Validation does not stop data submission to Database
I am trying to create a sign up page with validations but the data still submits to database even when validation is wrong. See my code below please;
<?php
$surnameErr = $firstnameErr = $usernameErr = $emailErr = $passwordErr = $password1Err = "";
$surname = $firstname = $username = $email = $password = $password1 = "";
$status = "OK";
if ($_SERVER["REQUEST_METHOD"] == "POST") {
if (empty($_POST["surname"])) {
$surnameErr = "Surname is required";
$status = "NOTOK";
}
else {
$surname = test_input($_POST["surname"]);
if (!preg_match("/^[a-zA-Z ]*$/",$surname)) {
$surnameErr = "Only letters and white space allowed";
$status = "NOTOK";
}
}
if (empty($_POST["firstname"])) {
$firstnameErr = "First Name is required";
$status = "NOTOK";
}
else {
$firstname = test_input($_POST["firstname"]);
if (!preg_match("/^[a-zA-Z ]*$/",$firstname)) {
$firstnameErr = "Only letters and white space allowed";
$status = "NOTOK";
}
}
if (empty($_POST["username"])) {
$usernameErr = "Username is required";
$status = "NOTOK";
} else {
$username = test_input($_POST["username"]);
}
if (empty($_POST["email"])) {
$emailErr = "Email is required";
$status = "NOTOK";
} else {
$email = test_input($_POST["email"]);
if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
$emailErr = "Invalid Email format";
$status = "NOTOK";
}
}
if (empty($_POST["password"])) {
$passwordErr = "Password is required";
$status = "NOTOK";
}
if (empty($_POST["password1"])) {
$password1Err = "Repeat password to confirm";
$status = "NOTOK";
}
else{
$connection = mysqli_connect("localhost", "root", "", "church") or die(mysql_error());
$checkuser = mysqli_query ($connection,"SELECT * FROM signup WHERE username = '$username'");
if (mysqli_num_rows ($checkuser) > 0){
echo "<script>alert('$username already exist in our database, please enter another one')</script>";
$status = "NOTOK";
}
$checkemail = mysqli_query ($connection,"SELECT * FROM signup WHERE email = '$email'");
if (mysqli_num_rows ($checkemail) > 0){
echo "<script>alert('$email already exist in our database, please enter another one')</script>";
$status = "NOTOK";
}
if ($password != $password1){
echo "<script>alert('Password does not match')</script>";
$status = "NOTOK";
}
$password=md5($password);
$datainsert = mysqli_query ($connection, "INSERT INTO signup (surname, firstname, username, email, password) VALUES ('$surname', '$firstname','$username','$email','$password')") or die(mysql_error());
echo "<script>alert('Sign Up Successful!')</script>";
}
}
function test_input($data) {
$data = trim($data);
$data = stripslashes($data);
$data = htmlspecialchars($data);
return $data;
}
?>