PHP sending blank information to the database

Question

I am using a Unity form in conjunction with PHP to send data to a database, I can successfully enter information in and it reaches the database but the problem is it also sends the data if the fields are empty.

I am trying to prevent this using the isset method but it doesn't appear to be working. Can somebody double check this for me?

Image of data reaching the database

Image of unity form

<?php

    if(!isset($_POST['usernamePost'], $_POST['passwordPost'], $_POST['emailPost']))
    {
        echo "This is not working";
    }
    else
    {
    //Enter the data into the database
    $username = filter_var($_POST['usernamePost'], FILTER_SANITIZE_STRING);
    $password = filter_var($_POST['passwordPost'], FILTER_SANITIZE_STRING);
    $email = filter_var($_POST['emailPost'], FILTER_SANITIZE_STRING);

    //variable for connection
    $servername = "localhost";
    $server_username = "root";
    $server_password = "";
    $dbName = "ontrigger_game";

        try
        {
            //connection to the database
            $dbhandle = mysqli_connect($servername, $server_username, $server_password) 
              or die("Unable to connect to MySQL");
            echo "Connected to MySQL<br>";

            //select a database to work with
            $selected = mysqli_select_db($dbhandle, $dbName)
                    or die("Could not select database");

            $sql = "INSERT INTO users (username, password, email)
                VALUES ('".$username."','".$password."','".$email."')";
            if(!mysqli_query($dbhandle, $sql))
            {
              die('Error: ' . mysqli_error());
            }
            echo "1 record added";

            //close the connection
            mysqli_close($dbhandle);

        } 
        catch (Exception $ex) 
        {

        }
    }
?>

**Never** store plain text passwords. Instead use [`password_hash()`](http://us3.php.net/manual/en/function.password-hash.php) and [`password_verify()`](http://us3.php.net/manual/en/function.password-verify.php). If you're using a version of PHP prior to 5.5, do **not** use MD5 or SHA1 to hash passwords. Instead you can use [this compatibility pack](https://github.com/ircmaxell/password_compat). — Alex Howansky, Sep 06 '17 at 13:39
`FILTER_SANITIZE_STRING` does not protect against [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection) attacks. You should use prepared statements with bound parameters, via either the [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) drivers. [**This post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has some good examples. — Alex Howansky, Sep 06 '17 at 13:40

score 2 · Accepted Answer · answered Sep 06 '17 at 13:03

You should also check if its empty by using the empty() method

if (!isset($_POST['usernamePost']) && empty($_POST['usernamePost'] )) {

// error message here

} else {

// What you want to do if not empty and is set.

}

Note: Use the && operator instead of comma's

PHP sending blank information to the database

1 Answers1