
I'm trying a contact form in PHP where the details have to get stored in the database. If I don't enter any values it displays an error message, but the data still gets stored in the database. How can I validate the form so that when the error message displays, the data is not entered in the database? Here is the code:

<?php
session_start();              // required: the captcha check below reads $_SESSION['code']

$username = "root";
$password = "";
$hostname = "localhost";
$db       = "abc";

// default form values
$name   = "";
$email  = "";
$batch  = "";
$mobile = "";

if (isset($_POST['submit'])) {
    $error = "";

    if (!empty($_POST['name'])) {
        $name = $_POST['name'];
    } else {
        $error .= "You didn't type in your name. <br />";
    }

    if (!empty($_POST['email'])) {
        $email = $_POST['email'];
        if (!preg_match("/^[_a-z0-9]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/i", $email)) {
            $error .= "The e-mail address you entered is not valid. <br/>";
        }
    } else {
        $error .= "You didn't type in an e-mail address. <br />";
    }

    if (!empty($_POST['batch'])) {
        $batch = $_POST['batch'];
    } else {
        $error .= "You didn't type batch. <br />";
    }

    if (($_POST['code']) == $_SESSION['code']) {
        $code = $_POST['code'];
    } else {
        $error .= "The captcha code you entered does not match. Please try again. <br />";
    }

    if (!empty($_POST['mobile'])) {
        $mobile = $_POST['mobile'];
    } else {
        $error .= "You didn't type your Mobile Number. <br />";
    }

    if (empty($error)) {
        $success = "<b>Thank you! Your message has been sent!</b>";
    }
}
?>

<div id="contactForm">

<?php
// NOTE: this is the behaviour the question describes: the INSERT runs when
// $error is NOT empty, i.e. exactly when validation has failed.
if (!empty($error)) {
    // mysql_* functions: deprecated in PHP 5.5, removed in PHP 7
    $dbhandle = mysql_connect($hostname, $username, $password) or die("Unable to connect to MySQL");
    mysql_select_db($db, $dbhandle) or die('cannot select db');

    // form values are interpolated straight into the SQL string (no escaping, no prepared statement)
    mysql_query("INSERT INTO contact (name,batch,email,mobile)
                 VALUES('$name','$batch','$email','$mobile') ") or die(mysql_error());
    echo '<p class="error"><strong>Your message was NOT sent<br/> The following error(s) returned:</strong><br/>' . $error . '</p>';
} elseif (!empty($success)) {
    echo $success;
}
?>
user3675208

4 Answers


This is opposite of what it should be

if (!empty($error)) {
    ^
     // your database stuff here
}

You should run that query when the error is empty, and not when it's not empty.

if (empty($error)) {
      // now save to database    
 }

Also go through How can I prevent SQL injection in PHP?

Hanky Panky
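Putting that answer into practice, as an added example that is not part of the original question or any of the answers: validation runs first, the INSERT runs only when the error list is empty, and the values reach MySQL through a PDO prepared statement rather than being interpolated into the SQL text (the injection problem the linked question is about). Assumptions: PHP 7.4+, the PDO MySQL driver, a `contact` table with the columns name, batch, email and mobile, and placeholder credentials (`localhost`, `abc`, `root`, empty password) copied from the question. `filter_var()` and `hash_equals()` are swapped in for the asker's regex and `==` captcha comparison; they are not from the page.

```php
<?php
// Added example, not the asker's code. Assumes PHP 7.4+, PDO with the MySQL
// driver, and a `contact` table (name, batch, email, mobile). Credentials are
// placeholders taken from the question.
declare(strict_types=1);
session_start(); // the captcha value lives in $_SESSION['code']

/**
 * Validate the posted form. Returns [list of error messages, cleaned values].
 * Nothing is written anywhere from here; this function only decides.
 */
function validateContact(array $post, ?string $sessionCode): array
{
    $errors = [];
    $clean  = [];

    foreach (['name', 'batch', 'mobile'] as $field) {
        $value = trim((string)($post[$field] ?? ''));
        if ($value === '') {
            $errors[] = "You didn't type in your $field.";
        } else {
            $clean[$field] = $value;
        }
    }

    $email = trim((string)($post['email'] ?? ''));
    if ($email === '') {
        $errors[] = "You didn't type in an e-mail address.";
    } elseif (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'The e-mail address you entered is not valid.';
    } else {
        $clean['email'] = $email;
    }

    // Captcha: a missing session value or an empty answer must fail, not pass;
    // hash_equals() gives a constant-time comparison of two strings.
    $code = (string)($post['code'] ?? '');
    if ($sessionCode === null || $code === '' || !hash_equals($sessionCode, $code)) {
        $errors[] = 'The captcha code you entered does not match. Please try again.';
    }

    return [$errors, $clean];
}

/** Insert with bound parameters: user input never becomes part of the SQL text. */
function saveContact(PDO $pdo, array $clean): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO contact (name, batch, email, mobile) VALUES (:name, :batch, :email, :mobile)'
    );
    $stmt->execute([
        ':name'   => $clean['name'],
        ':batch'  => $clean['batch'],
        ':email'  => $clean['email'],
        ':mobile' => $clean['mobile'],
    ]);
}

$error   = '';
$success = '';

if (isset($_POST['submit'])) {
    $sessionCode = isset($_SESSION['code']) ? (string)$_SESSION['code'] : null;
    [$errors, $clean] = validateContact($_POST, $sessionCode);

    if ($errors === []) {                 // insert ONLY when nothing failed
        $pdo = new PDO('mysql:host=localhost;dbname=abc;charset=utf8mb4', 'root', '', [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
        ]);
        saveContact($pdo, $clean);
        unset($_SESSION['code']);         // captcha is single-use
        $success = '<b>Thank you! Your message has been sent!</b>';
    } else {
        // Escape before echoing; cheap insurance if a message ever echoes user input.
        $error = implode('<br />', array_map('htmlspecialchars', $errors));
    }
}
?>
<div id="contactForm">
<?php if ($error !== ''): ?>
    <p class="error"><strong>Your message was NOT sent.<br/>The following error(s) returned:</strong><br/><?= $error ?></p>
<?php elseif ($success !== ''): ?>
    <?= $success ?>
<?php endif; ?>
</div>
```

The two things that fix the asker's symptom are the `$errors === []` guard and the fact that the database connection is not even opened until that guard passes; the prepared statement is what keeps a value such as `O'Brien` (or a deliberate `' OR '1'='1`) from changing the query.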

Check the condition on which you are inserting the data into the database. You are checking if (!empty($error)), which should denote that there is an error. Also, since $error is a string, I would recommend that you check the value with if(trim($error) != "") rather than using empty().

Aditya
// also correct !empty ()
mysql_query(" INSERT INTO contact (`name`,`batch`,`email`,`mobile`)
            VALUES('".$name."','".$batch."','".$email."','".$mobile."');");

You need to concatenate the strings. If you put $email in quotes, it will be considered a string and not a variable.

Affan

You should use else if to check each condition.

if (isset($_POST['submit'])) {
    if (empty($_POST['email'])) {
        $error[] = "email is required";
    }
    elseif (empty($_POST['name'])) {
        $error[] = "name is required";
    }
    // ... (remaining field checks)
    else {
        $email = $_POST['email'];
        $name  = $_POST['name'];
        // do all the stuff here
    }
}
Magna