A little trouble with OR operators with empty()

jimbopp · June 10, 2020, 5:19pm

Hello can some one help me with where i’m going wrong here… I’m building a cms as a hobbie/project and this is a common problem for me when working with forms. I have started to implement checking for errors first in my conditions but some conditions stopt working.

Where i have 3 inputs here i’m checking if any of the fields are empty before moving on down the script? Why is it not letting me check if any are not empty?

Also other functions like intval() have stopt working.

Any help is great please. Thank you.

if ($pageSubPage === 'secu') {

            if (isset($_POST['edit_secuSettings-submit'])) {

                $edit_loginfaillimit = filter_input(INPUT_POST, 'edit_loginfaillimit', FILTER_SANITIZE_STRING);

                $edit_loginfailtime = filter_input(INPUT_POST, 'edit_loginfailtime', FILTER_SANITIZE_STRING);

                $edit_allowregistration = filter_input(INPUT_POST, 'edit_allowregistration', FILTER_SANITIZE_STRING);

                

                if (!empty($edit_loginfaillimit) || !empty($edit_loginfailtime) || !empty($edit_allowregistration)) {

                    $warning = 'you must change at least one of the fields to submit an update!';

                } else if ($getUserPower < 9) {

                    $error = 'Access Denied! - Security';

                    header('Refresh: 2; '.$site_url.'?page=Admin');

                } else if (!intval($edit_loginfaillimit) xor !intval($edit_loginfailtime) xor !intval($edit_allowregistration)) {

                    $error = 'Post Error!';

                    header('Refresh: 2; '.$site_url.'?page=Admin&sp=secu');

                } else if (!$siteAdmin->updateSecuritySettings($edit_loginfaillimit, $edit_loginfailtime, $edit_allowregistration)) {

                    $error = 'SQL Error - The database was not updated!';

                    header('Refresh: 2; '.$site_url.'?page=Admin');                         

                } else {

                    $success = 'The database has been updated!';

                    header('Refresh: 2; '.$site_url.'?page=Admin&sp=secu');

                }

            }

        }

jimbopp · June 10, 2020, 6:00pm

I have just realised that i am checking “if value is not empty then do this” or and same for others. My question is how do i set that line to check at least 1 value has been put through… I understand this only happens when i try and check for more than 2 empty fields…

jimbopp · June 14, 2020, 9:23pm

Hi can some one confirm that i have this logic right now…

if ($pageSubPage === 'secu') {

            if (isset($_POST['edit_secuSettings-submit'])) {

                if ($getUserPower < 9) {

                    $error = 'Access Denied! - Security';

                    header('Refresh: 2; '.$site_url.'?page=Admin');

                } else if (isset($_POST['edit_loginfaillimit']) && isset($_POST['edit_loginfailtime']) && isset($_POST['edit_allowregistration'])) {

                    $edit_loginfaillimit = filter_input(INPUT_POST, 'edit_loginfaillimit', FILTER_SANITIZE_STRING);

                    $edit_loginfailtime = filter_input(INPUT_POST, 'edit_loginfailtime', FILTER_SANITIZE_STRING);

                    $edit_allowregistration = filter_input(INPUT_POST, 'edit_allowregistration', FILTER_SANITIZE_NUMBER_INT);

                    if (is_numeric($edit_loginfaillimit) && $siteAdmin->getSecuritySettings()['loginfaillimit'] !== $edit_loginfaillimit || 

                        is_numeric($edit_loginfailtime) && $siteAdmin->getSecuritySettings()['loginfailtime'] !== $edit_loginfailtime || 

                        is_numeric($edit_allowregistration) && $siteAdmin->getSecuritySettings()['allowregistration'] !== $edit_allowregistration) {

                        if (!$siteAdmin->updateSecuritySettings($edit_loginfaillimit, 

                                                                $edit_loginfailtime, 

                                                                $edit_allowregistration)) {

                            $error = 'SQL Error - The database was not updated!';

                            header('Refresh: 2; '.$site_url.'?page=Admin');                         

                        } else {

                            $success = 'The database has been updated!';

                            header('Refresh: 2; '.$site_url.'?page=Admin&sp=secu');

                        }

                    } else {

                        $warning = 'you must change at least one of the fields to submit an update!';

                        header('Refresh: 2; '.$site_url.'?page=Admin&sp=secu');

                    }

                }

            }

        }

It is working now too.
Thanks.

phdr · June 15, 2020, 8:27am

There’s too much code, unknown variables, variables that are set but not used, redirects, unknown function calls, … in your post to really answer that.

Here’s generally what post method form processing code should do -

Detect that a post method form was submitted. Do not test if the submit button is set since there are cases where it won’t be set when the form has been submitted.
If there is more than one possible form processing code on a page, add logic to detect either a unique always-set field name or value in a specific field to identify which form processing code to run.
Apply any user permission check, either separately or as part of item #1 or #2.
Trim all input data at once, keeping the input data as an array, rather than writing out discrete variables for each input, then operate on the elements of the array in the rest of the code.
Validate each input separately, storing unique and helpful error messages in an array, using the field name as the array index. This array is also an error flag. If the array is empty, there are no errors. You can then test/display the content of this array at the appropriate location in the html document.
If there are no validation errors, use the submitted form data.
After successful processing the the form data, with no errors, redirect to the exact same url of the page to cause a get request. If you want to display a one-time success message, store it in a session variable, then test/display/clear that session variable at the appropriate location in the html document. To navigate to other pages, provide navigation links on the page.
Given the redirects in the current code, it’s likely the form is on a separate page. Put the form on the same page as the form processing code. You can then re-populate the form field values, upon an error, with the submitted data so that the user doesn’t need to keep re-entering the same values over and over.
Every header() redirect needs an exit/die statement to stop code execution.

jimbopp · August 20, 2020, 5:54pm

Hi sorry for my super late reply! Thanks for yours!

jimbopp · August 20, 2020, 7:16pm

Also here is the update to my code here…

if ($pageSubPage === 'secu') {

    if (isset($_POST['edit_secuSettings-submit'])) {

        // Check that the post session matches the hidden post value - prevents form resubmission

        if (checkPostSession() == false) {

            header('Location: '.SITE_URL.'?page=Admin&sp=secu&sysmsg=postref'.$sysMsgCon.$randSysMsgID);

            exit;

        } else {

            if (USER['power'] < 9) {

                // Insufficient user permissions!

                header('Location: '.SITE_URL.'?page=Admin&sp=secu&sysmsg=nopwr'.$sysMsgCon.$randSysMsgID);

                exit;

            } else if (isset($_POST['edit_loginfaillimit']) && 

                isset($_POST['edit_loginfailtime']) && 

                isset($_POST['edit_allowregistration'])) {

                // Filter INPUT_POST Function Array

                $postFilter = filter_input_array(INPUT_POST, [

                    "edit_loginfaillimit" => FILTER_SANITIZE_STRING,

                    "edit_loginfailtime" => FILTER_SANITIZE_STRING,

                    "edit_allowregistration" => FILTER_SANITIZE_STRING,

                ]);

                // Trim all Values left and right

                $postFilter = array_map('trim', $postFilter);

                // POST LOGIC

                if (is_numeric($postFilter['edit_loginfaillimit']) && $loginFailLimit != $postFilter['edit_loginfaillimit'] || 

                    is_numeric($postFilter['edit_loginfailtime']) && $loginFailTime != $postFilter['edit_loginfailtime'] || 

                    is_numeric($postFilter['edit_allowregistration']) && $allowRegistration != $postFilter['edit_allowregistration']) {

                    

                    if (!$siteAdmin->updateSecuritySettings(

                        $postFilter['edit_loginfaillimit'],

                        $postFilter['edit_loginfailtime'],

                        $postFilter['edit_allowregistration'])) {

                        // SQL Error - The database was not updated!

                        header('Location: '.SITE_URL.'?page=Admin&sp=secu&sysmsg=settupdt0'.$sysMsgCon.$randSysMsgID);

                        exit;

                    } else {

                        // The database has been updated!

                        header('Location: '.SITE_URL.'?page=Admin&sp=secu&sysmsg=settupdt1'.$sysMsgCon.$randSysMsgID);

                        exit;

                    }

                } else {

                    // You must change at least one field to submit an update!

                    header('Location: '.SITE_URL.'?page=Admin&sp=secu&sysmsg=pstfld0'.$sysMsgCon.$randSysMsgID);

                    exit;

                }// END POST LOGIG

            }

        }

    }

}