
I have created a form (enquiry form) in HTML that posts to the following code:

<?php
if (isset($_POST['submit'])) {
    // Escape every submitted value before it is embedded in the query string.
    $name    = mysql_real_escape_string((string)$_POST['name']);
    $surname = mysql_real_escape_string((string)$_POST['surname']);
    $email   = mysql_real_escape_string((string)$_POST['email']);
    $phone   = mysql_real_escape_string((string)$_POST['phone']);
    $country = mysql_real_escape_string((string)$_POST['country']);
    $message = mysql_real_escape_string((string)$_POST['message']);

    $sql = "INSERT INTO contact
            (name, surname, email, phone, country, message)
            VALUES ('$name', '$surname', '$email', '$phone', '$country', '$message')";

    mysql_select_db($db);
    $retval = mysql_query($sql, $conn) or die(mysql_error());

    echo 'Thank you ' . $name . ' ' . $surname . '. Your enquiry has been forwarded to our team. <br><br>Please check your email inbox for further information.<br><br>Return to homepage:<br><br><button class="search" onclick="location.href=\'/\'">Return to homepage</button>';

    mysql_close($conn);
}
?>

I am wondering, how I can display errors and stop the form posting when invalid or zero data is entered?

Whilst learning how to create forms on the web, I also heard about SQL injections. Am I protected?

Help much appreciated.

2 Answers

4

I am wondering how I can display errors and stop the form posting when invalid or zero data is entered.

You have to do the validation after if(isset($_POST['submit'])). For example, you could check that name is non-empty:

$errors = array();
if (empty($_POST['name'])) {
    $errors[] = 'name must not be empty';
}

For more complicated validations such as validating that email is valid, you should take a look at the filter extension:

$email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
if (!$email) {
    // invalid (or missing) email
    $errors[] = 'email is not valid';
}

And after all your validations:

if (!count($errors)) {
    // do the insert here
}

You could use a while block to break as soon as you detect an error:

while (isset($_POST['submit'])) {

    if (empty($_POST['name'])) {
        $errors[] = 'name must not be empty';
        break;
    }

    // do the insert here

    break;
}

Whilst learning how to create forms on the web, I also heard about SQL injections. Am I protected?

Yes, as long as you escape anything that you embed in a SQL query (just like you are doing), you are protected.

You should try using prepared statements; they are safer and easier to use.


3 Comments

...as long as you escape all the string values you embed in a SQL query, not variables.
@Col. Shrapnel Basically, all submitted values are strings. There is a difference between a numeric value ("123") and an integer (123). Therefore I find it good practice to cast values for int columns to integers, besides escaping string inputs.
I mean for the SQL, the only string value is one enclosed in quotes
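The validation this answer describes, written out as a complete function (an added example, not code from the question or the answer). It uses the filter extension for the email address as suggested, collects every problem into an errors array instead of stopping at the first one, and only then decides whether the insert may run. The field names are the ones from the question's form; the phone format and the message length cap are assumptions.

```php
<?php
// Added example: validate the enquiry form before anything touches the DB.
// Field names come from the question's form; the phone pattern and the
// 2000-character message limit are assumptions for this example.

function validate_enquiry(array $post)
{
    $errors = array();

    // Required text fields: reject missing, empty, or whitespace-only values.
    foreach (array('name', 'surname', 'country', 'message') as $field) {
        if (!isset($post[$field]) || trim((string) $post[$field]) === '') {
            $errors[] = "$field must not be empty";
        }
    }

    // Email: let the filter extension decide instead of a hand-written regex.
    $email = isset($post['email']) ? trim((string) $post['email']) : '';
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }

    // Phone: digits, spaces, +, -, ( ) only, 6 to 20 characters (assumed format).
    $phone = isset($post['phone']) ? trim((string) $post['phone']) : '';
    if (!preg_match('/^[0-9+()\- ]{6,20}$/', $phone)) {
        $errors[] = 'phone must be 6 to 20 digits';
    }

    // Length cap so an oversized message is rejected rather than truncated.
    if (isset($post['message']) && strlen((string) $post['message']) > 2000) {
        $errors[] = 'message must be at most 2000 characters';
    }

    return $errors;
}

// Constructed sample submissions: one valid, one with three problems.
$good = array('name' => 'Ada', 'surname' => 'Lovelace', 'email' => 'ada@example.com',
              'phone' => '+44 20 7946 0000', 'country' => 'UK', 'message' => 'Hello');
$bad  = array('name' => '   ', 'surname' => 'X', 'email' => 'not-an-email',
              'phone' => '12', 'country' => 'UK', 'message' => 'Hi');

var_dump(validate_enquiry($good));
var_dump(validate_enquiry($bad));

// Typical use inside the form handler: insert only when the list is empty,
// otherwise show the errors. Error text is HTML-escaped because it is echoed
// into the page (it may contain text derived from the submission).
if (isset($_POST['submit'])) {
    $errors = validate_enquiry($_POST);
    if (count($errors) === 0) {
        // do the insert here (with a prepared statement)
    } else {
        foreach ($errors as $error) {
            echo htmlspecialchars($error, ENT_QUOTES, 'UTF-8') . "<br />";
        }
    }
}
```

Validating against a plain array rather than calling filter_input directly keeps the function testable from the command line; the handler at the bottom passes $_POST in when the script runs behind the form.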
-1
<?php
if (isset($_POST['submit'])) {
    $errors = array();
    // Each field is escaped when present; a missing field records an error instead.
    $name    = !empty($_POST['name'])    ? mysql_real_escape_string((string)$_POST['name'])    : $errors[] = 'Name must not be empty';
    $surname = !empty($_POST['surname']) ? mysql_real_escape_string((string)$_POST['surname']) : $errors[] = 'Surname must not be empty';
    $email   = !empty($_POST['email'])   ? mysql_real_escape_string((string)$_POST['email'])   : $errors[] = 'Email must not be empty';
    $phone   = !empty($_POST['phone'])   ? mysql_real_escape_string((string)$_POST['phone'])   : $errors[] = 'Phone must not be empty';
    $country = !empty($_POST['country']) ? mysql_real_escape_string((string)$_POST['country']) : $errors[] = 'Country must not be empty';
    $message = !empty($_POST['message']) ? mysql_real_escape_string((string)$_POST['message']) : $errors[] = 'Message must not be empty';

    if (empty($errors)) {
        if (preg_match("/([\w\-]+\@[\w\-]+\.[\w\-]+)/", $email)) {
            $sql = "INSERT INTO contact
                    (name, surname, email, phone, country, message)
                    VALUES ('$name', '$surname', '$email', '$phone', '$country', '$message')";

            mysql_select_db($db);
            $retval = mysql_query($sql, $conn) or die(mysql_error());

            echo 'Thank you ' . $name . ' ' . $surname . '. Your enquiry has been forwarded to our team. <br><br>Please check your email inbox for further information.<br><br>Return to homepage:<br><br><button class="search" onclick="location.href=\'/\'">Return to homepage</button>';

            mysql_close($conn);
        } else {
            echo 'Invalid Email';
        }
    } else {
        foreach ($errors as $error) {
            echo "$error<br />";
        }
    }
}
?>

1 Comment

It's a bad practice to sql-escape variables too early. You should not even assign them with the escaped value (and ideally you should use prepared statements).
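The point raised in this comment (and in the first answer's closing advice), shown as an added example that is not code from either answer: the question's INSERT rewritten with a PDO prepared statement. The raw submitted values stay unescaped in PHP and are handed to the driver as bound parameters, so the SQL text is fixed and the data can never be read as part of it. SQLite in memory is used only so the script runs stand-alone (it needs the pdo_sqlite extension); against MySQL the DSN would be a mysql: one and the rest is unchanged. The table layout, sample values and DSN are assumptions for this example.

```php
<?php
// Added example: insert with a PDO prepared statement instead of escaping
// values into the query string. SQLite in memory is only for a self-contained
// run; the table matches the column list used in the question.

function open_demo_db()
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE contact (
        id INTEGER PRIMARY KEY, name TEXT, surname TEXT, email TEXT,
        phone TEXT, country TEXT, message TEXT)');
    return $pdo;
}

function insert_enquiry(PDO $pdo, array $data)
{
    // The SQL is a constant; every user value is a named placeholder.
    $stmt = $pdo->prepare('INSERT INTO contact
        (name, surname, email, phone, country, message)
        VALUES (:name, :surname, :email, :phone, :country, :message)');
    $stmt->execute(array(
        ':name'    => $data['name'],
        ':surname' => $data['surname'],
        ':email'   => $data['email'],
        ':phone'   => $data['phone'],
        ':country' => $data['country'],
        ':message' => $data['message'],
    ));
    return (int) $pdo->lastInsertId();
}

function fetch_enquiry(PDO $pdo, $id)
{
    // Reads are parameterised the same way; the id is bound as an integer.
    $stmt = $pdo->prepare('SELECT surname, message FROM contact WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

$pdo = open_demo_db();

// Constructed submission: the surname contains a quote and the message looks
// like SQL. With a prepared statement both are stored verbatim as data.
$submission = array(
    'name'    => 'Miles',
    'surname' => "O'Brien",
    'email'   => 'miles@example.com',
    'phone'   => '+353 1 234 5678',
    'country' => 'Ireland',
    'message' => "Hi'); DROP TABLE contact; --",
);
$id  = insert_enquiry($pdo, $submission);
$row = fetch_enquiry($pdo, $id);
printf("stored surname=%s message=%s\n", $row['surname'], $row['message']);

// Output escaping is a separate concern from SQL: the thank-you line puts the
// name into HTML, so it is escaped for HTML here, not with mysql escaping.
echo 'Thank you ' . htmlspecialchars($submission['name'] . ' ' . $submission['surname'], ENT_QUOTES, 'UTF-8') . ".\n";
```

Because the values are never escaped in PHP, the same $submission array can be validated, stored, and echoed without any of those steps corrupting the others, which is exactly the problem with escaping at assignment time that the comment describes.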
