mcc_22ri Posted May 19, 2012

Hi Everyone, I'm trying to figure out why my form isn't accepting any values I put into it. I've been trying to figure this out for the past 2 hrs and I'm stumped. Any ideas please let me know. Thanks everyone!

http://whatsmyowncarworth.com/auto/form2.php

```php
<?php
include('init.php');

$firstname = mysql_real_escape_string($_POST['firstname']);
$lastname = mysql_real_escape_string($_POST['lastname']);
$address = mysql_real_escape_string($_POST['address']);
$state = mysql_real_escape_string($_POST['state']);
$city = mysql_real_escape_string($_POST['city']);

$sql="INSERT INTO customers (first_name, last_name, address, state, city) VALUES('$firstname','$lastname','$address','$state','$city')";

if ($firstname && $lastname && $address && $state && $city) {
} else
    echo "You must fill the entire form!";
?>
```

http://whatsmyowncarworth.com/auto/form.php

```html
<html>
<body>
<form method="post" action="form2.php">
<table>
  <tr> <td>Firstname:</td> <td><input type="text" name="firstname"></td> </tr>
  <tr> <td>Lastname:</td> <td><input type="text" name="lastname"></td> </tr>
  <tr> <td>Address:</td> <td><input type="text" name="address"></td> </tr>
  <tr> <td>State:</td> <td><input type="text" name="state"></td> </tr>
  <tr> <td>City:</td> <td><input type="text" name="city"></td> </tr>
  <tr> <td><input type="submit" name="submit" value="Register!"></td> </tr>
</table>
</form>
</body>
</html>
```

noXstyle Posted May 19, 2012

Ok, what's the problem here? I just get text saying '1 record added' when filling the form. Did you fix this already? And yeah, you might want to do the sql insert only if the form is filled. Also you could loop the $_POST variables instead of manually assigning them:

```php
foreach($_POST as $k=>$v)
    ${$k} = mysql_real_escape_string($v);
```

mcc_22ri Posted May 19, 2012

Hi noXstyle and everyone! I was playing around with the code and got it for a few mins but if you clicked "submit" and didn't enter any information then blank info. was being inserted into my database. I changed the code around a little bit and now it really can't work. Do I have to declare the id? or perhaps my if statement is messed up. Is that where I'm going wrong? Thanks everyone!

```php
<?php
include('init.php');

$firstname = mysql_real_escape_string($_POST['firstname']);
$lastname = mysql_real_escape_string($_POST['lastname']);
$address = mysql_real_escape_string($_POST['address']);
$state = mysql_real_escape_string($_POST['state']);
$city = mysql_real_escape_string($_POST['city']);

$sql="INSERT INTO customers (first_name, last_name, address, state, city) VALUES('$firstname','$lastname','$address','$state','$city')";

if (!mysql_query ($firstname && $lastname && $address && $state && $city)) {
} else
    echo "You must fill the entire form!";
?>
```

noXstyle Posted May 19, 2012

Ok, so yea now you got it all wrong... Line:

```php
if (!mysql_query ($firstname && $lastname && $address && $state && $city)) {
```

doesn't do anything. When you insert data you do mysql_query($sql). Also that checks if mysql_query() fails. And it does indeed without proper query. My suggestion to your code would be:

```php
<?php
include('init.php');

foreach($_POST as $k=>$v)
    ${$k} = mysql_real_escape_string($v);

if (!empty($firstname) && !empty($lastname) && !empty($address) && !empty($state) && !empty($city)) {
    $sql="INSERT INTO customers (first_name, last_name, address, state, city) VALUES('$firstname','$lastname','$address','$state','$city')";

    if(!mysql_query($sql))
        echo 'Error while inserting data to database';
    else {
        // no empty values and database insert was successful, output success message or something
    }
} else
    echo "You must fill the entire form!";
```

PFMaBiSmAd Posted May 19, 2012

noXstyle, sorry to shoot down your suggested code, but you should never blindly loop over external data and populate php program variables based on keys/names from the external data. That emulates what the hacker-friendly register_globals did and allows a hacker to set any program variable to any value he wants. If the code in question has any security related variables - $loggedin, $admin, $userid, ..., your code just provided a hacker with a way to become logged in, an admin, or any userid he chooses.

You would instead loop over an array or list of expected external variable names or add a unique prefix to the resulting php variables that would prevent overwriting any existing php variables.
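
Added example, not part of the thread or any poster's code: the loop PFMaBiSmAd objects to, next to a loop over the list of expected names as he recommends, using the five field names from the form above. `$admin`, `unsafe_import()` and `read_expected()` are hypothetical names, and the request array is constructed.

```php
<?php
// Added example (not from the thread). $admin and both function names are hypothetical.

// The criticised pattern: every key in the request becomes a local variable.
function unsafe_import(array $post): bool
{
    $admin = false;                 // security-relevant program state
    foreach ($post as $k => $v) {
        ${$k} = $v;                 // a request key named "admin" overwrites $admin
    }
    return (bool) $admin;
}

// The recommended pattern: loop over the names the form is expected to send.
// Returns trimmed values keyed by field name, or null if any field is missing,
// empty, or not a string (a request field like firstname[]=x arrives as an array).
function read_expected(array $post, array $expected): ?array
{
    $clean = [];
    foreach ($expected as $name) {
        if (!isset($post[$name]) || !is_string($post[$name])) {
            return null;
        }
        $value = trim($post[$name]);
        if ($value === '') {
            return null;
        }
        $clean[$name] = $value;
    }
    return $clean;
}

$expected = ['firstname', 'lastname', 'address', 'state', 'city'];

// Constructed request: the five form fields plus one key the form never sends.
$post = [
    'firstname' => 'Ann', 'lastname' => 'Lee', 'address' => '1 Main St',
    'state' => 'RI', 'city' => 'Providence', 'admin' => '1',
];

// The extra key reaches $admin in the first function and is never read by the second.
var_dump(unsafe_import($post));
var_dump(read_expected($post, $expected));

// An incomplete submission is rejected as a whole instead of inserting blanks.
var_dump(read_expected(['firstname' => 'Ann'], $expected));
```

The values returned by `read_expected()` are still raw input; they have to be escaped or bound as query parameters before they go into the INSERT.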

noXstyle Posted May 19, 2012

> noXstyle, sorry to shoot down your suggested code, but you should never blindly loop over external data and populate php program variables based on keys/names from the external data. That emulates what the hacker-friendly register_globals did and allows a hacker to set any program variable to any value he wants. If the code in question has any security related variables - $loggedin, $admin, $userid, ..., your code just provided a hacker with a way to become logged in, an admin, or any userid he chooses.
>
> You would instead loop over an array or list of expected external variable names or add a unique prefix to the resulting php variables that would prevent overwriting any existing php variables.

Oh sh*t, yeah sorry.. I was wrong here. To be honest, the idea of somebody storing security related data as included variables didn't even cross my mind. Thank you PFMaBiSmAd for straightening this out. I was going to run an escape loop through the post superglobal but couldn't be arsed to change the variable names.

mcc_22ri Posted May 19, 2012

Hi noXstyle and PFMaBiSmAd. I appreciate the responses but I'm a little confused as to how the code should appear on my website? What should/shouldn't I do? Also, the code that noXstyle wrote I'm not going to use it on my website but there's one small piece of the code I don't understand. It's this part:

```php
foreach($_POST as $k=>$v)
    ${$k} = mysql_real_escape_string($v);
```

Where did you get the $k and $v variables from? The rest of the code I can read/understand but that's one part that does not make any sense to me. Please advise and thanks for everyone's help!

Barand Posted May 20, 2012

$k and $v are the keys and values of the elements of the $_POST array

http://php.net/manual/en/control-structures.foreach.php