
So, I have researched this everywhere and I can't see why it's inserting blanks. I use pretty much the same code in another file and that one works fine. Any help?

<?php
// Form handler from the question: reads four POST fields, escapes them, and
// inserts them as one row into the `generaldis` table.
//Connection
// (connection code omitted by the author; $link used below is presumably
// created there — confirm it is a mysqli connection)

// NOTE(review): two visible problems on each of the next four lines:
//  1. The array key is written with a leading and trailing space
//     (' first_name '), which is a different key from 'first_name'. Assuming
//     the form fields are named without spaces, these lookups find nothing.
//  2. The procedural mysqli_real_escape_string() takes the connection as its
//     first argument and the string as its second. Called with the string
//     only, it cannot return an escaped value.
// Either one is enough to leave the variables empty, which would explain the
// blank rows being inserted.
$first_name = mysqli_real_escape_string($_POST [' first_name ']) ; 
$last_name = mysqli_real_escape_string($_POST [' last_name ']) ; 
$email = mysqli_real_escape_string($_POST [' email ']) ; 
$message = mysqli_real_escape_string($_POST [' message ']) ; 

// NOTE(review): the values are interpolated straight into the SQL text, so the
// statement is only as safe as the escaping above. A prepared statement with
// bound parameters keeps data out of the SQL text entirely.
$insert_sql = "INSERT INTO generaldis (first_name, last_name, email, message)
VALUES ('$first_name', '$last_name' , '$email' , '$message');";


// NOTE(review): mysql_query()/mysql_error() belong to the legacy ext/mysql
// extension (removed in PHP 7.0), not to mysqli. The two extensions do not
// share connections, so escaping with mysqli_* and querying with mysql_* cannot
// work against the same $link.
if (!mysql_query($insert_sql,$link))
  {
  // Prints the raw database error to the visitor; in production this should be
  // logged server-side and replaced with a generic message.
  die('Error: ' . mysql_error());
  }


// Confirmation page shown once the query call reports success.
echo '<h1>Whoop! Your Message Has Been Posted!</h1><br><p><a href="http://example.com ">Click Here To     Go Back</a></p>';


?>
  • 1
    You're mixing `mysqli_*` with `mysql_*` functions. You should use `mysqli` for your query and database connection as well. – jeroen Jul 06 '14 at 21:10
  • 3
    **Danger**: You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). You are also **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Jul 06 '14 at 21:10
  • 1
    You are storing POST data after using `mysqli_real_escape_string` into variables and then using `$_POST` data directly in query instead of variables ? – Abhik Chakraborty Jul 06 '14 at 21:10
  • 2
    You use `$first_name = mysqli_real_escape_string($link, $_REQUEST['first_name']);` to define a variable but then don't use it in your query. You should use the variable in the query, e.g. `$last_name` instead of `$_POST["last_name"]`. – Sven van den Boogaart Jul 06 '14 at 21:10
  • 1
    Also, see http://stackoverflow.com/questions/1924939/php-request-vs-get-and-post. You are setting $first_name using $_REQUEST but then in the INSERT statement using $_POST. Use $first_name in the SQL statement – Mark Silverberg Jul 06 '14 at 21:11

1 Answer


try this:

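// Validates the four contact-form fields and stores them with a prepared
// statement. Assumes $link is the mysqli connection opened in the (omitted)
// connection step of the question.
//
// Validation pattern per form field; null means "free text, no pattern".
// Each pattern is anchored with ^ ... $ (plus the D modifier, so $ does not
// match before a trailing newline). Without anchors, preg_match() succeeds as
// soon as ONE allowed character appears anywhere in the value, so the check
// would not restrict the rest of the value at all.
$fields = array(
    'first_name' => '/^[a-zA-Z_-]+$/D',
    'last_name'  => '/^[a-zA-Z_-]+$/D',
    // NOTE(review): this pattern only accepts lowercase addresses with a 2-3
    // letter TLD; filter_var($v, FILTER_VALIDATE_EMAIL) is less restrictive.
    'email'      => '/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/D',
    'message'    => null
);

$permit = true;
$input = array();
foreach ($fields as $field => $regexp) {
    // Read from $_POST (as the question does) rather than $_REQUEST, which also
    // merges in query-string and, depending on configuration, cookie values.
    // A missing field, or one submitted as an array, is rejected instead of
    // being passed on to preg_match()/the database.
    if (!isset($_POST[$field]) || !is_string($_POST[$field])) {
        $permit = false;
        break;
    }
    $input[$field] = $_POST[$field];

    if ($regexp !== null && preg_match($regexp, $input[$field]) !== 1) {
        $permit = false;
        break;
    }
}

if ($permit) {
    // Validation is not an escaping mechanism: every value, validated or not,
    // is sent as a bound parameter so it can never become part of the SQL text.
    // Table name follows the question's INSERT (`generaldis`).
    $stmt = mysqli_prepare(
        $link,
        'INSERT INTO generaldis (first_name, last_name, email, message) VALUES (?, ?, ?, ?)'
    );

    // On PHP 8.1+ mysqli throws mysqli_sql_exception by default; the explicit
    // checks below cover configurations where it returns false instead.
    if ($stmt === false) {
        // Log server-side; do not echo database errors to the visitor.
        error_log('generaldis insert: prepare failed: ' . mysqli_error($link));
    } else {
        mysqli_stmt_bind_param(
            $stmt,
            'ssss',
            $input['first_name'],
            $input['last_name'],
            $input['email'],
            $input['message']
        );
        if (!mysqli_stmt_execute($stmt)) {
            error_log('generaldis insert: execute failed: ' . mysqli_stmt_error($stmt));
        }
        mysqli_stmt_close($stmt);
    }
}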
num8er