Jump to content

Recommended Posts

i have a website for a client but the database which is setup for it is getting blank information sent to it i have tested to forms they send fine on my end, but am still getting them and do not understand how or why the forms are protected by saying they must have a value in them and the database has not null on it but still ends up with nothing in it am very confused on this one anyone have any ideas on this or need more information ?

just some guesses -

 

1) you are not validating the data in php form processing code. doing this in the form won't stop anyone from submitting anything they want or from submitting empty values.

 

2) empty form fields are not null values. they are empty strings. putting an empty string or a non-existent variable inside of ' ' in your query makes them into empty strings and the database is 100% okay with inserting empty strings.

 

3) the data might actually be white space characters, space, tab, newlines

 

you need to trim, filter, validate, and escape the data in the php form processing code.

just some guesses -

 

1) you are not validating the data in php form processing code. doing this in the form won't stop anyone from submitting anything they want or from submitting empty values.

 

2) empty form fields are not null values. they are empty strings. putting an empty string or a non-existent variable inside of ' ' in your query makes them into empty strings and the database is 100% okay with inserting empty strings.

 

3) the data might actually be white space characters, space, tab, newlines

 

you need to trim, filter, validate, and escape the data in the php form processing code.

 

the forms are validated, it is set as not null how do i stop empty strings that may be whats happening ? 

posting both your form and your php form processing code would allow someone to see what your code is doing and what to change in it.

<div class="formHolder"><form id="instantQuote"><b>Postcode:</b><label for="postcode"></label>
<input id="postcode" type="text" min="6" placeholder="E.g. BL1 5HT" required="" />
<p id="postcode_error">Enter your postcode</p>


<hr />

<b>Property Type:</b>

<select id="property"><option>Please select an option</option><option>Semi Detatched House</option><option>Detached House</option><option>Terraced House</option><option>Bungalow</option><option>Shop (A2 of any kind)</option></select>
<p id="property_error">Choose your property type</p>


<hr />

<b>Extension Location:</b>

<select id="extension"><option>Please select an option</option><option>Front Extension</option><option>Rear Single Storey Extension</option><option>Rear Double Storey Extension</option><option>Side Single Storey Extension</option><option>Side Double Storey Extension</option><option>Loft Conversion (with or without dormers)</option></select>Choose your extension location

<hr />

<b>Approx floor area (metres square, max 20)</b>

Length<input id="length" type="number" max="20" min="1" placeholder="E.g. 12" required="" />
Width<input id="width" type="number" max="20" min="1" placeholder="E.g. 14" required="" />
<p id="floor_error">Specify the approximate floor area</p>
<input id="submit" type="submit" value="Get Quote Now!" />
<input class="reset" type="button" value="Reset" />

</form>
<p id="result"></p>

</div>
<div class="formHolder"><form id="reqCallback" action="quote.php" method="post">HFS Planning can offer helpful and friendly advice about any work you are thinking about having done on your property. To request a free, no obligation telephone callback regarding your quote please enter your details here.

<b>Full Name</b>

 

<label for="name"></label>
<input id="name" type="text" placeholder="" required="" />
<p id="name_error">Please enter your name</p>
<b>Your Telephone Number</b>

 

<label for="tel"></label>
<input id="tel" type="text" placeholder="" required="" />
<p id="tel_error">Please enter your telephone number</p>
 

<b>Your Quote Details:</b>

<input id="submitReq" type="submit" value="Request Callback" />
<input class="reset" type="button" value="Reset" />

</form>
<p id="success"></p>
<?php

		include 'connect.php';		
		
		$postcode = $_POST['postcode']; 
		$property = $_POST['property']; 
		$extension = $_POST['extension']; 
		$floorArea = $_POST['floorArea']; 
		$quote = $_POST['quote']; 
		$name = $_POST['name']; 
		$tel = $_POST['tel'];
		
		
			//sanitise input
			
		function cleanInput($input) {

		  $search = array(
			'@<script[^>]*?>.*?</script>@si',   // Strip out javascript
			'@<[\/\!]*?[^<>]*?>@si',            // Strip out HTML tags
			    // Strip style tags properly
			'@<![\s\S]*?--[ \t\n\r]*>@'         // Strip multi-line comments
		  );
		 
			$output = preg_replace($search, '', $input);
			return $output;
		}
			
		$postcode = cleanInput($postcode);
		$property = cleanInput($property);
		$extension = cleanInput($extension);
		$floorArea = cleanInput($floorArea);
		$quote = cleanInput($quote);
		$name = cleanInput($name);
		$tel = cleanInput($tel);
		

		//remove any slashes from inputs 
		
		$postcode = stripslashes($postcode);
		$property = stripslashes($property);
		$extension = stripslashes($extension);
		$floorArea = stripslashes($floorArea);
		$quote = stripslashes($quote);
		$name = stripslashes($name);
		$tel = stripslashes($tel);	
		
		$date = date('d-m-Y H:i:s');
		
				
		$insert = "INSERT INTO database (postcode, propertytype, extensionlocation, floorarea, quote, name, telephonenumber, date) VALUES ('$postcode', '$property', '$extension', '$floorArea', '$quote', '$name', '$tel', '$date')";
			
		$updateresult = $db->query($insert);
		
		if($updateresult){
			
			$to = "email";
$subject = "subject";
$message = "message $name has contacted you at $date
database link: /database.php";
$headers = "From:" . $from;
mail($to,$subject,$message,$headers);
echo "Mail Sent.";
			
			}exit();

your form processing code isn't testing if there is any data in any of the variables and it isn't even testing if a form was submitted.

 

for each piece of submitted data you need to define what is an acceptable value and if it is required or if it can be empty. for required fields, at a minimum, you need to trim the data value and if it is empty, don't even run the code for the database query.

your form processing code isn't testing if there is any data in any of the variables and it isn't even testing if a form was submitted.

 

for each piece of submitted data you need to define what is an acceptable value and if it is required or if it can be empty. for required fields, at a minimum, you need to trim the data value and if it is empty, don't even run the code for the database query.

 

can you provide an example please

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.