If (isset($_POST ['btnsubmit'])) { not working

I have an enquiry form, and on submit the info gets inserted into the database.

But, when I click the submit button, it doesn't seem to recognise the isset function so that the data gets inserted.

Here is all the code:


if (isset($_POST ['btnsubmit'])) {
// CODE FOR INSERTING DATA
$fname=$_POST['txtfname'];
$lname=$_POST['txtlname'];
$company=$_POST['txtcompany'];
$address=$_POST['txtaddress'];
$pcode=$_POST['txtpcode'];
$email=$_POST['txtemail'];
$tel==$_POST['txttel'];
$fax==$_POST['txtfax'];		
			
mysql_query("insert into Register(FirstName,LastName,Company,Address,PostCode,Email,Tel,Fax) values('$fname','$lname','$company','$address','$pcode','$email','$tel','$fax')") or die ();
$flag=1;
$conf="Insert Data Successfully ";
}


And here is the form:


<form id="ajax-contact-form" method="post" name="form1" action="register.php?index=<?=$index?>" >
<p><input class="required inpt" type="hidden" name="to" value="" /></p>
<p><label>First Name :</label>
<input class="required inpt" type="text" name="txtfname" value="" />
</p>
<p><label>Last Name :</label>
<input class="required inpt" type="text" name="txtlname" value="" />
</p>
<label>Company :</label>
<input class="required inpt" type="text" name="txtcompany" value="" />
</p>
<label>Address :</label>
<textarea name="txtaddress" cols="3" rows=""></textarea>
</p>
<p><label>Post Code :</label>
<input class="required inpt" type="text" name="txtpcode" value="" />
</p>
<p><label>Email address :</label>
<input class="required inpt" type="text" name="txtemail" value="" />
</p>
<p>			
<p>
<p><label>Tel :</label>
<input class="required inpt" type="text" name="txttel" value="" />
</p>
<p><label>Fax :</label>
<input class="required inpt" type="text" name="txtfax" value="" />
</p>
<p>			
<p><label id="load"></label>
<input name="btnsubmit" type="image" class="submitbutton" src="images/submitbutton.png" value="Submit"/>
</p>
</form>
</fieldset>

I know it's the isset bit, because when I take it away, fill in the form and click submit to refresh the page, the info gets uploaded to the database. But obviously I need it to check first that the button has been clicked, rather than the page refreshed.

Cheers

Do not check for a button. Check for a required field.

Hi,

Do you mean something like this?


if (isset($_POST ['btnsubmit'])) {
if($_POST['txtfname']=="")
{
$Err1="blank field";
} else {
// CODE FOR INSERTING DATA
$fname=$_POST['txtfname'];
$lname=$_POST['txtlname'];
$company=$_POST['txtcompany'];
$address=$_POST['txtaddress'];
$pcode=$_POST['txtpcode'];
$email=$_POST['txtemail'];
$tel==$_POST['txttel'];
$fax==$_POST['txtfax'];		
			
mysql_query("insert into Register(FirstName,LastName,Company,Address,PostCode,Email,Tel,Fax) values('$fname','$lname','$company','$address','$pcode','$email','$tel','$fax')") or die ();
$flag=1;
$conf="Insert Data Successfully ";
}
}

But it doesn't work.

No, he means


if (isset($_POST['txtfname'])) { 
  // CODE FOR INSERTING DATA 
  $fname=$_POST['txtfname']; 
  $lname=$_POST['txtlname'];  
  $company=$_POST['txtcompany']; 
  $address=$_POST['txtaddress']; 
  $pcode=$_POST['txtpcode']; 
  $email=$_POST['txtemail']; 
  $tel=$_POST['txttel']; 
  $fax=$_POST['txtfax'];                      
  mysql_query("insert into Register(FirstName,LastName,Company,Address,PostCode,Email,Tel,Fax) values('$fname','$lname','$company','$address','$pcode','$email','$tel','$fax')") or die (); 
  $flag=1; 
  $conf="Insert Data Successfully "; 
}  

By the way, you had some == instead of = in that part of the code ($tel==$_POST['txttel']; ).
And you have to sanitize that user input before using it in a query (mysql_real_escape_string).
And you might want to put some meaningful message in the or die(), for example


or die('Insert error ' . mysql_error());

Never rely on checking for a button because Internet Explorer has a bug still outstanding from years ago where it doesn’t bother to submit the button name and value.

Right OK, ye I got you, and thank you it worked.

I’m trying to pick my way through a book learning PHP, and so if you could elaborate a little further for me on the following sentence, that would be great.

And you have to sanitize that user input before using it in a query (mysql_real_escape_string).

Cheers

If you put user submitted data straight into your database then arbitrary commands ‘could’ be run.

If you read this very interesting article, SQL Injection Attacks by Example, it gives some very simple and easy examples of SQL injection.

What I have noticed now is that when I click submit and I haven't entered any details into the form, it creates an entry in the database with no info in any of the fields.

Do I need to create a check system, is it, to check that all the fields are filled before uploading?

Cheers

Basically a user can input text into your text box which can be dangerous hence you have to use mysql_real_escape_string() on that text before you put it into an SQL string.

I can’t go into details at the mo (busy) but take a look on php.net for the function and have a read - it will show you a few things.

Thank you, will do…

I’m wondering now why I picked that PHP book up.

It’s a minefield of info to get through.

Thanks all anyway

The problem with user input (that is anything in $_GET and $_POST) is that you don’t know where it comes from, and what it contains. Even if you have a dropdown box in your form, a malicious user could easily send values that you didn’t put in the dropdown.

So, before using these values in a query, you have to sanitize them to prevent mysql injection (google for that if you want to know more about it).

The most basic sanitization is:

where “string values” are all those values that you put between quotes in the query.

In the case of your insert query, all values are string values, so you should do something like this (note how I formatted the query to make it more readable, and how I changed the code a bit to get a meaningful message in case of any errors in the query) :


$fname = mysql_real_escape_string($_POST['txtfname']); 
$lname = mysql_real_escape_string($_POST['txtlname']); 
$company = mysql_real_escape_string($_POST['txtcompany']); 
$address = mysql_real_escape_string($_POST['txtaddress']); 
$pcode = mysql_real_escape_string($_POST['txtpcode']); 
$email = mysql_real_escape_string($_POST['txtemail']); 
$tel = mysql_real_escape_string($_POST['txttel']); 
$fax = mysql_real_escape_string($_POST['txtfax']);         
$query = "
  INSERT INTO Register 
    (FirstName, LastName, Company, Address, PostCode, Email, Tel, Fax) 
  VALUES
    ('$fname', '$lname', '$company', '$address', '$pcode', '$email', '$tel', '$fax')
";
mysql_query($query) or die ("insert error : " . mysql_error() . " in query $query");

Of course, before inserting in the database, you might want to check that all compulsory fields have a value, and maybe even that the value is valid, for example the email field has to contain a valid email address. But that’s the next step.

Hi Guido,

Ye thank you for that, it's great to be able to get help like this when you're starting out.

I think my next step is now to check that the fields have input, and also check that it is a valid email address.

Is this possible in one function, and I suppose if any field is empty you don't want the form being uploaded and instead the empty fields are highlighted.

Will have a look around, but if you have a quick link to something that would be great.

Cheers

Lee

I found a nice script that makes sense to me.

This is the function:


function check_input($data, $problem='')
{
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    if ($problem && strlen($data) == 0)
    {
        die($problem);
    }
    return $data;
} 

and this is one of the lines of code:


$yourname = check_input($_POST['yourname'],"Enter your name!"); 

But to get this I would have to take out your mysql_real_escape_string and replace it with the function name check_input.

Could you advise if this is a good move, and if that function offers what you wanted to do with mysql_real_escape_string.

I got it from this site just for interest; http://myphpform.com/required-optional-fields.php

Ta

No, it does the total opposite actually. It converts the string so it's prime for being displayed in a web page and has absolutely no database protection at all.

You might notice also that it actually strips slashes from the input - which is exactly what mysql_real_escape_string puts in.

If we had a special function that did multiple things for security we would have told you, and in this case we did: mysql_real_escape_string.

You don’t have to take our advice but it would help you more if you did.
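
Added example, not part of the thread and not any poster's code: one way to do the three things discussed above (reject empty required fields, validate the email address, keep user input out of the SQL text), using PDO prepared statements in place of mysql_real_escape_string(), since the mysql_* extension was removed in PHP 7.0. Which fields count as required, the in-memory SQLite database (needs pdo_sqlite) and the sample submissions are assumptions made for illustration.

```php
<?php
// Added example, not from the thread. The in-memory SQLite database and the
// sample submissions are constructed so the script runs offline.
const FIELDS = ['txtfname', 'txtlname', 'txtcompany', 'txtaddress',
                'txtpcode', 'txtemail', 'txttel', 'txtfax'];
const REQUIRED = ['txtfname', 'txtlname', 'txtemail']; // assumed compulsory
function validate_registration(array $post): array
{
    $clean = $errors = [];
    foreach (FIELDS as $name) {
        $value = $post[$name] ?? '';              // missing key -> ''
        $clean[$name] = is_string($value) ? trim($value) : ''; // array input -> ''
        if ($clean[$name] === '' && in_array($name, REQUIRED, true)) {
            $errors[$name] = 'required';
        }
    }
    $email = $clean['txtemail'];
    if ($email !== '' && filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['txtemail'] = 'not a valid email address';
    }
    return [$clean, $errors];
}
function insert_registration(PDO $db, array $clean): void
{
    // Placeholders keep values out of the SQL text: a quote is stored as data.
    $stmt = $db->prepare('INSERT INTO Register
        (FirstName, LastName, Company, Address, PostCode, Email, Tel, Fax)
        VALUES (?, ?, ?, ?, ?, ?, ?, ?)');
    $stmt->execute(array_values($clean)); // FIELDS order matches column order
}
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Register (FirstName, LastName, Company, Address, PostCode, Email, Tel, Fax)');
$submissions = [
    [], // submit clicked with nothing filled in
    ['txtfname' => 'Ann', 'txtlname' => "O'Brien", 'txtemail' => 'ann@example.com'],
];
foreach ($submissions as $post) {
    [$clean, $errors] = validate_registration($post);
    if ($errors) {
        echo 'rejected: ', implode(', ', array_keys($errors)), "\n";
        continue;
    }
    insert_registration($db, $clean);
}
// htmlspecialchars() belongs at output, when a stored value is written into HTML.
foreach ($db->query('SELECT LastName FROM Register') as $row) {
    echo htmlspecialchars($row['LastName'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

The empty submission is rejected before any query runs; the second is stored with its apostrophe intact and is HTML-escaped only when echoed.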