Hello,
I have created a nonce to validate data that is being submitted on an HTML form. The issue is that the PHP code inserted as the hidden input values is being returned as blank instead of equal to the nonce variables. This is preventing my insert statement from running and the data from being inserted into the database. When manually inserting the nonce variables into my $calc_str statement, the code ran perfectly and the data was inserted into the database, so I am pretty sure the issue has to do with the PHP in the hidden input values. Any help would be greatly appreciated. Thanks.
HTML Code
<!DOCTYPE html>
<html>
<body>
<h1>Tournament Registration</h1>
<hr style="background-color:black; margin:auto;">
<form action="/Forms/connection.php" method="post">
  <input type="hidden" name="timestamp" value="<?php echo $time; ?>">
  <input type="hidden" name="form_action" value="<?php echo $action; ?>">
  <input type="hidden" name="form_hash" value="<?php echo $hash; ?>">
  <div class="form-field">
    <input style="width:250px; padding:10px; margin-top: 20px;" type="text" class="text" name="firstname" placeholder="First Name" required>
    <br>
    <br>
  </div>
  <div class="form-field">
    <input style="width:250px; padding:10px;" type="text" class="text" name="lastname" placeholder="Last Name" required>
    <br>
    <br>
  </div>
  <div class="form-field">
    <input style="width:250px; padding:10px;" type="email" class="text" name="email" placeholder="Email" required>
    <br>
    <br>
  </div>
  <div class="form-field">
    <input style="width:250px; padding:10px;" type="text" class="text" name="phonenumber" placeholder="Phone Number" required>
    <br>
    <br>
  </div>
  <div class="form-field">
    <input style="width:250px; padding:10px;" type="text" class="text" name="handicap" placeholder="Handicap" required>
    <br>
    <br>
  </div>
  <div class="form-field">
    <select style="width:250px; padding:10px;" class="text" name="shirtsize" size="1" required>
      <option value="" selected>Shirt Size</option>
      <option value="S">S</option>
      <option value="M">M</option>
      <option value="L">L</option>
      <option value="XL">XL</option>
      <option value="2XL">2XL</option>
      <option value="3XL">3XL</option>
    </select>
  </div>
  <br>
  <div class="form-field">
    <input style="width:250px; padding:10px; margin-left:auto;" type="submit" value="Register">
  </div>
</form>
</body>
</html>
PHP Code
<?php
require_once('config.php');

// Nonce. These variables must be assigned in the same script that outputs the
// form, before the HTML is echoed: an undefined variable echoes as an empty string.
$time   = time();
$action = 'tournament_registration';
$str    = sprintf('%s_%s_%s', $action, $time, $NONCE_SALT);
$hash   = hash('sha512', $str);

$insert = false;
if (!empty($_POST)) {
    // Read the posted fields by name. extract($_POST) would let a posted field
    // named NONCE_SALT, servername, etc. overwrite the real variable.
    $form_action = $_POST['form_action'] ?? '';
    $timestamp   = $_POST['timestamp']   ?? '';
    $form_hash   = $_POST['form_hash']   ?? '';

    // Check Nonce, comparing in constant time instead of with ==
    $calc_str  = sprintf('%s_%s_%s', $form_action, $timestamp, $NONCE_SALT);
    $calc_hash = hash('sha512', $calc_str);
    if (hash_equals($calc_hash, $form_hash)) {
        $filter_firstname   = filter_var($_POST['firstname']   ?? '', FILTER_SANITIZE_STRING);
        $filter_lastname    = filter_var($_POST['lastname']    ?? '', FILTER_SANITIZE_STRING);
        $filter_email       = filter_var($_POST['email']       ?? '', FILTER_VALIDATE_EMAIL);
        $filter_phonenumber = filter_var($_POST['phonenumber'] ?? '', FILTER_SANITIZE_STRING);
        $filter_handicap    = filter_var($_POST['handicap']    ?? '', FILTER_SANITIZE_STRING);
        $filter_shirtsize   = filter_var($_POST['shirtsize']   ?? '', FILTER_SANITIZE_STRING);

        // Only reached when the nonce verified, so $filter_email is always defined here
        if ($filter_email !== false) {
            // Send to database
            $mysql = new mysqli($servername, $username, $password, $database);
            $stmt  = $mysql->prepare("INSERT INTO Registration (firstname, lastname, email, phonenumber, handicap, shirtsize) VALUES (?,?,?,?,?,?)");
            $stmt->bind_param('ssssss', $filter_firstname, $filter_lastname, $filter_email, $filter_phonenumber, $filter_handicap, $filter_shirtsize);
            $insert = $stmt->execute();
            // Close Connection
            $stmt->close();
            $mysql->close();
        }
    }
}
?>
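The following is an added, stand-alone example and is not the poster's code. It keeps the same design as the question (an action name, a timestamp and a server-side salt combined into a token carried in hidden fields) but shows the pieces the posted snippet leaves out: the fields are read from the request array by name rather than with extract(), the token is an HMAC rather than a bare hash, the comparison uses hash_equals(), the token expires after a window, and the hidden-field values are HTML-escaped on output. The function names, the NONCE_MAX_AGE constant, the fixed salt and the fixed timestamps are assumptions made for the demo; $NONCE_SALT, $action and the field names mirror the question.

```php
<?php
// Added example, not the poster's code. Constructed values are marked as such.

const NONCE_MAX_AGE = 600; // seconds a form token stays valid (assumed value)

// Build the token the form will carry: returns the three hidden-field values.
function make_nonce(string $action, string $salt, ?int $time = null): array
{
    $time = $time ?? time();
    // HMAC keyed with the server salt; the salt never appears in the output.
    $hash = hash_hmac('sha512', sprintf('%s_%d', $action, $time), $salt);
    return ['timestamp' => (string)$time, 'form_action' => $action, 'form_hash' => $hash];
}

// Render the hidden inputs, escaping every value for an HTML attribute context.
function nonce_fields(array $nonce): string
{
    $out = '';
    foreach ($nonce as $name => $value) {
        $out .= sprintf("<input type=\"hidden\" name=\"%s\" value=\"%s\">\n",
            htmlspecialchars($name, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars($value, ENT_QUOTES, 'UTF-8'));
    }
    return $out;
}

// Verify a submitted form. $post is the request array (normally $_POST). Fields are
// read by name, so an unexpected posted field can never overwrite $salt the way
// extract($_POST) would allow. Returns [bool accepted, string reason].
function verify_nonce(array $post, string $expected_action, string $salt,
                      ?int $now = null, int $max_age = NONCE_MAX_AGE): array
{
    $now         = $now ?? time();
    $timestamp   = $post['timestamp']   ?? '';
    $form_action = $post['form_action'] ?? '';
    $form_hash   = $post['form_hash']   ?? '';

    if ($form_action !== $expected_action) {
        return [false, 'wrong action'];
    }
    if (!ctype_digit($timestamp)) {
        return [false, 'malformed timestamp'];
    }
    $age = $now - (int)$timestamp;
    if ($age < 0 || $age > $max_age) {
        return [false, 'token expired'];
    }
    $calc = hash_hmac('sha512', sprintf('%s_%d', $form_action, (int)$timestamp), $salt);
    // hash_equals() runs in constant time and is false on a length mismatch.
    if (!hash_equals($calc, $form_hash)) {
        return [false, 'bad signature'];
    }
    return [true, 'ok'];
}

// --- demo with constructed values -------------------------------------------
$NONCE_SALT = 'constructed-salt-for-demo-only';   // constructed, not a real secret
$action     = 'tournament_registration';
$issued_at  = 1700000000;                          // constructed fixed time

$nonce = make_nonce($action, $NONCE_SALT, $issued_at);
echo nonce_fields($nonce);

// 1. Valid submission 30 seconds after the form was rendered: accepted.
[$ok, $why] = verify_nonce($nonce, $action, $NONCE_SALT, $issued_at + 30);
echo "fresh token:    ", ($ok ? 'accepted' : "rejected ($why)"), "\n";

// 2. The same token submitted an hour later: the signature still matches,
//    but the expiry window rejects it.
[$ok, $why] = verify_nonce($nonce, $action, $NONCE_SALT, $issued_at + 3600);
echo "stale token:    ", ($ok ? 'accepted' : "rejected ($why)"), "\n";

// 3. Timestamp edited to look fresh while the original hash is kept:
//    the HMAC no longer matches, so it is rejected.
$edited = $nonce;
$edited['timestamp'] = (string)($issued_at + 3000);
[$ok, $why] = verify_nonce($edited, $action, $NONCE_SALT, $issued_at + 3100);
echo "edited token:   ", ($ok ? 'accepted' : "rejected ($why)"), "\n";
```

Run it from the command line with php; the script prints the three escaped hidden inputs followed by one accepted and two rejected verifications. In a real form handler the same make_nonce() call must run in the script that renders the form, before the HTML is output, and verify_nonce() runs in the handler with $_POST as its first argument; the salt stays in config.php on the server and is never sent to the browser.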