
php preg_match not showing output


I am currently making a simple login page. I am using preg_match to check if a username contains only letters and whitespace. If it helps, I am basing it off the w3schools example: https://www.w3schools.com/php/php_form_url_email.asp

PHP

<?php
$username = $password = "";
$usernameErr = $passwordErr = "";

if ($_SERVER["REQUEST_METHOD"] == "POST") {
    if (empty($_POST["username"])) {
        $usernameErr = "A Username Is Required!";
    } elseif (!preg_match("/^[a-zA-Z ]*$/",$username) === 0) {
        $usernameErr = "Letters and White Space Only!";
    } else {
        $username = input(isset($_POST["username"]));
    }           

    if (empty($_POST["password"])) {
        $passwordErr = "A Password Is Required!";
    }
    else {
        $password = input(isset($_POST["password"]));
    }
}

function input($data) {
      $data = trim($data);
      $data = stripslashes($data);
      $data = htmlspecialchars($data);
}
?>

HTML

<!DOCTYPE HTML>  
<html>
<head>
<style>
    .error {color: #FF0000;}
</style>
</head>
<body>


<h2>PHP Form Validation Example</h2>
<p><span class="error">* required field.</span></p>
<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">  
Username: <input type="text" name="username">
<span class="error">* <?php echo $usernameErr;?></span>
<br><br>
Password: <input type="text" name="password">
<span class="error">* <?php echo $passwordErr;?></span>
<br><br>
<input type="submit" name="submit" value="Submit">

</form>
</body>
</html>

Solution

  • The value of $username is not changed between

    $username = $password = "";
    

    and

     } elseif (!preg_match("/^[a-zA-Z ]*$/",$username) === 0) {
    

    I think you meant to write

     } elseif (!preg_match("/^[a-zA-Z ]*$/",$_POST['username']) === 0) {
    

    Further, attempting to do an explicit integer type match on the return value for preg_match() is a bit silly. Particularly if you perform a boolean negate on the value. This would be better:

    } elseif (!preg_match("/^[a-zA-Z ]+$/",trim($_POST['username']))) {
    

    Then just when we thought it couldn't get any worse...

    $username = input(isset($_POST["username"]));
    

    Are you aware of what isset() does? It returns a boolean which you are processing with your input function. But since your function doesn't return a value you are setting $username to null.

    Consider

    $username = input($_POST["username"]);
    ...
    function input($data) {
      $data = trim($data);
      $data = stripslashes($data);
      $data = htmlspecialchars($data);
      return $data;
    }
    

    There's a lot more wrong with the code, but that is enough clues.

    I would strongly recommend that when experimenting with code you put

    error_reporting(E_ALL | E_STRICT);
    

    at the top of your code and clean out all the warnings PHP will tell you about (the "| E_STRICT" is redundant if your PHP install is up to date).
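
The fixes described in the answer above, combined into one handler as an added example that is not part of the original question or answer. The `validate_login()` helper is hypothetical and the sample submissions are constructed; it goes slightly beyond the answer by using `\z` instead of `$`, rejecting non-string input, and escaping at output time rather than inside an `input()` function.

```php
<?php
declare(strict_types=1);
// Hypothetical helper, not from the original post.
// Returns [accepted values, error messages] for one form submission.
function validate_login(array $post): array
{
    $values = ['username' => '', 'password' => ''];
    $errors = [];

    // Read the submitted value itself (not isset()'s boolean); a non-string
    // such as username[]=x is treated as missing.
    $raw = $post['username'] ?? '';
    $username = is_string($raw) ? trim($raw) : '';
    if ($username === '') {
        $errors['username'] = 'A Username Is Required!';
    } elseif (preg_match('/^[a-zA-Z ]+\z/', $username) !== 1) {
        // preg_match() returns 1 (match), 0 (no match) or false (error);
        // only 1 is accepted. \z anchors at the very end of the string,
        // whereas $ also matches just before a final newline.
        $errors['username'] = 'Letters and White Space Only!';
    } else {
        $values['username'] = $username;
    }

    // The password is only checked for presence and kept byte-for-byte.
    $raw = $post['password'] ?? '';
    $password = is_string($raw) ? $raw : '';
    if ($password === '') {
        $errors['password'] = 'A Password Is Required!';
    } else {
        $values['password'] = $password;
    }

    return [$values, $errors];
}

// Constructed sample submissions standing in for $_POST.
$samples = [
    ['username' => ' Alice Smith ', 'password' => 'pw'],
    ['username' => 'bob<script>', 'password' => 'pw'],
    ['username' => "carol\n\n", 'password' => ''],
    ['username' => ['x'], 'password' => 'pw'],
];
foreach ($samples as $post) {
    [$values, $errors] = validate_login($post);
    // Escape when the value is written into HTML output.
    printf("username=[%s] errors=[%s]\n",
        htmlspecialchars($values['username']), implode(' | ', $errors));
}
```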