
I'm super new to PHP and I recently tried to create a "system" that adds customers to the SQLite database and displays them in a table. Well, every time I navigate to the HTML page in order to add a new customer, the script runs itself creating empty values within the database. When I click submit after filling the values it just works properly. Below I attach my code for this specific part of the "system".

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>New Customer</title>
    <style>
        form {
            display:flex;
            flex-direction:column;
            width:65%;
            max-width:75%;
            margin:0 auto;
        }
    </style>
</head>
<body>
    <form action="" method="POST">
        <h1>Insert a new customer</h1>
        <label for="id">Customer Id</label>
        <input type="text" name="id" id="id">
        <label for="name">Customer Name</label>
        <input type="text" name="name" id="name">
        <label for="age">Customer Age</label>
        <input type="number" name="age" id="age">
        <label for="address">Customer Address</label>
        <input type="text" name="address" id="address">
        <button type="submit">Submit</button>
    </form>

    <?php 
    
    class COMPANY extends SQLite3 {
        function __construct() {
            $this->open('customers.db');
        }
    }
    
    $database = new COMPANY();

    if (!$database) {
        echo $database->lastErrorMsg();
    } else {
        echo "Database accessed!\n";
    }
   
    $insert ="INSERT INTO CUSTOMERS (ID, NAME, AGE, ADDRESS) VALUES ('".$_POST["id"]."', '".$_POST["name"]."', '".$_POST["age"]."','".$_POST["address"]."');";
    
    $result = $database->exec($insert);

    if(!$result) {
        echo $database->lastErrorMsg();
    } else {
        echo "Records added successfully!\n";
    }
    $database->close();
    ?>
   
</body>
</html>
    As noted in the answer you don't ever check if form is actually submitted, you execute your database logic all the same. Your code will obviously grow, so can I suggest splitting your presentation and logic into separate files right now. It's easier than refactoring the thousand lines of spaghetti you end up with, if you don't split early. Other than that, see [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Markus AO Mar 12 '22 at 15:13

2 Answers


You need to use isset() and check whether the form has actually posted the values. In your code, the page loads and the PHP code executes without checking whether the form has been submitted, so the blanks are inserted into the database.

    // isset() accepts several arguments and is true only if all of them are set.
    if (isset($_POST['id'], $_POST['name'], $_POST['age'], $_POST['address'])) {
        // .. your code
    }

PS: this doesn't include sanitization and validation of the fields; please add them as you wish.

Tushar Gupta
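An added example (not the asker's or the answerer's code) showing the two fixes together: run the database logic only when the request is a POST whose fields are all non-empty, and pass the values to SQLite through a prepared statement instead of concatenating them into the SQL, as the injection question linked in the comments recommends. It assumes the same customers.db file and a CUSTOMERS table with the four columns from the question; the CREATE TABLE statement, the column types and the accepted age range are assumptions so that the script runs stand-alone under a web server.

```php
<?php
// Added example, not the code from the question or answer. Assumes a
// customers.db file next to this script and a CUSTOMERS(ID, NAME, AGE, ADDRESS)
// table; the table is created here if missing so the script runs on its own.
declare(strict_types=1);

function openDatabase(string $path): SQLite3
{
    // SQLite3::__construct() throws on failure, so the "if (!$database)" test in
    // the question can never be reached; let exceptions carry errors instead.
    $db = new SQLite3($path);
    $db->enableExceptions(true);
    $db->exec('CREATE TABLE IF NOT EXISTS CUSTOMERS (
        ID INTEGER PRIMARY KEY, NAME TEXT NOT NULL,
        AGE INTEGER NOT NULL, ADDRESS TEXT NOT NULL)');   // assumed schema
    return $db;
}

// Returns a list of error messages; an empty list means the input is acceptable.
function validateCustomer(array $post): array
{
    $errors = [];
    foreach (['id', 'name', 'age', 'address'] as $field) {
        // isset() alone is not enough: an empty text input is still set (as ''),
        // which is exactly how blank rows would get in on a submit with no values.
        if (!isset($post[$field]) || trim((string) $post[$field]) === '') {
            $errors[] = "$field is required";
        }
    }
    if (isset($post['id']) && filter_var($post['id'], FILTER_VALIDATE_INT) === false) {
        $errors[] = 'id must be an integer';
    }
    if (isset($post['age']) && filter_var($post['age'], FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 0, 'max_range' => 150]]) === false) {
        $errors[] = 'age must be an integer between 0 and 150';   // assumed range
    }
    return $errors;
}

// Insert one customer with a prepared statement. The values are bound, never
// concatenated into the SQL, so an address like "x'); DROP TABLE CUSTOMERS; --"
// is stored as literal text rather than executed.
function insertCustomer(SQLite3 $db, array $post): void
{
    $stmt = $db->prepare(
        'INSERT INTO CUSTOMERS (ID, NAME, AGE, ADDRESS) VALUES (:id, :name, :age, :address)'
    );
    $stmt->bindValue(':id', (int) $post['id'], SQLITE3_INTEGER);
    $stmt->bindValue(':name', $post['name'], SQLITE3_TEXT);
    $stmt->bindValue(':age', (int) $post['age'], SQLITE3_INTEGER);
    $stmt->bindValue(':address', $post['address'], SQLITE3_TEXT);
    $stmt->execute();
}

// Only touch the database when the form was actually submitted. A plain GET for
// the page (the case in the question) skips all of this.
$messages = [];
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    $errors = validateCustomer($_POST);
    if ($errors === []) {
        try {
            $db = openDatabase(__DIR__ . '/customers.db');
            insertCustomer($db, $_POST);
            $db->close();
            $messages[] = 'Record added successfully!';
        } catch (Exception $e) {
            // Keep driver error text out of the browser; log it server-side.
            error_log($e->getMessage());
            $messages[] = 'Could not save the customer.';
        }
    } else {
        $messages = $errors;
    }
}
?>
<!DOCTYPE html>
<html lang="en">
<head><meta charset="UTF-8"><title>New Customer</title></head>
<body>
<?php foreach ($messages as $m): ?>
    <!-- htmlspecialchars() so an echoed value cannot inject HTML or script -->
    <p><?= htmlspecialchars($m, ENT_QUOTES, 'UTF-8') ?></p>
<?php endforeach; ?>
<form action="" method="POST">
    <label for="id">Customer Id</label>
    <input type="text" name="id" id="id" required>
    <label for="name">Customer Name</label>
    <input type="text" name="name" id="name" required>
    <label for="age">Customer Age</label>
    <input type="number" name="age" id="age" required>
    <label for="address">Customer Address</label>
    <input type="text" name="address" id="address" required>
    <button type="submit">Submit</button>
</form>
</body>
</html>
```

The `required` attributes on the inputs are a convenience for the browser only; the server-side checks in validateCustomer() are what actually keep empty or malformed rows out, since a client can send any POST body it likes.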

There should be validation; values should not be empty.

Sonali
    Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Mar 12 '22 at 16:14