Jump to content

php mysql insert


erok
 Share

Recommended Posts

Hi people, I have form and php file to process it. I am not sure about my codes and its sequences and injection and etc..I would really appreciate any constractive criticism <form method="post" action="ekle1.php" ><input type="hidden" name="page_mode" value="register" />First name:<input type="text" name="firstname" size="30" maxlenght="50" /><br />Last name:<input type="text" name="lastname" size="30" maxlenght="30" /><br />Phone number:<input type="text" name="phone" size="30" maxlenght="30" /><br /><p> <b>Comment</b></p><textarea type="text" name="message" maxlenght="1000" rows="12" col="40"></textarea><br><input type="submit" name="formsubmit" value="Submit" size="30" /></form> ekle1.php file <html><head><title>insert data to database</title></head><body>if(isset($_POST['formsubmit'])) {$error_string = '';}if(isset($_POST['firstname']) && $_POST['firstname'] != "" ){$firstname = ($_POST['firstname']);$firstname = mysql_escape_string($firstname);$error_string = ''; }if(isset($_POST['lastname']) && $_POST['lastname'] != "" ){$lastname = ($_POST['lastname']);$lastname = mysql_escape_string($lastname);$error_string = '';}if(isset($_POST['phone']) && $_POST['phone'] != "" ){$phone = ($_POST['phone']);$phone = mysql_escape_string($phone);$error_string = '';}if(isset($_POST['message']) && $_POST['message'] != "" ){$message = ($_POST['message']);$message = mysql_escape_string($message);$error_string = '';}//connect to database server$con = mysql_connect(" ", " ", " ") ;if (!$con) { die('could not connect: ' .mysql_error()); }// select databasemysql_select_db("db", $con);//sql statement is builtif($error_string == '') {mysql_query("INSERT INTO employees(firstname, lastname, phone, message)VALUES('$firstname' , '$lastname' , '$phone' , '$message')"; echo("Hi, " . $firstname . ", we submitted your form!");}else {echo "we need you to fill out the form fields completely";}//close the database connectionmysql_close($con);?></body></html>

Link to comment
Share on other sites

For the collection of if statements, I would recommend using the empty() function instead:

if(!empty($_POST['firstname'])){    $firstname = ($_POST['firstname']);    $firstname = mysql_escape_string($firstname);     $error_string = ''; }

You can actually check them all at once in one if statement like so:

if(!empty($_POST['firstname']) && !empty($_POST['lastname']) && !empty($_POST['phone']) && !empty($_POST['message'])){      // set your variables here and query database since all fields are NOT empty and contain values that are not equal to NULL and/or 0 (zero)}else{    echo 'Please fill in all fields!';}

empty() is good because it checks to see if the value is not null. isset() checks to see if a variable has been set, and it if its set to zero 0, it still still considered 'set'. If a variable is set to 0 when using function empty(), it's considered 'empty'.

  • Like 1
Link to comment
Share on other sites

Thanks Don E ,Where am i suppose to place connection section on the php file. "$con = mysql_connect(" ", " ", " ") ;if (!$con) { die('could not connect: ' .mysql_error()); }mysql_select_db(" ", $con) ; ". What is the logical flow of the program? Does it make any difference if i have the file connect at the top or just before mysql_query.Does sequence make any difference?

Link to comment
Share on other sites

If you're going to be making queries throughout the page, probably best to have it at the top then. In your case with the example, it would be okay to have it right before the query. Actually, its not a bad idea to have it after once all the form data is filled(meaning, once it clears validation; the if statements checking if the $_POST's are empty or not) and ready to be uploaded to the database.

Link to comment
Share on other sites

Does sequence make any difference?
Sequence matters. php parse line by line. you have to make the conection before you use it anywhere.
$message = ($_POST['message']);$message = mysql_escape_string($message);
You done need to use parens around variable when you assign.use http://php.net/mysql_real_escape_string instead of mysql_escape_string()
echo("Hi, " . $firstname . ", we submitted your form!");
now it will not matter query inserted or not it will print it. you may like to make it conditional so that it only print it when truly query inserted. check mysql_query() return value to determine succefull query.
Link to comment
Share on other sites

yes. if you click that link it will open it up

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...