
php mysql insert


erok


Hi people, I have a form and a PHP file to process it. I am not sure about my code, its sequence, injection, etc. I would really appreciate any constructive criticism.

<form method="post" action="ekle1.php">
<input type="hidden" name="page_mode" value="register" />
First name: <input type="text" name="firstname" size="30" maxlength="50" /><br />
Last name: <input type="text" name="lastname" size="30" maxlength="30" /><br />
Phone number: <input type="text" name="phone" size="30" maxlength="30" /><br />
<p><b>Comment</b></p>
<textarea name="message" maxlength="1000" rows="12" cols="40"></textarea><br />
<input type="submit" name="formsubmit" value="Submit" size="30" />
</form>

ekle1.php file

<html>
<head><title>insert data to database</title></head>
<body>
<?php
if(isset($_POST['formsubmit'])) {
    $error_string = '';
}
if(isset($_POST['firstname']) && $_POST['firstname'] != "") {
    $firstname = ($_POST['firstname']);
    $firstname = mysql_escape_string($firstname);
    $error_string = '';
}
if(isset($_POST['lastname']) && $_POST['lastname'] != "") {
    $lastname = ($_POST['lastname']);
    $lastname = mysql_escape_string($lastname);
    $error_string = '';
}
if(isset($_POST['phone']) && $_POST['phone'] != "") {
    $phone = ($_POST['phone']);
    $phone = mysql_escape_string($phone);
    $error_string = '';
}
if(isset($_POST['message']) && $_POST['message'] != "") {
    $message = ($_POST['message']);
    $message = mysql_escape_string($message);
    $error_string = '';
}
//connect to database server
$con = mysql_connect(" ", " ", " ");
if (!$con) {
    die('could not connect: ' . mysql_error());
}
// select database
mysql_select_db("db", $con);
//sql statement is built
if($error_string == '') {
    mysql_query("INSERT INTO employees(firstname, lastname, phone, message) VALUES('$firstname', '$lastname', '$phone', '$message')");
    echo("Hi, " . $firstname . ", we submitted your form!");
} else {
    echo "we need you to fill out the form fields completely";
}
//close the database connection
mysql_close($con);
?>
</body>
</html>


For the collection of if statements, I would recommend using the empty() function instead:

if(!empty($_POST['firstname'])) {
    $firstname = ($_POST['firstname']);
    $firstname = mysql_escape_string($firstname);
    $error_string = '';
}

You can actually check them all at once in one if statement like so:

if(!empty($_POST['firstname']) && !empty($_POST['lastname']) && !empty($_POST['phone']) && !empty($_POST['message'])) {
    // set your variables here and query the database, since all fields are NOT empty and contain values that are not equal to NULL and/or 0 (zero)
} else {
    echo 'Please fill in all fields!';
}

empty() is good because it checks to see if the value is not null. isset() checks to see if a variable has been set, and if it is set to zero (0) it is still considered 'set'. If a variable is set to 0 when using the function empty(), it is considered 'empty'.


Thanks Don E. Where am I supposed to place the connection section in the PHP file? "$con = mysql_connect(" ", " ", " "); if (!$con) { die('could not connect: ' . mysql_error()); } mysql_select_db(" ", $con);" What is the logical flow of the program? Does it make any difference if I have the file connect at the top or just before mysql_query? Does sequence make any difference?


If you're going to be making queries throughout the page, it's probably best to have it at the top then. In your case with the example, it would be okay to have it right before the query. Actually, it's not a bad idea to have it after all the form data is filled (meaning, once it clears validation; the if statements checking whether the $_POST values are empty or not) and is ready to be uploaded to the database.


Does sequence make any difference?
Sequence matters. PHP parses line by line; you have to make the connection before you use it anywhere.
$message = ($_POST['message']); $message = mysql_escape_string($message);
You don't need to use parentheses around a variable when you assign. Use http://php.net/mysql_real_escape_string instead of mysql_escape_string().
echo("Hi, " . $firstname . ", we submitted your form!");
Now it will print that regardless of whether the query inserted or not. You may want to make it conditional so that it only prints when the query really inserted; check the mysql_query() return value to determine whether the query succeeded.
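Pulling the thread's advice together (Don E's validation suggestion, the discussion of where to put the connection, and the last reply's points about mysql_real_escape_string and checking the query's return value), here is an added example, not code from erok or any of the repliers, of how ekle1.php could be written today. It uses PDO prepared statements, which send the values to the server separately from the SQL text, so no escaping function is needed at all and the mysql_escape_string versus mysql_real_escape_string question goes away (the mysql_* functions themselves were removed in PHP 7). It validates with isset() and trim() rather than empty(), because empty('0') is true in PHP and would reject a field whose legitimate value is 0, it connects only after validation passes, it reports success only when a row was really inserted, and it HTML-escapes the name before echoing it back. The table and column names are those from the original post; the MySQL DSN and credentials are placeholders; the phone format check is an assumption; the sample POST data is constructed; and the in-memory SQLite database exists only so the script runs without a MySQL server.

```php
<?php
// Added example, not code from erok, Don E or anyone else in this thread.
// Assumptions (labelled): table employees(firstname, lastname, phone, message) as in the
// original post; the MySQL DSN/credentials in connect() are placeholders.
declare(strict_types=1);

// Validate the four form fields. Returns [$clean, $errors].
// empty('0') is true in PHP, so empty() would reject a field whose value is "0";
// isset() plus a trim() !== '' test avoids that.
function validate_form(array $post): array
{
    $limits = ['firstname' => 50, 'lastname' => 30, 'phone' => 30, 'message' => 1000];
    $clean = [];
    $errors = [];
    foreach ($limits as $field => $max) {
        // Reject missing fields and non-strings (e.g. phone[]=x arrives as an array).
        if (!isset($post[$field]) || !is_string($post[$field])) {
            $errors[] = "$field is missing";
            continue;
        }
        $value = trim($post[$field]);
        if ($value === '') {
            $errors[] = "$field is empty";
        } elseif (mb_strlen($value) > $max) {
            // The maxlength attribute in the form is only a hint; a client can ignore it.
            $errors[] = "$field is longer than $max characters";
        } else {
            $clean[$field] = $value;
        }
    }
    // Assumed phone format: digits, spaces, '+', '-' and parentheses only.
    if (isset($clean['phone']) && !preg_match('/^[0-9 ()+\-]+$/', $clean['phone'])) {
        $errors[] = 'phone contains unexpected characters';
        unset($clean['phone']);
    }
    return [$clean, $errors];
}

// Open the connection. Called only after validation has passed.
function connect(): PDO
{
    $opts = [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]; // failures throw instead of returning false
    // Production DSN (placeholder host, database and credentials, an assumption):
    //   return new PDO('mysql:host=localhost;dbname=db;charset=utf8mb4', 'user', 'pass', $opts);
    // An in-memory SQLite database is used here so the example runs without a MySQL server.
    $db = new PDO('sqlite::memory:', null, null, $opts);
    $db->exec('CREATE TABLE employees (firstname TEXT, lastname TEXT, phone TEXT, message TEXT)');
    return $db;
}

// Insert with a prepared statement: the values travel separately from the SQL text,
// so quotes inside them cannot change the statement. True only if one row was inserted.
function insert_employee(PDO $db, array $row): bool
{
    $stmt = $db->prepare('INSERT INTO employees (firstname, lastname, phone, message)
                          VALUES (:firstname, :lastname, :phone, :message)');
    $stmt->execute([
        ':firstname' => $row['firstname'],
        ':lastname' => $row['lastname'],
        ':phone' => $row['phone'],
        ':message' => $row['message'],
    ]);
    return $stmt->rowCount() === 1;
}

// Constructed sample input for running from the command line (php ekle1.php):
// a last name containing a quote and an injection attempt in the comment field.
if (PHP_SAPI === 'cli' && $_POST === []) {
    $_POST = [
        'formsubmit' => 'Submit',
        'firstname' => 'Ada',
        'lastname' => "O'Brien",
        'phone' => '+1 (555) 010-0100',
        'message' => "hi'); DROP TABLE employees; --",
    ];
}

if (isset($_POST['formsubmit'])) {
    [$clean, $errors] = validate_form($_POST);
    if ($errors !== []) {
        echo 'We need you to fill out the form fields completely: ',
             htmlspecialchars(implode('; ', $errors), ENT_QUOTES, 'UTF-8'), "\n";
        exit;
    }
    try {
        $db = connect();
        $ok = insert_employee($db, $clean);
    } catch (PDOException $e) {
        error_log('insert failed: ' . $e->getMessage()); // log the detail, never show it to the user
        $ok = false;
    }
    // Success message only when the insert really happened; the echoed name is HTML-escaped.
    echo $ok
        ? 'Hi, ' . htmlspecialchars($clean['firstname'], ENT_QUOTES, 'UTF-8') . ', we submitted your form!'
        : 'Sorry, your form could not be saved.', "\n";
    if ($ok && PHP_SAPI === 'cli') {
        // Show that the hostile comment was stored as plain text and the table still exists.
        echo 'stored message: ', $db->query('SELECT message FROM employees')->fetchColumn(), "\n";
    }
}
```

Run it with `php ekle1.php` and the constructed message is stored verbatim, quote and all, because a bound parameter is data, never SQL. The same code serves the web form: when `$_POST` is populated by a real request the CLI sample is skipped. For MySQL, replace the SQLite lines in connect() with the commented DSN; the rest is unchanged.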

Yes. If you click that link it will open it up.

