
My form isn't accepting inputted values?


mcc_22ri


Hi Everyone,

 

I'm trying to figure out why my form isn't accepting any values I put into it. I've been trying to figure this out for the past 2 hrs and I'm stumped. Any ideas, please let me know. Thanks everyone!

 

http://whatsmyowncarworth.com/auto/form2.php

 

<?php
include('init.php');

$firstname = mysql_real_escape_string($_POST['firstname']);
$lastname = mysql_real_escape_string($_POST['lastname']);
$address = mysql_real_escape_string($_POST['address']);
$state = mysql_real_escape_string($_POST['state']);
$city = mysql_real_escape_string($_POST['city']);

$sql="INSERT INTO customers (first_name, last_name, address, state, city)
VALUES('$firstname','$lastname','$address','$state','$city')";

if ($firstname && $lastname && $address && $state && $city) {

} else
echo "You must fill the entire form!";

?>

 

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

 

http://whatsmyowncarworth.com/auto/form.php

 

<html>
<body>

<form method="post" action="form2.php">
    <table>
        <tr>
            <td>Firstname:</td>
            <td><input type="text" name="firstname"></td>
        </tr>
        <tr>
            <td>Lastname:</td>
            <td><input type="text" name="lastname"></td>
        </tr>
        <tr>
            <td>Address:</td>
            <td><input type="text" name="address"></td>
        </tr>
        <tr>
            <td>State:</td>
            <td><input type="text" name="state"></td>
        </tr>
        <tr>
            <td>City:</td>
            <td><input type="text" name="city"></td>
        </tr>
        <tr>
            <td><input type="submit" name="submit" value="Register!"></td>
        </tr>
    </table>
</form>

</body>
</html>


OK, what's the problem here? I just get text saying '1 record added' when filling the form. Did you fix this already?

 

And yeah, you might want to do the sql insert only if the form is filled.

 

Also you could loop the $_POST variables instead of manually assigning them:

foreach($_POST as $k=>$v)
${$k} = mysql_real_escape_string($v);

 


Hi noXstyle and everyone!

 

I was playing around with the code and got it for a few mins, but if you clicked "submit" and didn't enter any information then blank info was being inserted into my database. I changed the code around a little bit and now it really can't work. Do I have to declare the id? Or perhaps my if statement is messed up. Is that where I'm going wrong? Thanks everyone!

 

<?php
include('init.php');

$firstname = mysql_real_escape_string($_POST['firstname']);
$lastname = mysql_real_escape_string($_POST['lastname']);
$address = mysql_real_escape_string($_POST['address']);
$state = mysql_real_escape_string($_POST['state']);
$city = mysql_real_escape_string($_POST['city']);

$sql="INSERT INTO customers (first_name, last_name, address, state, city)
VALUES('$firstname','$lastname','$address','$state','$city')";

if (!mysql_query ($firstname && $lastname && $address && $state && $city)) {

} else
echo "You must fill the entire form!";

?>


OK, so yeah, now you got it all wrong... Line:

if (!mysql_query ($firstname && $lastname && $address && $state && $city)) {

doesn't do anything. When you insert data you do mysql_query($sql). Also that checks if mysql_query() fails. And it does indeed without proper query. My suggestion to your code would be:

 

<?php
include('init.php');

// Escape every posted value and drop it into a variable of the same name
foreach($_POST as $k=>$v)
    ${$k} = mysql_real_escape_string($v);

// Only build and run the INSERT when every field was filled in
if (!empty($firstname) && !empty($lastname) && !empty($address) && !empty($state) && !empty($city)) {
    $sql="INSERT INTO customers (first_name, last_name, address, state, city)
    VALUES('$firstname','$lastname','$address','$state','$city')";
    if(!mysql_query($sql))
        echo 'Error while inserting data to database';
    else
        // no empty values and database insert was successful
        echo '1 record added';
} else
    echo "You must fill the entire form!";
?>


noXstyle, sorry to shoot down your suggested code, but you should never blindly loop over external data and populate php program variables based on keys/names from the external data. That emulates what the hacker-friendly register_globals did and allows a hacker to set any program variable to any value he wants. If the code in question has any security related variables - $loggedin, $admin, $userid, ..., your code just provided a hacker with a way to become logged in, an admin, or any userid he chooses.

 

You would instead loop over an array or list of expected external variable names or add a unique prefix to the resulting php variables that would prevent overwriting any existing php variables.

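The whitelist approach described above, written out as an added example (not code from anyone in this thread). It reads only the names the form is known to send into one array, so an extra key in the request can never overwrite a variable like $admin, and it assumes init.php provides a mysqli connection in $db (the thread's init.php is not shown).

```php
<?php
// Added example: whitelist of expected fields instead of
// `foreach ($_POST as $k => $v) ${$k} = ...`. Unexpected keys are ignored.
// Assumes init.php (not shown in the thread) sets up a mysqli object $db.

$expected = ['firstname', 'lastname', 'address', 'state', 'city'];

// Returns the expected fields, trimmed and keyed by name, or null if any
// is missing or empty; keys in $post that are not expected are dropped.
function collect_form_fields(array $post, array $expected)
{
    $fields = [];
    foreach ($expected as $name) {
        $value = isset($post[$name]) ? trim((string) $post[$name]) : '';
        if ($value === '') {
            return null;
        }
        $fields[$name] = $value;
    }
    return $fields;
}

// Inserts with a prepared statement: values are bound, never spliced into
// the SQL string, so mysql_real_escape_string() is not needed at all.
function insert_customer(mysqli $db, array $f)
{
    $stmt = $db->prepare(
        'INSERT INTO customers (first_name, last_name, address, state, city)
         VALUES (?, ?, ?, ?, ?)');
    $stmt->bind_param('sssss', $f['firstname'], $f['lastname'],
                      $f['address'], $f['state'], $f['city']);
    return $stmt->execute();
}

// Constructed request: the five form fields plus an extra key a client could
// append. With the blind loop this request would have created $admin = '1'.
$post  = ['firstname' => 'Jane', 'lastname' => "O'Neil", 'address' => '1 Main St',
          'state' => 'CA', 'city' => 'Fresno', 'admin' => '1'];
$admin = false;

$fields = collect_form_fields($post, $expected);
if ($fields === null) {
    echo "You must fill the entire form!\n";
} else {
    var_dump($admin);                  // still bool(false)
    var_dump(array_keys($fields));     // only the five expected names
    if (isset($db) && $db instanceof mysqli) {   // only when init.php ran
        echo insert_customer($db, $fields) ? "1 record added\n" : "Insert failed\n";
    }
}
```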

noXstyle, sorry to shoot down your suggested code, but you should never blindly loop over external data and populate php program variables based on keys/names from the external data. That emulates what the hacker-friendly register_globals did and allows a hacker to set any program variable to any value he wants. If the code in question has any security related variables - $loggedin, $admin, $userid, ..., your code just provided a hacker with a way to become logged in, an admin, or any userid he chooses.

 

You would instead loop over an array or list of expected external variable names or add a unique prefix to the resulting php variables that would prevent overwriting any existing php variables.

 

Oh sh*t, yeah sorry.. I was wrong here. To be honest, the idea of somebody storing security related data as included variables didn't even cross my mind. Thank you PFMaBiSmAd for straightening this out. I was going to run an escape loop through the post superglobal but couldn't be arsed to change the variable names.


Hi noXstyle and PFMaBiSmAd.

 

I appreciate the responses, but I'm a little confused as to how the code should appear on my website. What should/shouldn't I do?

 

Also, the code that noXstyle wrote I'm not going to use on my website, but there's one small piece of the code I don't understand.

 

It's this part

foreach($_POST as $k=>$v)
${$k} = mysql_real_escape_string($v);

 

Where did you get the $k and $v variables from? The rest of the code I can read/understand, but that's one part that does not make any sense to me. Please advise, and thanks for everyone's help!

 
