0

I built a song request form for my wedding website and would like to check if the variables I am storing the form input in are empty before POST'ing to the database. My goal is simple: prevent blank rows from being added to the MySQL db when the form is fired off.

 <?php 
// extract data from form; store in variable
$artist =  $_POST["artist"];
$song = $_POST["song"];

// connect to server 
$conn = mysql_connect('host', 'user', 'pass');


// check if you can connect; if not then die

if (!$conn) {
    echo "<center>";
    die('Could Not Connect: ' . mysql_error());
    echo "</center>";
    }

// check if you can select the database; if not then die

$db = mysql_select_db('database', $conn);

if (!$db) {
    echo "<center>";
    die('Database Not Selected: ' . mysql_error());
    echo "</center>";
    }

// Define the query to insert the song request
$insert = mysql_query("INSERT INTO Songs (Artist, Song) VALUES ('$artist', '$song')");  

// check if above variables are empty 
if (!empty($artist) and !empty($song)) {
    echo "<center>";
    echo "Insert was succesful<br>";
    echo "<a href='index.html' target='_self' >Back</a>";
    echo "</center>";
}
else {
    echo "<center>";
    die("Please fill in at least the artist name");
    echo "</center>";
}

// close the connection to the server
mysql_close($conn);
?>

I have the above in a file called insert.php, which is fired off when the form on the index page is submitted. The form is submitted using POST and works just fine; however, I would like to prevent blank submissions from happening.

Very new to programming and want to learn how to do this right.

Thanks for your patience.

user1763208

5 Answers

4

Please, don't use mysql_* functions in new code. They are no longer maintained and are officially deprecated. See the red box? Learn about prepared statements instead, and use PDO, or MySQLi - this article will help you decide which. If you choose PDO, here is a good tutorial.

However, as a straightforward answer to your question: instead of validating after you've inserted the results, validate before. Also, remember to sanitize (using mysql_real_escape_string) anything you insert into a database if you do use mysql_* functions. Sanitizing inputs will prevent SQL injections and remove some vulnerability issues.

if($errors) {
    // there are errors, don't submit to database
    // run through error display process

} else {
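    // escape the values, then submit to database
    $artist = mysql_real_escape_string($artist);
    $song = mysql_real_escape_string($song);
    $insert = mysql_query("INSERT INTO Songs (Artist, Song) VALUES ('$artist', '$song')");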
}
jeremy
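
The advice in the answer above (validate before inserting, and use a PDO prepared statement rather than building the query string), as an added example that is not code from the thread. The function names `cleanField` and `addSongRequest`, the 255-byte length limit, and the in-memory SQLite database standing in for the MySQL server are assumptions.

```php
<?php
// Added example, not from the thread. cleanField/addSongRequest are hypothetical names.
function cleanField(array $post, string $key, int $maxLen = 255): ?string
{
    // Reject missing keys and array payloads such as artist[]=x.
    if (!isset($post[$key]) || !is_string($post[$key])) {
        return null;
    }
    $value = trim($post[$key]);
    // Compare with '' instead of empty(): empty("0") is true, so empty()
    // would reject a title that is just the character 0.
    if ($value === '' || strlen($value) > $maxLen) {
        return null;
    }
    return $value;
}

function addSongRequest(PDO $pdo, array $post): array
{
    $artist = cleanField($post, 'artist');
    $song   = cleanField($post, 'song');
    $errors = [];
    if ($artist === null) { $errors[] = 'Please fill in the artist name'; }
    if ($song === null)   { $errors[] = 'Please fill in the song title'; }
    if ($errors) {
        return $errors; // validation failed: nothing reaches the database
    }
    // Placeholders keep the submitted values out of the SQL text.
    $stmt = $pdo->prepare('INSERT INTO Songs (Artist, Song) VALUES (:artist, :song)');
    $stmt->execute([':artist' => $artist, ':song' => $song]);
    return [];
}

// Constructed demo: in-memory SQLite stands in for the MySQL server (assumption).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE Songs (Artist TEXT NOT NULL, Song TEXT NOT NULL)');

$samples = [ // constructed form submissions
    ['artist' => '', 'song' => '   '],
    ['artist' => "Example O'Artist", 'song' => "It's a Sample"],
    ['artist' => 'Example Artist', 'song' => '0'],
];
foreach ($samples as $post) {
    $errors = addSongRequest($pdo, $post);
    echo $errors ? implode('; ', $errors) : 'Inserted', PHP_EOL;
}
echo $pdo->query('SELECT COUNT(*) FROM Songs')->fetchColumn(), ' rows stored', PHP_EOL;
```

Against MySQL, construct the PDO object with a `mysql:` DSN instead; the two functions stay the same.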
2

You are so close! All you had to do was put the insert after you do a check if the artist and song are filled in!

<?php 
    // extract data from form; store in variable
    $artist =  $_POST["artist"];
    $song = $_POST["song"];

    // connect to server 
    $conn = mysql_connect('host', 'user', 'pass');

    // check if you can connect; if not then die

    if (!$conn) {
        echo "<center>";
        die('Could Not Connect: ' . mysql_error());
        echo "</center>";
    }

    // check if you can select the database; if not then die

    $db = mysql_select_db('database', $conn);

    if (!$db) {
        echo "<center>";
        die('Database Not Selected: ' . mysql_error());
        echo "</center>";
    }

    // check if above variables are empty 
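    if (!empty($artist) and !empty($song)) {
        // Escape the values before they go into the query string
        $artist = mysql_real_escape_string($artist, $conn);
        $song = mysql_real_escape_string($song, $conn);

        // Define the query to insert the song request
        $insert = mysql_query("INSERT INTO Songs (Artist, Song) VALUES ('$artist', '$song')");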

        if($insert) {
          echo "<center>";
          echo "Insert was succesful<br>";
          echo "<a href='index.html' target='_self' >Back</a>";
          echo "</center>";
        }
    }
    else {
        echo "<center>";
        die("Please fill in at least the artist name");
        echo "</center>";
    }

    // close the connection to the server
    mysql_close($conn);

That's it!

Sebastian Frohm
0

Using empty should be enough. There is isset also.

http://php.net/manual/en/function.isset.php

jose
0

Well, you already have your check with empty. Just move it before the insert and act accordingly.

if (empty($artist)) {
    echo "<center>";
    die("Please fill in at least the artist name");
    echo "</center>";
}

or check both

if (empty($artist) or empty($song)) {
...
}
Olaf Dietsche
0

First validate the variables through a function or using an if statement like:

if (!empty($artist) && !empty($song)) {
    $insert = mysql_query("INSERT INTO Songs (Artist, Song) VALUES ('"
        . mysql_real_escape_string($artist) . "', '" . mysql_real_escape_string($song) . "')");
}
zafus_coder