
I have a piece of code which inserts a user's input into a database:

```php
<?php
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
    die("DB status: connection failed: " . $conn->connect_error);
} else {
    echo "DB status: connected";
}
?>
<html>
    <h1>Add data</h1>
    <form method="post">
        <p>Name: <input type="text" name="name"></p>
        <p>Goals scored in:</p>
        <p>14/15 <input type="text" name="14"></p>
        <p>15/16 <input type="text" name="15"></p>
        <p>16/17 <input type="text" name="16"></p>
        <p>17/18 <input type="text" name="17"></p>
        <button type="submit" name="save">save</button>
    </form>
    <?php
// This block runs on every request, including the first GET of the page,
// so the INSERT is executed with empty values before the form is submitted.
$sql = "INSERT INTO `goals` (`Name`, `14/15`, `15/16`, `16/17`, `17/18`) VALUES ('".$_POST["name"]."', '".$_POST["14"]."', '".$_POST["15"]."', '".$_POST["16"]."', '".$_POST["17"]."')";

$result = mysqli_query($conn,$sql);

?>
```

The problem is that when I load the page for the first time, it already sends 0's to the database. How can I prevent this from happening?

Thanks a lot for helping!

  • **WARNING**: When using `mysqli` you should be using [parameterized queries](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [`bind_param`](http://php.net/manual/en/mysqli-stmt.bind-param.php) to add user data to your query. **DO NOT** use string interpolation or concatenation to accomplish this because you have created a severe [SQL injection bug](http://bobby-tables.com/). **NEVER** put `$_POST`, `$_GET` or **any** user data directly into a query, it can be very harmful if someone seeks to exploit your mistake. – tadman Oct 11 '18 at 23:30
  • Note: The object-oriented interface to `mysqli` is significantly less verbose, making code easier to read and audit, and is not easily confused with the obsolete `mysql_query` interface. Before you get too invested in the procedural style it's worth switching over. Example: `$db = new mysqli(…)` and `$db->prepare("…")`. The procedural interface is an artifact from the PHP 4 era when the `mysqli` API was introduced and should not be used in new code. – tadman Oct 11 '18 at 23:30
  • The primary reason is because you don't use any checking to see if the post is submitted using `isset()` or `empty()`. – Rasclatt Oct 11 '18 at 23:30
  • A schema like this is a pretty clear violation of the [Zero, One or Infinity Rule](http://en.wikipedia.org/wiki/Zero_one_infinity_rule) of [database normalization](http://en.wikipedia.org/wiki/Database_normalization). If possible try and restructure this into a one-to-many relational structure as that will make both writing and querying this data considerably easier. – tadman Oct 11 '18 at 23:31

2 Answers


Add an action to your form and use that to send the SQL query. You should probably also be using form validation, requiring some fields like name to be filled out.

```html
<p>Name: <input type="text" name="name" required></p>
```

Calling a particular PHP function on form submit

– Bladesforhire

Add this piece of code at the beginning to fix the issue:

```php
// Only run the INSERT when the form was actually submitted. The submit button
// in the form is named "save", so that is the key to check in $_POST.
if (isset($_POST['save']))
{
    // build and run the INSERT query here
}
```
– Marcus
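Putting the `isset()` check from this answer together with the prepared-statement advice from the comments, here is an added example of a complete handler (not code from the question or either answer). It assumes the `$servername`, `$username`, `$password` and `$dbname` variables and the `goals` table from the question, and adds integer validation of the goal fields, which the page does not show.

```php
<?php
// Added example, not code from the question or its answers. It assumes the $servername,
// $username, $password and $dbname variables and the `goals` table from the question.
$conn = new mysqli($servername, $username, $password, $dbname);
if ($conn->connect_error) {
    die("DB status: connection failed: " . $conn->connect_error);
}
$conn->set_charset('utf8mb4');

// Returns a list of error messages; an empty list means the input is acceptable.
function validate_goals_input(array $post): array
{
    $errors = [];
    $name = trim($post['name'] ?? '');
    if ($name === '' || strlen($name) > 100) {
        $errors[] = 'Name is required (at most 100 bytes).';
    }
    foreach (['14', '15', '16', '17'] as $season) {
        // FILTER_VALIDATE_INT rejects "", "abc" and anything that is not a plain integer.
        if (filter_var($post[$season] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]) === false) {
            $errors[] = "Goals for season $season must be a whole number of 0 or more.";
        }
    }
    return $errors;
}

// On a plain GET the button is absent from $_POST, so nothing is written to the database.
if (isset($_POST['save'])) {
    $errors = validate_goals_input($_POST);
    if ($errors !== []) {
        foreach ($errors as $e) {
            echo '<p>' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . '</p>';
        }
    } else {
        // Placeholders keep user data out of the SQL text, so it cannot alter the statement.
        $stmt = $conn->prepare(
            'INSERT INTO `goals` (`Name`, `14/15`, `15/16`, `16/17`, `17/18`) VALUES (?, ?, ?, ?, ?)'
        );
        $name = trim($_POST['name']);
        $g14 = (int) $_POST['14'];
        $g15 = (int) $_POST['15'];
        $g16 = (int) $_POST['16'];
        $g17 = (int) $_POST['17'];
        $stmt->bind_param('siiii', $name, $g14, $g15, $g16, $g17);
        echo $stmt->execute() ? '<p>Saved.</p>' : '<p>Insert failed.</p>';
        $stmt->close();
    }
}
```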