php - Empty fields can get inserted into my database
I have the following code. I try to use the submit button to insert into the database, but every time I use it or refresh the browser, empty fields get inserted into the database.
<?php
$servername = "localhost";
$username = "root";
$password = "";

// create connection
$cn = new mysqli($servername, $username, $password, "milege");
// check connection
if ($cn->connect_error) {
    echo "connection failed!" . $cn->connect_error;
}

// once the button is clicked
if (isset($_POST['submitform'])) {
    // the values in the boxes
    $name = $_POST['fname'];
    $email = $_POST['email'];
    $password = $_POST['password'];
    $confpass = $_POST['confpass'];
    $interest = $_POST['interest'];
    $info = $_POST['info'];
    //echo "connection successfully";
    // insert into the table
    $sql = "INSERT INTO miltb(name, email, password, interest, info, productorder)
            VALUES('$name', '$email', '$password', '$interest', '$info', 'none')";
}
// note: this query runs on every request, not only when the form was submitted
if ($cn->query($sql) == true) {
?>
<script>alert("inserted successfully!");</script>
<?php
} else {
    echo "error: " . $sql . "\n" . $cn->error;
}
$cn->close();
?>
How do I fix it?
The reason empty fields get inserted into the database is because you're not checking for empty fields. You need to check for empty fields first; if empty fields exist, do not insert.
Well man, there's a lot you need to learn. You need to learn about:
2. mysqli prepared or PDO prepared statements.
Never trust user input; you must treat user input as if it comes from a dangerous hacker.
Then your code with prepared statements should be:
<?php
// connection settings (as in the question)
$servername = "localhost";
$username = "root";
$password = "";

// create connection
$cn = new mysqli($servername, $username, $password, "milege");
// check connection
if ($cn->connect_error) {
    echo "connection failed!" . $cn->connect_error;
}

$error = 0;
// once the button is clicked
if (isset($_POST['submitform'])) {
    // check for empty fields
    if (empty($_POST['fname'])) {
        echo "enter name";
        $error++;
    } else {
        $name = userinput($_POST['fname']);
    }
    if (empty($_POST['email'])) {
        echo "enter email";
        $error++;
    } else {
        $email = userinput($_POST['email']);
        // validate email
        if (!preg_match("/([\w\-]+\@[\w\-]+\.[\w\-]+)/", $email)) {
            echo "enter valid email";
            $error++;
        }
    }
    if (empty($_POST['password'])) {
        echo "enter password";
        $error++;
    } else {
        $password = userinput($_POST['password']);
        $hash = password_hash($password, PASSWORD_DEFAULT); // hash the password
    }
    // password confirmation (an empty confirmation counts as a mismatch)
    if (empty($_POST['confpass']) || $_POST['confpass'] !== $_POST['password']) {
        echo "passwords do not match";
        $error++;
    }
    if (empty($_POST['interest'])) {
        echo "enter interests";
        $error++;
    } else {
        $interest = userinput($_POST['interest']);
    }
    if (empty($_POST['info'])) {
        echo "enter info";
        $error++;
    } else {
        $info = userinput($_POST['info']);
    }

    if ($error > 0) {
        // if we have errors, don't insert into the db
        echo "you have " . $error . " error(s) on the form, plz fix them";
    } else {
        // no errors, let's insert
        // prepare and bind
        $sql = $cn->prepare("INSERT INTO miltb(name, email, password, interest, info) VALUES (?, ?, ?, ?, ?)");
        $sql->bind_param("sssss", $name, $email, $hash, $interest, $info);
        if ($sql->execute()) {
            echo "inserted successfully!";
        } else {
            echo "could not insert ";
        }
        $sql->close();
    }
    $cn->close();
}

// sanitize a single form value
function userinput($data) {
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}
?>
Hope you learn a thing or two; I stand corrected if I'm wrong.
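As an added example (not the asker's or the answerer's code), the same flow restructured so the checks return a list the caller can act on, user data only reaches MySQL through bound parameters, escaping happens at output time rather than before storage, and a redirect after a successful insert keeps a browser refresh from resubmitting the form. It assumes the question's milege database, miltb table and form field names.

```php
<?php
// Added example (not the asker's or the answerer's code). Assumes the same
// "milege" database, "miltb" table and form field names as the question.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors
// Validate the form; returns a list of error messages (empty list = OK).
function validate_registration(array $post): array
{
    $errors = [];
    $required = ['fname' => 'name', 'email' => 'email', 'password' => 'password', 'interest' => 'interests', 'info' => 'info'];
    foreach ($required as $field => $label) {
        if (trim($post[$field] ?? '') === '') {
            $errors[] = "enter $label";
        }
    }
    if (!empty($post['email']) && filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) { $errors[] = 'enter a valid email'; }
    if (($post['confpass'] ?? '') !== ($post['password'] ?? '')) { $errors[] = 'passwords do not match'; }
    return $errors;
}
// Insert with a prepared statement: user data is bound, never concatenated into SQL.
function insert_user(mysqli $cn, array $post): bool
{
    $stmt = $cn->prepare('INSERT INTO miltb (name, email, password, interest, info, productorder)
                          VALUES (?, ?, ?, ?, ?, ?)');
    // bind_param takes references, so build plain variables first.
    $name = trim($post['fname']);        $email = trim($post['email']);
    $interest = trim($post['interest']); $info = trim($post['info']);
    $hash = password_hash($post['password'], PASSWORD_DEFAULT); // never store the plaintext
    $none = 'none';
    $stmt->bind_param('ssssss', $name, $email, $hash, $interest, $info, $none);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
// Only a real form POST reaches the database; a plain page load or refresh never inserts.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['submitform'])) {
    $errors = validate_registration($_POST);
    if ($errors === []) {
        $cn = new mysqli('localhost', 'root', '', 'milege');
        insert_user($cn, $_POST);
        $cn->close();
        // Post/Redirect/Get: after a successful insert, a refresh reloads via GET and cannot resubmit.
        header('Location: ' . $_SERVER['REQUEST_URI'], true, 303); exit;
    }
    foreach ($errors as $e) { // escape at output time, not before storing
        echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), '<br>';
    }
}
```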