like a "table". — Funk Forty Niner, Jan 19 '18 at 19:12
you didn't answer the question: which api are you using to connect with, mysqli or pdo? — Funk Forty Niner, Jan 19 '18 at 19:13
@FunkFortyNiner lol I actually just blushed ... label tags fixed and using pdo to connect — mike, Jan 19 '18 at 19:16
solved! thanks to @barmar and FunkFortyNiner for pointing out the obvious — mike, Jan 19 '18 at 20:14
@mike Use prepared statements, don't substitute strings. Both mysqli and PDO have them, although they're easier to use in PDO. — Barmar, Jan 19 '18 at 20:31

php form and validation - form values being returned as empty

0 Answers0