
I'm getting the following error when I run this code:

Parse error: syntax error, unexpected ',', expecting ')' in /Applications/XAMPP/...results.php on line 43

Line 43 corresponds to the query line below.

Here is my code. The variables are related to form inputs from a questionnaire page. $source_of_fund_1 and $source_of_fund_2 are related to radio button form inputs. The other variables are related to text fields/areas. I'm using validation of isset for the radio button variables and !empty for the text field/areas.

<?php

$source_of_fund_1 = $_POST['source_of_fund_1'];
$source_of_fund_2 = $_POST['source_of_fund_2'];
$repayment_date = $_POST['repayment_date'];
$do_differently = $_POST['do_differently'];

require_once 'connect.inc.php';

$query = "INSERT INTO tablename 
            (source_of_fund_1, source_of_fund_2, repayment_date, do_differently)
            VALUES 
            ('$source_of_fund_1', '$source_of_fund_2', '$repayment_date',  '$do_differently')";

$result = @mysqli_query($link, $query);

if (($result) && !empty($repayment_date, $do_differently) 
        && isset($source_of_fund_1, $source_of_fund_2)) {
    echo 'Thank you for your submission.';
} else {
    echo 'We were unable to process your information.'.mysqli_error($link).'Please ensure all required fields were filled out.';
}

mysqli_close($link);

?>

Any help at all would be much appreciated! Thank you!

user2547925

2 Answers


Your problem is with the empty call. It does not take more than one parameter:

!empty($repayment_date, $do_differently)

should be:

!empty($repayment_date) && !empty($do_differently)
immulatin
  • Glad to help. If it worked for you, you should accept the answer for future reference when people come across this question. – immulatin Jul 27 '13 at 18:19

The immediate issue is, I think, that you're using empty with multiple parameters - unlike isset, it only takes one.

There are a couple of other issues, though.

  1. Don't suppress any errors with the @ - if something goes wrong, you want to know about it, so you can handle it appropriately.

  2. You're passing content from $_POST directly into your SQL with no sanity checking. This is not safe. At the least you should be using mysqli_real_escape_string - but if you're using mysqli, why not make it into a prepared statement, and bind the variables instead? It's much, much safer.

andrewsi
  • Hi, thanks! What do you mean by making a prepared statement and binding the variables? – user2547925 Jul 26 '13 at 19:26
  • Have a look at this answer here: http://stackoverflow.com/a/60496/1315962 - it's a way to help you write more secure code. As things stand, if someone enters data that includes an apostrophe, it will at best break your query; and possibly do much, much worse. Prepared statements help you avoid that sort of thing. – andrewsi Jul 26 '13 at 19:33
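The following is an added example, not code posted by the asker or either answerer. It puts the two points of the answer above into one working script: each required field is validated with its own isset or empty call (so the parse error from the question cannot occur), error suppression with @ is replaced by mysqli exception reporting, and the INSERT is sent as a prepared statement with bound parameters instead of string interpolation. It assumes the same table and column names as the question and that connect.inc.php defines $link as an open mysqli connection; the error messages are illustrative. With the original interpolated query, a value such as O'Brien becomes 'O'Brien' inside the SQL text and terminates the string early; with placeholders the value never reaches the SQL parser at all.

```php
<?php
// Added example, not the asker's or the answerers' code. Assumes
// connect.inc.php provides $link (an open mysqli connection) and that the
// table/column names from the question exist.
declare(strict_types=1);

require_once 'connect.inc.php';

// Report mysqli failures as exceptions instead of silencing them with @.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Validate before touching the database. Each isset()/empty() call checks
// exactly one variable; empty() does not accept a list of arguments.
$required_radio = ['source_of_fund_1', 'source_of_fund_2'];
$required_text  = ['repayment_date', 'do_differently'];

$errors = [];
foreach ($required_radio as $name) {
    if (!isset($_POST[$name])) {
        $errors[] = "$name was not selected";
    }
}
foreach ($required_text as $name) {
    if (!isset($_POST[$name]) || trim((string) $_POST[$name]) === '') {
        $errors[] = "$name was left blank";
    }
}

if ($errors !== []) {
    // Field-level detail can go to the user; database detail should not.
    echo 'We were unable to process your information. '
       . 'Please ensure all required fields were filled out.';
    mysqli_close($link);
    exit;
}

// Prepared statement: the SQL text with ? placeholders is sent to MySQL
// first; the values are sent separately and are never parsed as SQL, so an
// apostrophe in "O'Brien" is stored literally instead of breaking the query.
$sql = 'INSERT INTO tablename
            (source_of_fund_1, source_of_fund_2, repayment_date, do_differently)
        VALUES (?, ?, ?, ?)';

try {
    $stmt = mysqli_prepare($link, $sql);
    // 'ssss': four string parameters, bound (by reference) in column order.
    mysqli_stmt_bind_param(
        $stmt,
        'ssss',
        $_POST['source_of_fund_1'],
        $_POST['source_of_fund_2'],
        $_POST['repayment_date'],
        $_POST['do_differently']
    );
    mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    echo 'Thank you for your submission.';
} catch (mysqli_sql_exception $e) {
    // Keep the driver's error text in the server log, not in the HTML
    // response, where it would reveal table and column names to visitors.
    error_log('questionnaire insert failed: ' . $e->getMessage());
    echo 'We were unable to process your information.';
} finally {
    mysqli_close($link);
}
```

Because the values are bound rather than escaped, no mysqli_real_escape_string call is needed, and the same statement handles any characters the form submits; escaping is only the fallback for the rare case where a value has to appear inside the SQL text itself.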