
Associative array for form sanitising/checking for empty values

I have managed to successfully set up my own PHP/MySQL login system but would like to refine the registration process. Basically, I want all values submitted to be checked for empty values (and return an error if true) but also I want to have them sanitised at some point too. My code is below, just for the registration process - I've omitted everything else but this should be all anyone needs to reference.

<?php session_start();
include "connect.php";

$reg = array(
"regEmail" => filter_var($_POST["email"], FILTER_SANITIZE_EMAIL),
"regForename" => filter_var($_POST["forename"], FILTER_SANITIZE_SPECIAL_CHARS),
"regSurname" => filter_var($_POST["surname"], FILTER_SANITIZE_SPECIAL_CHARS),
"regPassword" => filter_var($_POST["password"], FILTER_SANITIZE_SPECIAL_CHARS),
);

foreach($reg as $value) {
    if (empty($value)) {
        header("location: error.php");
    }
    else {
        // Each value needs its own pair of quotes; braces are required to interpolate array elements
        $regUser = "INSERT INTO users (email,password,forename,surname) VALUES ('{$reg['regEmail']}', '{$reg['regPassword']}', '{$reg['regForename']}', '{$reg['regSurname']}')";
        if (isset($_POST["submit"])) {
            if (mysqli_query($MySQL,$regUser)) {
                header("location: registration-confirmation.php");
            }
            else {
                header("location: error.php");
            }
        }
        $MySQL->close();
    }
}
?>

Can anyone assist with this? I can use some simple if/else conditions for each piece of form data but this seems a bit cumbersome and not very efficient.

I fully expect to be told that my code is a disaster but what's more important to me as a beginner is that I'm thinking in the right logical mind-set.

I am a beginner so just trying to learn as much as possible!

Thanks for looking.

Personally, I do just what you say. I have an if statement for each field, and add to an $errors array if there are any errors. If there are any errors, display them to the user.

        (!is_numeric($adjustmentInputs[$i]['StartYear']) ? $errors['adjustmentInputs']="Start Year must be a numeric value. Please return to the input page and input only numbers and decimal points." : '');
<?php
$db = new PDO('mysql:host=localhost;dbname=testdb;charset=utf8', 'username', 'password');

$data = array(
    'email'    => $_POST["email"],
    'forename' => $_POST["forename"],
    'surname'  => $_POST["surname"],
    'password' => $_POST["password"],
);

$errors = array();
foreach ($data as $key => $value) {
    if (empty($value)) {
        // Creates an array of the missing values so you can let the user know which
        // fields they have missed out
        $errors[] = $key;
    }
}

// Check once, after every field has been looked at, so all missing fields are reported together
if (!empty($errors)) {
    exit('You have missed the following fields: ' . implode(', ', $errors));
}

$stmt = $db->prepare("
    INSERT INTO users (email, password, forename, surname)
    VALUES (:email, :password, :forename, :surname)
");

$stmt->bindValue(':email', $data['email'], PDO::PARAM_STR);
$stmt->bindValue(':password', $data['password'], PDO::PARAM_STR);
$stmt->bindValue(':forename', $data['forename'], PDO::PARAM_STR);
$stmt->bindValue(':surname', $data['surname'], PDO::PARAM_STR);

if (true === $stmt->execute()) {
    header("location: registration-confirmation.php");
} else {
    header("location: error.php");
}
exit;

Something like this would probably work (I haven't tested it). You really need to look at hashing your passwords, saving them as plain-text is really not a good idea.

Also you might want to look at better error handling. It's easier to debug if you know why a query failed rather than redirecting to a generic error page.
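The following is an added example, not code from the question or the answer above, that puts the three points of the answer together: a per-field validation pass that collects every error before deciding, `password_hash()` instead of plain-text storage, and PDO in exception mode so a failed query reports its cause instead of silently redirecting. It uses an in-memory SQLite database and constructed sample submissions so it runs offline; the `validateRegistration`/`registerUser` function names, the `users` table layout and the 8-character minimum password length are assumptions for the example, not anything from the page.

```php
<?php
// Added example (not from the question or answer): collect-all-errors validation,
// hashed password storage and prepared statements with PDO exceptions enabled.
declare(strict_types=1);

/**
 * Validate a registration form. Returns error messages keyed by field name;
 * an empty array means the submission is acceptable.
 */
function validateRegistration(array $input): array
{
    $errors = [];
    // Every field is required; trim so whitespace-only input counts as missing.
    foreach (['email', 'forename', 'surname', 'password'] as $field) {
        if (trim((string)($input[$field] ?? '')) === '') {
            $errors[$field] = "The {$field} field is required.";
        }
    }
    // Format checks only run when the field was actually supplied.
    if (!isset($errors['email']) && filter_var($input['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Please enter a valid e-mail address.';
    }
    if (!isset($errors['password']) && strlen($input['password']) < 8) { // 8 is an assumed policy
        $errors['password'] = 'Password must be at least 8 characters long.';
    }
    return $errors;
}

/**
 * Insert a user. The password is stored as a password_hash() digest, and the
 * query uses bound parameters so form input is never concatenated into SQL.
 */
function registerUser(PDO $db, array $input): int
{
    $stmt = $db->prepare(
        'INSERT INTO users (email, password, forename, surname)
         VALUES (:email, :password, :forename, :surname)'
    );
    $stmt->bindValue(':email', $input['email'], PDO::PARAM_STR);
    $stmt->bindValue(':password', password_hash($input['password'], PASSWORD_DEFAULT), PDO::PARAM_STR);
    $stmt->bindValue(':forename', $input['forename'], PDO::PARAM_STR);
    $stmt->bindValue(':surname', $input['surname'], PDO::PARAM_STR);
    $stmt->execute();
    return (int)$db->lastInsertId();
}

// --- demo: constructed in-memory database standing in for the MySQL one ---
$db = new PDO('sqlite::memory:');
// Throw on SQL errors so the real cause reaches the server log rather than
// being swallowed by a redirect to a generic error page.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    email TEXT NOT NULL UNIQUE,
    password TEXT NOT NULL,
    forename TEXT NOT NULL,
    surname TEXT NOT NULL
)');

// Constructed sample submissions standing in for $_POST: one with several
// problems, one valid, and a duplicate that trips the UNIQUE constraint.
$submissions = [
    ['email' => 'not-an-email', 'forename' => 'Ann', 'surname' => '', 'password' => 'short'],
    ['email' => 'ann@example.com', 'forename' => 'Ann', 'surname' => 'Lee', 'password' => 'correct horse battery'],
    ['email' => 'ann@example.com', 'forename' => 'Ann', 'surname' => 'Lee', 'password' => 'correct horse battery'],
];

foreach ($submissions as $post) {
    $errors = validateRegistration($post);
    if ($errors !== []) {
        // A real handler would re-render the form with these messages next to the fields.
        echo 'Rejected: ' . implode(' ', $errors) . PHP_EOL;
        continue;
    }
    try {
        $id = registerUser($db, $post);
        echo "Registered user #{$id}" . PHP_EOL;
        // A real handler would now: header('Location: registration-confirmation.php'); exit;
    } catch (PDOException $e) {
        // Log the specific cause server-side; show the user only a generic message.
        error_log('Registration failed: ' . $e->getMessage());
        echo 'Registration failed (see server log)' . PHP_EOL;
    }
}

// At login time, password_verify() checks a candidate against the stored hash.
$lookup = $db->prepare('SELECT password FROM users WHERE email = :email');
$lookup->bindValue(':email', 'ann@example.com', PDO::PARAM_STR);
$lookup->execute();
$row = $lookup->fetch(PDO::FETCH_ASSOC);
var_dump(password_verify('correct horse battery', $row['password']));
```

Validation and storage are kept in separate functions so the error-collecting loop can be unit-tested without a database, and the table is created with a UNIQUE constraint on email so the third submission shows what PDO::ERRMODE_EXCEPTION buys you: the duplicate-key failure arrives as a PDOException carrying the driver's message instead of a bare `false` from `execute()`.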
