xerox02 Posted July 23, 2010 Share Posted July 23, 2010 Here is the part of my site that has access to my mysql tables http://excusesexcuses.net/submit1.php . I don't know why when I look at my table, I have some empty rows for no reason. It would seem impossible with the way my php is to have empty entries. When my program has a empty field, it WON't even go to mysql. If people want to see the code: <?php $con = mysql_connect("","",""); if (!$con) { die('Could not connect: ' . mysql_error()); } mysql_select_db("mydatabase", $con); require_once('recaptchalib.php'); $privatekey = ""; $resp = recaptcha_check_answer ($privatekey, $_SERVER["REMOTE_ADDR"], $_POST["recaptcha_challenge_field"], $_POST["recaptcha_response_field"]); $sql="INSERT INTO `pendingquotes` (`quotes`, `email`, `name`) VALUES('".$_POST[quotes]."','".$_POST[email]."','".$_POST[name]."')"; $quote = $_POST['quotes']; if (!$resp->is_valid) { // What happens when the CAPTCHA was entered incorrectly die ("The reCAPTCHA wasn't entered correctly. Go back and try it again."); } else { if(empty($quote)) { // Tell them they missed a required field echo 'You did not write a quote.'; mysql_close($con); } else { mysql_query($sql,$con) or die(mysql_error()); echo 'Thanks for your submission '; mysql_close($con); } } ?> Quote Link to comment Share on other sites More sharing options...
xerox02 Posted July 23, 2010 Author Share Posted July 23, 2010 I trimmed the variable with trim(); Hopefully that fixed it. Quote Link to comment Share on other sites More sharing options...
xerox02 Posted July 25, 2010 Author Share Posted July 25, 2010 bump Quote Link to comment Share on other sites More sharing options...
Mchl Posted July 25, 2010 Share Posted July 25, 2010 Come on... you're inserting $_POST values straight into SQL? Ever heard of SQL injection? Quote Link to comment Share on other sites More sharing options...
xerox02 Posted July 27, 2010 Author Share Posted July 27, 2010 So would this solve the problem. $sql="INSERT INTO `pendingquotes` (`quotes`, `email`, `name`) VALUES('".$_POST[quotes]."','".$_POST[email]."','".$_POST[name]."')"; $quote = $_POST['quotes']; mysql_real_escape_string($quote); $trimmed = trim($quote); $quote1 = $_POST['email']; mysql_real_escape_string($quote1); $trimmed = trim($quote1); $quote2 = $_POST['name']; mysql_real_escape_string($quote2); $trimmed = trim($quote2); Quote Link to comment Share on other sites More sharing options...
Zane Posted July 27, 2010 Share Posted July 27, 2010 No, you didn't even put the escaped values into the query in that snippet $sql="INSERT INTO `pendingquotes` (`quotes`, `email`, `name`) VALUES('".$quote."','".$quote1."','".$quote2."')"; Quote Link to comment Share on other sites More sharing options...
xerox02 Posted July 27, 2010 Author Share Posted July 27, 2010 No, you didn't even put the escaped values into the query in that snippet $sql="INSERT INTO `pendingquotes` (`quotes`, `email`, `name`) VALUES('".$quote."','".$quote1."','".$quote2."')"; oh, thanks you! lol Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.