php - Empty fields can get inserted into my database


I have the following code. I try to use the submit button to insert into the database, but every time I use it, or refresh the browser, empty fields get inserted into the database.

<?php
$servername = "localhost";
$username = "root";
$password = "";

// create connection
$cn = new mysqli($servername, $username, $password, "milege");

// check connection
if ($cn->connect_error) {
    echo "connection failed!" . $cn->connect_error;
}

// once button clicked
if (isset($_POST['submitform'])) {
    // the values in boxes
    $name = $_POST['fname'];
    $email = $_POST['email'];
    $password = $_POST['password'];
    $confpass = $_POST['confpass'];
    $interest = $_POST['interest'];
    $info = $_POST['info'];

    //echo "connection successfully";
    // insert into table
    $sql = "INSERT INTO miltb(name, email, password, interest, info, productorder) VALUES('$name', '$email', '$password', '$interest', '$info', 'none')";
}

if ($cn->query($sql) == true) {
    ?><script>alert("inserted successfully!");</script><?php
} else {
    echo "error: " . $sql . "\n" . $cn->error;
}

$cn->close();
?>

How do I fix it?

The reason empty fields get inserted into the database is that you are not checking for empty fields. You need to check for empty fields first and, if any empty fields exist, not insert.

Well man, there's a lot you need to learn. You need to learn about:

1. SQL injections

2. mysqli prepared or PDO prepared statements

3. Password hashing

4. Filtering, sanitizing and validating user inputs

Never trust user input; you must treat user input as if it comes from a dangerous hacker.

Then your code with prepared statements should be:

<?php
// create connection
$cn = new mysqli($servername, $username, $password, "milege");

// check connection
if ($cn->connect_error) {
    echo "connection failed!" . $cn->connect_error;
}

$error = 0;
// once button clicked
if (isset($_POST['submitform'])) {
    // check empty fields
    if (empty($_POST['fname'])) {
        echo "enter name";
        $error++;
    } else {
        $name = userinput($_POST['fname']);
    }

    if (empty($_POST['email'])) {
        echo "enter email";
        $error++;
    } else {
        $email = userinput($_POST['email']);
        // validate email
        if (!preg_match("/([\w\-]+\@[\w\-]+\.[\w\-]+)/", $email)) {
            echo "enter valid email";
            $error++;
        }
    }

    if (empty($_POST['password'])) {
        echo "enter password";
        $error++;
    } else {
        $password = userinput($_POST['password']);
        $hash = password_hash($password, PASSWORD_DEFAULT); // hash password
    }

    // password confirmation: missing or different confirmation is an error
    if (empty($_POST['confpass']) || $_POST['confpass'] !== $_POST['password']) {
        echo "passwords do not match";
        $error++;
    }

    if (empty($_POST['interest'])) {
        echo "enter interests";
        $error++;
    } else {
        $interest = userinput($_POST['interest']);
    }

    if (empty($_POST['info'])) {
        echo "enter info";
        $error++;
    } else {
        $info = userinput($_POST['info']);
    }

    if ($error > 0) { // if there are errors, don't insert into the db
        echo "you have " . $error . " error(s) on the form, please fix them";
    } else { // no errors, let's insert
        // prepare and bind
        $sql = $cn->prepare("INSERT INTO miltb(name, email, password, interest, info) VALUES (?, ?, ?, ?, ?)");
        if ($sql === false) {
            echo "could not prepare statement: " . $cn->error;
        } else {
            $sql->bind_param("sssss", $name, $email, $hash, $interest, $info);
            if ($sql->execute()) {
                echo "inserted successfully!";
            } else {
                echo "could not insert";
            }
            $sql->close();
        }
    }

    $cn->close();
}

function userinput($data)
{
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}
?>

Hope you learn a thing or two; I stand corrected if I'm wrong.
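As an added example (not code from the question or the answer above), here is the same validate-then-insert idea with the checks pulled into a function that returns the errors instead of echoing them, so nothing reaches the INSERT unless every field passed; it assumes the same table "miltb" and form field names as the posts and a connected mysqli object $cn.

```php
<?php
// Added example, not from the posts above. Assumes table "miltb", the form
// field names used in the question, and a connected mysqli object $cn.
// Validation returns an error map; the INSERT runs only when it is empty.

function validateSignup(array $post): array
{
    $errors = [];
    foreach (['fname', 'email', 'password', 'confpass', 'interest', 'info'] as $field) {
        // empty() alone treats "0" as missing; trim() catches whitespace-only input
        if (!isset($post[$field]) || trim((string) $post[$field]) === '') {
            $errors[$field] = "$field is required";
        }
    }
    if (isset($post['email']) && filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'email is not valid';
    }
    if (isset($post['password'], $post['confpass']) && $post['password'] !== $post['confpass']) {
        $errors['confpass'] = 'passwords do not match';
    }
    return $errors;
}

function insertSignup(mysqli $cn, array $post) // returns true, false, or the error map
{
    $errors = validateSignup($post);
    if ($errors !== []) {
        return $errors;              // a refresh with an empty form never writes a row
    }
    $stmt = $cn->prepare(
        'INSERT INTO miltb (name, email, password, interest, info, productorder)
         VALUES (?, ?, ?, ?, ?, ?)'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $cn->error);
    }
    // Values travel as bound parameters, never inside the SQL text, so a quote in
    // the input cannot change the statement. Escape for HTML on output, not here.
    $name = trim($post['fname']);
    $email = trim($post['email']);
    $hash = password_hash($post['password'], PASSWORD_DEFAULT); // check later with password_verify()
    $interest = trim($post['interest']);
    $info = trim($post['info']);
    $order = 'none';
    $stmt->bind_param('ssssss', $name, $email, $hash, $interest, $info, $order);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
```

Call it as `insertSignup($cn, $_POST)` inside the `isset($_POST['submitform'])` branch and render whatever array it returns next to the form.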

