inserting data into mysql database using php

Backend | Unresolved | 7 | 604
生来不讨喜 2020-12-22 01:24

I have a php order form named (order.php) and when the user clicks the (submit button "Next Step") it takes him to another page called (confirm-order.php)

The (con

Related tags:
7 answers
  • 2020-12-22 01:58

    There are two specific things I can contribute.

    First, isset tests for null... which is different from empty. If you have a form field that is submitted empty, then set a local variable to that posted value, then test it with isset; isset will return true because the value exists, which is different from the variable not having been registered in the page load at all.

    Second... ANYTHING can post to your form (think evil autonomous Korean hacker bots). Also, there are many ways a form can get submitted without having activated the submit button itself so there is no guarantee you will even see a submit key in your $_POST vars. What you need to define in your processing script is a "default action". What I mean by that is a very basic and SAFE behavior (like redirecting to a 'something is wrong' page) that kicks off by default such that the only way around it is to submit a correct form with all anticipated values correctly set.

    If you do this, you can ignore the value of the submit button itself and instead focus on the contents of the POST. Did I receive everything I expected to receive? Was it all in the correct format? Was the user authenticated correctly? Only after all these questions have been tested to your satisfaction would you switch from the default behavior to a form processing behavior in which the posted data can be inserted into your database.

    Example using your 3-page structure (reference: filter vars):

    Page 1:

    <form action="./page2" method="POST">
    <input type="text" value="1234" name="numericValue" />
    <input type="text" value="dummytext" name="stringValue" />
    <input type="submit" value="submit" name="submit" />
    </form>
    

    Page 2:

    <?php
    session_start(); // must run before $_SESSION is touched

    $args = array('numericValue' => FILTER_VALIDATE_INT
                 ,'stringValue' => FILTER_SANITIZE_STRING); // deprecated since PHP 8.1; validate with an allow-list instead

    $clean_data = filter_input_array(INPUT_POST, $args);

    // A missing field comes back as null and an invalid one as false,
    // so checking is_array() alone is not enough: reject both cases.
    if (is_array($clean_data)
        && !in_array(null, $clean_data, true)
        && !in_array(false, $clean_data, true))
    {
      $_SESSION["saved_clean_data"] = $clean_data;
    }
    else
    {
      header('Location: /something-wrong-page'); // placeholder: your "something is wrong" page
      die();
    }
    ?>
    <form action="./page3" method="POST">
    <input type="submit" name="submit" value="No" />
    <input type="submit" name="submit" value="Yes" />
    </form>
    

    Page 3:

    <?php
    session_start(); // needed to read the data saved on page 2

    // The submit key may be absent entirely, so read it with a default
    // instead of assuming it was posted.
    if (($_POST["submit"] ?? "") === "Yes" && isset($_SESSION["saved_clean_data"]))
    {
       $cleanNum = $_SESSION["saved_clean_data"]["numericValue"];
       $cleanStr = $_SESSION["saved_clean_data"]["stringValue"];
       // DB insert Query, use advice from michi about PDO
       // parameterize your queries to help prevent sql injection
    }
    else
    {
      header('Location: /somewhere-for-declined-submits'); // placeholder: page for declined submits
      die();
    }
    ?>
    
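A worked version of the processing step the answer describes, added here as an example rather than code from the answer above: the "default action" is a rejection, every expected field is validated against an allow-list (missing = null, invalid = false are both refused), the session must already be authenticated, and the insert goes through a PDO prepared statement. The `orders` table, its columns, the `$_SESSION['user_id']` key, the DSN/credentials and the redirect targets are all assumptions.

```php
<?php
// Added example, not the answerer's code. Assumptions: an `orders` table with
// columns `amount` (INT) and `note` (VARCHAR(200)), a session key `user_id` set
// at login, and the placeholder DSN/credentials and redirect paths below.
declare(strict_types=1);
session_start();

// Default action: any request that is not completely valid ends up here.
function reject(string $reason): void
{
    error_log('order form rejected: ' . $reason);   // detail stays server-side
    header('Location: /something-wrong-page');       // placeholder error page
    exit;
}

// Validate, do not sanitize: one allow-list rule per expected field. A missing
// field comes back as null and an invalid one as false, so each key is checked.
$rules = [
    'numericValue' => ['filter'  => FILTER_VALIDATE_INT,
                       'options' => ['min_range' => 1, 'max_range' => 1000000]],
    'stringValue'  => ['filter'  => FILTER_VALIDATE_REGEXP,
                       'options' => ['regexp' => '/^[\p{L}\p{N} .,\'-]{1,200}$/u']],
    'submit'       => ['filter'  => FILTER_VALIDATE_REGEXP,
                       'options' => ['regexp' => '/^Yes$/']],
];
$clean = filter_input_array(INPUT_POST, $rules);
if (!is_array($clean)) {
    reject('no POST data');
}
foreach (array_keys($rules) as $field) {
    if (!isset($clean[$field]) || $clean[$field] === false) {
        reject("field '$field' missing or invalid");
    }
}
// Only an authenticated session may reach the insert (assumed session key).
if (!isset($_SESSION['user_id'])) {
    reject('not authenticated');
}

// Parameterized insert: the values travel separately from the SQL text.
$pdo = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares, no client-side quoting
]);
$stmt = $pdo->prepare('INSERT INTO orders (amount, note) VALUES (:amount, :note)');
$stmt->bindValue(':amount', $clean['numericValue'], PDO::PARAM_INT);
$stmt->bindValue(':note', $clean['stringValue'], PDO::PARAM_STR);
$stmt->execute();

header('Location: /order-complete'); // placeholder success page
exit;
```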