So I have a form that looks like so.

<form action="thanks.php" method="post" class="niceform" name="myform">
<table>
<tr>
<td><label for="company_name">Company Name</label></td>
<td><input type="text" name="company" value="" size="38" /></td>
</tr>
// and so on

I have the validation in JavaScript. But the problem is that when I go directly to thanks.php (localhost/mysite/form/thanks.php), an empty row is inserted, as I can see in phpMyAdmin. Thanks.php looks like so.

<?php
// open the connection
$conn = mysql_connect("localhost", "root", "password");
// pick the database to use
mysql_select_db("company_register",$conn);

$sql = "INSERT INTO `tblsignups` VALUES ('NULL', '$_POST[company]', '$_POST[email]', '$_POST[phone]', '$_POST[address]', '$_POST[comments]', '$_POST[contact_person]')";

$result = mysql_query($sql, $conn) or die(mysql_error());

mysql_close($conn);
?>
// And I have a thank you msg I display

How do I check whether someone went directly to thanks.php, so that I can tell them to fill in the form first and not put anything in the database?

  • Side point: you need to start sanitising your POST vars before trying to insert them into the database. Commented Sep 20, 2011 at 9:03
  • To elaborate, your database is subject to something called "SQL Injection". Someone could very easily erase your entire database because of the way you construct your query string. Instead, try using a prepared statement: php.net/manual/en/class.mysqli-stmt.php Commented Sep 20, 2011 at 9:06
  • Thank you JonStirling. But more importantly @SkyKelsey, I appreciate the explanation. I will search for best practices for sanitation in MySQL/PHP and revise my code accordingly! Commented Sep 20, 2011 at 12:32

9 Answers

2

You need to check if the form was submitted. You probably want something like:

<?php

if ($_POST)
{
    // open the connection
    $conn = mysql_connect("localhost", "root", "password");
    // pick the database to use
    mysql_select_db("company_register",$conn);

    $sql = "INSERT INTO `tblsignups` VALUES ('NULL', '$_POST[company]', '$_POST[email]', '$_POST[phone]', '$_POST[address]', '$_POST[comments]', '$_POST[contact_person]')";

    $result = mysql_query($sql, $conn) or die(mysql_error());

    mysql_close($conn);
}

?>

1

Here is a sketch example.

After receiving POST data you have to check it and raise an error flag; in case of some errors, show the form back instead of saving it.

<?php
// start with no errors so the template can test $err on a plain GET as well
$err = array();
if ($_SERVER['REQUEST_METHOD'] == 'POST') {

  // performing all validations and raising corresponding errors
  if (empty($_POST['name'])) $err[] = "Username field is required";
  if (empty($_POST['comments'])) $err[] = "Comments field is required";

  if (!$err) {
    // if no errors - saving data
    // and then redirect:
    header("Location: " . $_SERVER['PHP_SELF']);
    exit;
  } else {
    // all field values should be escaped according to HTML standard
    foreach ($_POST as $key => $val) {
      $form[$key] = htmlspecialchars($val);
    }
  }
} else {
  $form['name'] = $form['comments'] = '';
}
include 'form.tpl.php';
?>

and modify your form to make it possible to show errors

<?php if ($err): ?>
  <?php foreach ($err as $e): ?>
<div class="err"><?= $e ?></div>
  <?php endforeach ?>
<?php endif ?>
<form method="post">
  <input type="text" name="name" value="<?= $form['name'] ?>">
  <textarea name="comments"><?= $form['comments'] ?></textarea>
  <input type="submit">
</form>


1

You can check for all as:

if(empty($_POST['company']))
{
//redirect or show error msg that its required
}
else
{
//do what you want
}

And accordingly for all.

If you have posted the form, $_POST will always be true, so when you have to check for empty values you have to check like this for all fields:

if(empty($_POST['company']) || empty($_POST['email']) || empty($_POST['user']))

and so on.


1

Check if the company name has been provided in the request and is not empty. Redirect the user to the form if there is no company name, possibly with an error message.

The form:

<form action="thanks.php" method="post" class="niceform" name="myform">
<?php if (!empty($_GET['error'])): ?>
<span class="error">Please fill the required fields!</span>
<?php endif; ?>
<table>
<tr>
<td><label for="company_name">Company Name</label></td>
<td><input type="text" name="company" value="" size="38" /></td>
</tr>

Thanks.php:

<?php
// Is company specified?
if(!isset($_POST['company']) || $_POST['company'] == '') {
    header('Location: form.php?error=1');
    exit();
}

// open the connection
$conn = mysql_connect("localhost", "root", "password");
// pick the database to use
mysql_select_db("company_register",$conn);

$sql = "INSERT INTO `tblsignups` VALUES ('NULL', '$_POST[company]', '$_POST[email]', '$_POST[phone]', '$_POST[address]', '$_POST[comments]', '$_POST[contact_person]')";

$result = mysql_query($sql, $conn) or die(mysql_error());

mysql_close($conn);
?>


1

Checking if there is $_POST is not enough. Redirect after the post; otherwise, if you add a row and refresh the page, you'll end up with 2 records in the database. So post to process.php, and from process.php redirect to thanks.php. Also, validate in PHP, not in JavaScript.
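Putting this answer's process.php-then-redirect advice together with the prepared-statement advice from the comments, as an added example that is not from the question or any answer. The column names, form.php and an AUTO_INCREMENT id column are assumptions; mysqli is used because the mysql_* functions in the answers were removed in PHP 7.

```php
<?php
// Added example, not from the question or any answer: process.php validates
// server-side, inserts via a mysqli prepared statement, then redirects (POST-
// redirect-GET) so thanks.php never touches the database. Assumed: the column
// names below match the VALUES order in the question's INSERT, the id column
// is AUTO_INCREMENT, and form.php / thanks.php exist alongside this file.

// 1. Anything that is not a POST (a typed-in URL, a bookmark) goes to the form.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('Location: form.php');
    exit;
}

// 2. Server-side validation: the JavaScript check can be skipped or disabled.
$fields = array('company', 'email', 'phone', 'address', 'comments', 'contact_person');
$data = array();
foreach ($fields as $f) {   // is_string() rejects company[]=... array tricks
    $data[$f] = (isset($_POST[$f]) && is_string($_POST[$f])) ? trim($_POST[$f]) : '';
}
if ($data['company'] === '' || filter_var($data['email'], FILTER_VALIDATE_EMAIL) === false) {
    header('Location: form.php?error=1');   // flag only; no user input echoed back
    exit;
}

// 3. Prepared statement: values are bound as parameters, never pasted into the
//    SQL text, so quotes or comment markers in a field are stored as plain text.
$conn = new mysqli('localhost', 'root', 'password', 'company_register');
if ($conn->connect_error) {
    error_log('signup db connect failed: ' . $conn->connect_error);
    die('Could not save your details');      // generic message for the user
}
$stmt = $conn->prepare(
    'INSERT INTO `tblsignups` (company, email, phone, address, comments, contact_person)
     VALUES (?, ?, ?, ?, ?, ?)'
);
$stmt->bind_param('ssssss', $data['company'], $data['email'], $data['phone'],
                  $data['address'], $data['comments'], $data['contact_person']);
if (!$stmt->execute()) {
    error_log('signup insert failed: ' . $stmt->error);   // log, never display
    die('Could not save your details');
}
$stmt->close();
$conn->close();

// 4. Redirect so a browser refresh of thanks.php cannot repeat the INSERT.
header('Location: thanks.php');
exit;
```

With this split, thanks.php only prints the thank-you message, so visiting it directly cannot create a row.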


1

Just check the code below:

<?php
// open the connection
$conn = mysql_connect("localhost", "root", "password");
// pick the database to use
mysql_select_db("company_register", $conn);

// array keys must be quoted outside strings: $_POST[company] relies on an undefined constant
if (!empty($_POST['company']) or !empty($_POST['email']) or !empty($_POST['phone']) or !empty($_POST['address'])) {
    $sql = "INSERT INTO `tblsignups` VALUES ('NULL', '$_POST[company]', '$_POST[email]', '$_POST[phone]', '$_POST[address]', '$_POST[comments]', '$_POST[contact_person]')";
    $result = mysql_query($sql, $conn) or die(mysql_error());
} else {
    echo "Please fill all fields ";
}

mysql_close($conn);
?>


0

if(count($_POST)>0){
    // your code...
}
else{
   // else code...
}


0

First and foremost: do not use a table inside a form. (I'm sorry, I couldn't resist, but this hurts my eyes.)

On topic: Always remember to have validation on both your front- and backend.

So in this case add some validation to your php file like:

<?php

if(empty($_POST['company']))
{
// show validation message
} else {

// open the connection
$conn = mysql_connect("localhost", "root", "password");
// pick the database to use
mysql_select_db("company_register",$conn);

$sql = "INSERT INTO `tblsignups` VALUES ('NULL', '$_POST[company]', '$_POST[email]', '$_POST[phone]', '$_POST[address]', '$_POST[comments]', '$_POST[contact_person]')";

$result = mysql_query($sql, $conn) or die(mysql_error());

mysql_close($conn);
}
?>


-1

Just check to see if all the required form fields exist. If they don't exist, redirect to your form page.

if (!array_key_exists("company", $_POST)) {
   header('Location: http://your.form.page.html');
   exit; // stop here, otherwise the script keeps running after the redirect header
}
