
I have an HTML contact form in which the user is allowed to write whatever he wants in the message input field. This form is being posted using AJAX and being processed in the PHP below.

My problem is that I get an empty row in the MySQL table.

I am simply wondering why `$message = $_POST['message'];` returns the proper value, while `$message = mysql_real_escape_string($_POST['message']);` returns an empty string!

What am I missing here?

  // posted data: escaped here, before any MySQL connection has been opened
  $firstName  = mysql_real_escape_string($_POST['firstName']);
  $lastName   = mysql_real_escape_string($_POST['lastName']);
  $name       = $firstName . ' ' . $lastName;
  $email      = mysql_real_escape_string($_POST['email']);
  $phone      = mysql_real_escape_string($_POST['phone']);
  $subject    = mysql_real_escape_string($_POST['subject']);
  $hear       = mysql_real_escape_string($_POST['hear']);
  $message    = mysql_real_escape_string($_POST['message']);

  // the connection is only opened here ($db_hostname etc. are defined elsewhere in the script)
  $db_server = mysql_connect($db_hostname, $db_username, $db_password);

  // check for duplicates by matching all fields
  $query_usercheck = " select * from `test` where Name='$name' and Email='$email' and Phone='$phone' and Subject='$subject' and Message='$message' ";
  $usercheck = mysql_query($query_usercheck) or die(mysql_error());
  $row_usercheck = mysql_fetch_assoc($usercheck);
  $totalRows_usercheck = mysql_num_rows($usercheck);

  if ( $totalRows_usercheck > 0 ) {
        $duplicate = 'Yes';
  } else {
        $duplicate = 'No';
        // adding application data to the MySQL database ($date, $day, $time are set elsewhere in the script)
        $add = mysql_query("INSERT INTO `test` (`Date`, `Day`, `Time`, `Name`, `Email`, `Phone`, `Subject`, `From`, `Message`)
        VALUES ('$date','$day','$time','$name','$email','$phone','$subject','$hear','$message')");
  }

  // close mysql
  mysql_close();
Mazen
    Stop using the **deprecated and as of PHP7 removed** mysql_* functions. Migrate to PDO and start using Prepared Statements. – Charlotte Dunois Apr 06 '16 at 12:11
  • It probably needs a connection for it; it can happen. Place your connection first. Edit: Yeah, I said that ;-) – Funk Forty Niner Apr 06 '16 at 12:12
  • When I use `$message = $_POST['message']` everything goes fine and all strings in my MySQL table are filled in – Mazen Apr 06 '16 at 12:14
  • [Little Bobby](http://bobby-tables.com/) says [your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). – Jay Blanchard Apr 06 '16 at 12:42
  • Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Apr 06 '16 at 12:42

2 Answers


The problem is that you connect to the database after you do mysql_real_escape_string. Please move your database connection before escaping your variables.

Even better, get rid of the deprecated mysql_* functions (they are even gone in PHP 7)! Use mysqli or, even better, PDO with prepared statements, as even mysql_real_escape_string is not safe.

Laurens


mysql_real_escape_string requires an active database connection to do its job. You have not established a connection at the point of calling it.

deceze
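Both answers point at the same root cause: `mysql_real_escape_string()` needs an open connection, and called without one it returns `false`, which becomes the empty string you see in the row. Reordering the calls makes the escaping work, but the comments recommend the better fix, which is to stop building SQL strings at all. The following is an added example, not the asker's script and not either answerer's code: the same duplicate check and insert written with PDO prepared statements, so form values are bound as parameters and no escaping step exists to get wrong. It assumes the `test` table and column names from the question; the helper names (`connect`, `isDuplicate`, `saveSubmission`), the in-memory SQLite database used so it runs without a MySQL server, and the sample form values are all constructed here.

```php
<?php
declare(strict_types=1);

// Added example (not from the question or answers): contact-form insert with
// PDO prepared statements. Assumed: the `test` table from the question.
// Helper names and the sample POST data below are constructed for this demo.

function connect(string $dsn, ?string $user = null, ?string $pass = null): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly instead of storing an empty row
        PDO::ATTR_EMULATE_PREPARES   => false,                  // server-side prepares where the driver supports them
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// The question's "is duplicate" check: every field is bound, never concatenated into SQL.
function isDuplicate(PDO $pdo, array $row): bool
{
    $stmt = $pdo->prepare(
        'SELECT COUNT(*) FROM `test`
          WHERE `Name` = :name AND `Email` = :email AND `Phone` = :phone
            AND `Subject` = :subject AND `Message` = :message'
    );
    $stmt->execute([
        ':name'    => $row['Name'],
        ':email'   => $row['Email'],
        ':phone'   => $row['Phone'],
        ':subject' => $row['Subject'],
        ':message' => $row['Message'],
    ]);
    return (int) $stmt->fetchColumn() > 0;
}

// Builds the row from the raw POST array and inserts it unless an identical row exists.
// Returns the question's $duplicate flag: 'Yes' or 'No'.
function saveSubmission(PDO $pdo, array $post): string
{
    $in = [];
    foreach (['firstName', 'lastName', 'email', 'phone', 'subject', 'hear', 'message'] as $field) {
        // missing keys become '' instead of raising notices; no escaping is applied anywhere
        $in[$field] = isset($post[$field]) ? trim((string) $post[$field]) : '';
    }
    $now = new DateTimeImmutable();
    $row = [
        'Date'    => $now->format('Y-m-d'),
        'Day'     => $now->format('l'),
        'Time'    => $now->format('H:i:s'),
        'Name'    => trim($in['firstName'] . ' ' . $in['lastName']),
        'Email'   => $in['email'],
        'Phone'   => $in['phone'],
        'Subject' => $in['subject'],
        'From'    => $in['hear'],
        'Message' => $in['message'],
    ];

    if (isDuplicate($pdo, $row)) {
        return 'Yes';
    }

    $stmt = $pdo->prepare(
        'INSERT INTO `test` (`Date`, `Day`, `Time`, `Name`, `Email`, `Phone`, `Subject`, `From`, `Message`)
         VALUES (:date, :day, :time, :name, :email, :phone, :subject, :from, :message)'
    );
    $stmt->execute([
        ':date'    => $row['Date'],    ':day'   => $row['Day'],   ':time'  => $row['Time'],
        ':name'    => $row['Name'],    ':email' => $row['Email'], ':phone' => $row['Phone'],
        ':subject' => $row['Subject'], ':from'  => $row['From'],  ':message' => $row['Message'],
    ]);
    return 'No';
}

// Demo on an in-memory SQLite database so the script runs without a MySQL server.
// Against MySQL the DSN would be "mysql:host=$db_hostname;dbname=<your db>;charset=utf8mb4"
// with $db_username / $db_password from the question's configuration.
$pdo = connect('sqlite::memory:');
$pdo->exec('CREATE TABLE `test` (`Date` TEXT, `Day` TEXT, `Time` TEXT, `Name` TEXT, `Email` TEXT,
            `Phone` TEXT, `Subject` TEXT, `From` TEXT, `Message` TEXT)');

// Constructed form submission; the apostrophes and quotes are exactly the characters
// that mysql_real_escape_string() was meant to handle and that PDO binding makes a non-issue.
$post = [
    'firstName' => 'Mazen',
    'lastName'  => "O'Brien",
    'email'     => 'mazen@example.com',
    'phone'     => '+1 555 0100',
    'subject'   => 'Quote request',
    'hear'      => 'Search engine',
    'message'   => "It's a \"test\" message; the old form didn't like apostrophes.",
];
echo saveSubmission($pdo, $post), PHP_EOL;   // first submission is inserted
echo saveSubmission($pdo, $post), PHP_EOL;   // identical resubmission is reported as a duplicate
echo $pdo->query('SELECT `Message` FROM `test`')->fetchColumn(), PHP_EOL; // stored verbatim
```

Run it with `php contact.php`; the first call inserts the row, the second reports the duplicate, and the stored message comes back with its quotes intact. Because the values travel to the server separately from the SQL text, the order of "connect" and "escape" that tripped the original script no longer exists as a concern, and `ERRMODE_EXCEPTION` turns any failure into an exception rather than a silently empty row.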