andylord56, posted April 7, 2013:

I have a website for a client, but the database which is set up for it is getting blank information sent to it. I have tested the forms; they send fine on my end, but I am still getting them and do not understand how or why. The forms are protected by saying they must have a value in them, and the database has NOT NULL on it, but it still ends up with nothing in it. I am very confused on this one. Anyone have any ideas on this or need more information?

trq, posted April 7, 2013:

> anyone have any ideas on this or need more information

What steps (if any) have you taken to debug the issue?

andylord56 (author), posted April 10, 2013:

> What steps (if any) have you taken to debug the issue?

Well, I thought that changing the PHP of the site to stop blank entries in it would stop it, but it hasn't, and I tried changing the database, but that has had no luck as well.

mac_gyver, posted April 10, 2013:

Just some guesses -

1) You are not validating the data in PHP form processing code. Doing this in the form won't stop anyone from submitting anything they want or from submitting empty values.

2) Empty form fields are not null values. They are empty strings. Putting an empty string or a non-existent variable inside of ' ' in your query makes them into empty strings, and the database is 100% okay with inserting empty strings.

3) The data might actually be white space characters: space, tab, newlines.

You need to trim, filter, validate, and escape the data in the PHP form processing code.

andylord56 (author), posted April 11, 2013:

> Just some guesses -
> 1) You are not validating the data in PHP form processing code. Doing this in the form won't stop anyone from submitting anything they want or from submitting empty values.
> 2) Empty form fields are not null values. They are empty strings. Putting an empty string or a non-existent variable inside of ' ' in your query makes them into empty strings, and the database is 100% okay with inserting empty strings.
> 3) The data might actually be white space characters: space, tab, newlines.
> You need to trim, filter, validate, and escape the data in the PHP form processing code.

The forms are validated, and it is set as NOT NULL. How do I stop empty strings? That may be what's happening.

mac_gyver, posted April 11, 2013:

Posting both your form and your PHP form processing code would allow someone to see what your code is doing and what to change in it.

andylord56 (author), posted April 12, 2013:

> Posting both your form and your PHP form processing code would allow someone to see what your code is doing and what to change in it.

<div class="formHolder">
<form id="instantQuote">
  <b>Postcode:</b><label for="postcode"></label>
  <input id="postcode" type="text" min="6" placeholder="E.g. BL1 5HT" required="" />
  <p id="postcode_error">Enter your postcode</p>
  <hr />
  <b>Property Type:</b>
  <select id="property">
    <option>Please select an option</option>
    <option>Semi Detatched House</option>
    <option>Detached House</option>
    <option>Terraced House</option>
    <option>Bungalow</option>
    <option>Shop (A2 of any kind)</option>
  </select>
  <p id="property_error">Choose your property type</p>
  <hr />
  <b>Extension Location:</b>
  <select id="extension">
    <option>Please select an option</option>
    <option>Front Extension</option>
    <option>Rear Single Storey Extension</option>
    <option>Rear Double Storey Extension</option>
    <option>Side Single Storey Extension</option>
    <option>Side Double Storey Extension</option>
    <option>Loft Conversion (with or without dormers)</option>
  </select>Choose your extension location
  <hr />
  <b>Approx floor area (metres square, max 20)</b>
  Length<input id="length" type="number" max="20" min="1" placeholder="E.g. 12" required="" />
  Width<input id="width" type="number" max="20" min="1" placeholder="E.g. 14" required="" />
  <p id="floor_error">Specify the approximate floor area</p>
  <input id="submit" type="submit" value="Get Quote Now!" />
  <input class="reset" type="button" value="Reset" />
</form>
<p id="result"></p>
</div>
<div class="formHolder">
<form id="reqCallback" action="quote.php" method="post">HFS Planning can offer helpful and friendly advice about any work you are thinking about having done on your property. To request a free, no obligation telephone callback regarding your quote please enter your details here.
  <b>Full Name</b> <label for="name"></label>
  <input id="name" type="text" placeholder="" required="" />
  <p id="name_error">Please enter your name</p>
  <b>Your Telephone Number</b> <label for="tel"></label>
  <input id="tel" type="text" placeholder="" required="" />
  <p id="tel_error">Please enter your telephone number</p>
  <b>Your Quote Details:</b>
  <input id="submitReq" type="submit" value="Request Callback" />
  <input class="reset" type="button" value="Reset" />
</form>
<p id="success"></p>

<?php
include 'connect.php';

$postcode = $_POST['postcode'];
$property = $_POST['property'];
$extension = $_POST['extension'];
$floorArea = $_POST['floorArea'];
$quote = $_POST['quote'];
$name = $_POST['name'];
$tel = $_POST['tel'];

//sanitise input
function cleanInput($input) {
    $search = array(
        '@<script[^>]*?>.*?</script>@si', // Strip out javascript
        '@<[\/\!]*?[^<>]*?>@si', // Strip out HTML tags
        // Strip style tags properly
        '@<![\s\S]*?--[ \t\n\r]*>@' // Strip multi-line comments
    );
    $output = preg_replace($search, '', $input);
    return $output;
}

$postcode = cleanInput($postcode);
$property = cleanInput($property);
$extension = cleanInput($extension);
$floorArea = cleanInput($floorArea);
$quote = cleanInput($quote);
$name = cleanInput($name);
$tel = cleanInput($tel);

//remove any slashes from inputs
$postcode = stripslashes($postcode);
$property = stripslashes($property);
$extension = stripslashes($extension);
$floorArea = stripslashes($floorArea);
$quote = stripslashes($quote);
$name = stripslashes($name);
$tel = stripslashes($tel);

$date = date('d-m-Y H:i:s');

$insert = "INSERT INTO database (postcode, propertytype, extensionlocation, floorarea, quote, name, telephonenumber, date) VALUES ('$postcode', '$property', '$extension', '$floorArea', '$quote', '$name', '$tel', '$date')";
$updateresult = $db->query($insert);

if($updateresult){
    $to = "email";
    $subject = "subject";
    $message = "message $name has contacted you at $date database link: /database.php";
    $headers = "From:" . $from;
    mail($to,$subject,$message,$headers);
    echo "Mail Sent.";
}
exit();

mac_gyver, posted April 13, 2013:

Your form processing code isn't testing if there is any data in any of the variables, and it isn't even testing if a form was submitted.

For each piece of submitted data you need to define what is an acceptable value and if it is required or if it can be empty. For required fields, at a minimum, you need to trim the data value, and if it is empty, don't even run the code for the database query.

andylord56 (author), posted April 13, 2013:

> Your form processing code isn't testing if there is any data in any of the variables, and it isn't even testing if a form was submitted.
> For each piece of submitted data you need to define what is an acceptable value and if it is required or if it can be empty. For required fields, at a minimum, you need to trim the data value, and if it is empty, don't even run the code for the database query.

Can you provide an example, please?

mac_gyver, posted April 13, 2013:

One of the original purposes of PHP was to be a "Forms Interpreter" (FI). There's probably 2,000,000 examples of PHP code that checks submitted form data posted all over the place on the Internet for you to find.
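
An added example, not part of the original thread, of the server-side check described in the replies: trim each required field, reject empty or unexpected values, and skip the query entirely when anything fails. The helper names, the `callbacks` table, the telephone pattern and the in-memory SQLite database are assumptions for illustration; the field names and property options are taken from the posted form and PHP.

```php
<?php
// Allowed values, spelled exactly as in the form's property <select>.
const PROPERTY_TYPES = ['Semi Detatched House', 'Detached House',
    'Terraced House', 'Bungalow', 'Shop (A2 of any kind)'];

// Hypothetical helper: returns [trimmed values, errors keyed by field].
function validateCallback(array $post): array
{
    $clean = $errors = [];
    foreach (['postcode', 'property', 'name', 'tel'] as $field) {
        $value = $post[$field] ?? '';
        // A missing field or an array value (name[]=x) is treated as empty.
        $clean[$field] = is_string($value) ? trim($value) : '';
        if ($clean[$field] === '') {
            $errors[$field] = 'required';
        }
    }
    if (!isset($errors['property']) && !in_array($clean['property'], PROPERTY_TYPES, true)) {
        $errors['property'] = 'not an allowed option';
    }
    // Assumed pattern: optional leading +, then 7 to 20 digits or spaces.
    if (!isset($errors['tel']) && !preg_match('/^\+?[0-9 ]{7,20}$/', $clean['tel'])) {
        $errors['tel'] = 'not a telephone number';
    }
    return [$clean, $errors];
}

// Hypothetical helper: the INSERT runs only when there are no errors.
// In a real handler, call it only if $_SERVER['REQUEST_METHOD'] === 'POST'.
function saveCallback(PDO $db, array $post): array
{
    [$clean, $errors] = validateCallback($post);
    if ($errors === []) {
        // Placeholders keep submitted text out of the SQL string itself.
        $stmt = $db->prepare('INSERT INTO callbacks (postcode, propertytype, name, telephonenumber)
                              VALUES (:postcode, :property, :name, :tel)');
        $stmt->execute($clean);
    }
    return $errors;
}

// Constructed demo: in-memory SQLite stands in for the real database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE callbacks (postcode TEXT NOT NULL, propertytype TEXT NOT NULL,
           name TEXT NOT NULL, telephonenumber TEXT NOT NULL)');
$blank = ['postcode' => "  \t", 'property' => '', 'name' => "\n", 'tel' => ''];
$good = ['postcode' => 'BL1 5HT', 'property' => 'Bungalow', 'name' => 'A. Tester', 'tel' => '01204 000000'];
var_dump(saveCallback($db, $blank)); // whitespace-only submission
var_dump(saveCallback($db, $good));  // well-formed submission
var_dump((int) $db->query('SELECT COUNT(*) FROM callbacks')->fetchColumn());
```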