If (isset($_POST ['btnsubmit'])) { not working

multichild · May 12, 2011, 8:31am

I have an enquiry form, and on submit the info gets inserted into the database.

But, when I click the submit button, it doesnt seem to recognise the isset function so that the data gets inserted.

Here is all the code:


if (isset($_POST ['btnsubmit'])) {
// CODE FOR INSERTING DATA
$fname=$_POST['txtfname'];
$lname=$_POST['txtlname'];
$company=$_POST['txtcompany'];
$address=$_POST['txtaddress'];
$pcode=$_POST['txtpcode'];
$email=$_POST['txtemail'];
$tel==$_POST['txttel'];
$fax==$_POST['txtfax'];		
			
mysql_query("insert into Register(FirstName,LastName,Company,Address,PostCode,Email,Tel,Fax) values('$fname','$lname','$company','$address','$pcode','$email','$tel','$fax')") or die ();
$flag=1;
$conf="Insert Data Successfully ";
}

And here is the form:


<form id="ajax-contact-form" method="post" name="form1" action="register.php?index=<?=$index?>" >
<p><input class="required inpt" type="hidden" name="to" value="" /></p>
<p><label>First Name :</label>
<input class="required inpt" type="text" name="txtfname" value="" />
</p>
<p><label>Last Name :</label>
<input class="required inpt" type="text" name="txtlname" value="" />
</p>
<label>Company :</label>
<input class="required inpt" type="text" name="txtcompany" value="" />
</p>
<label>Address :</label>
<textarea name="txtaddress" cols="3" rows=""></textarea>
</p>
<p><label>Post Code :</label>
<input class="required inpt" type="text" name="txtpcode" value="" />
</p>
<p><label>Email address :</label>
<input class="required inpt" type="text" name="txtemail" value="" />
</p>
<p>			
<p>
<p><label>Tel :</label>
<input class="required inpt" type="text" name="txttel" value="" />
</p>
<p><label>Fax :</label>
<input class="required inpt" type="text" name="txtfax" value="" />
</p>
<p>			
<p><label id="load"></label>
<input name="btnsubmit" type="image" class="submitbutton" src="images/submitbutton.png" value="Submit"/>
</p>
</form>
</fieldset>

I know its the isset bit, because when I take it away, fill in the form and click submit to refersh the page, the info gets uploaded to the database. But obviously I need it check first that the button has been clicked, rather than the page refreshed.

Cheers

logic_earth · May 12, 2011, 8:33am

Do not check for a button. Check for a required field.

multichild · May 12, 2011, 8:54am

Hi,

Do you mean something like this.


if (isset($_POST ['btnsubmit'])) {
if($_POST['txtfname']=="")
{
$Err1="blank field";
} else {
// CODE FOR INSERTING DATA
$fname=$_POST['txtfname'];
$lname=$_POST['txtlname'];
$company=$_POST['txtcompany'];
$address=$_POST['txtaddress'];
$pcode=$_POST['txtpcode'];
$email=$_POST['txtemail'];
$tel==$_POST['txttel'];
$fax==$_POST['txtfax'];		
			
mysql_query("insert into Register(FirstName,LastName,Company,Address,PostCode,Email,Tel,Fax) values('$fname','$lname','$company','$address','$pcode','$email','$tel','$fax')") or die ();
$flag=1;
$conf="Insert Data Successfully ";
}
}

But it doesnt work.

DarthGuido · May 12, 2011, 9:14am

No, he means


if (isset($_POST['txtfname'])) { 
  // CODE FOR INSERTING DATA 
  $fname=$_POST['txtfname']; 
  $lname=$_POST['txtlname'];  
  $company=$_POST['txtcompany']; 
  $address=$_POST['txtaddress']; 
  $pcode=$_POST['txtpcode']; 
  $email=$_POST['txtemail']; 
  $tel=$_POST['txttel']; 
  $fax=$_POST['txtfax'];                      
  mysql_query("insert into Register(FirstName,LastName,Company,Address,PostCode,Email,Tel,Fax) values('$fname','$lname','$company','$address','$pcode','$email','$tel','$fax')") or die (); 
  $flag=1; 
  $conf="Insert Data Successfully "; 
}

By the way, you had some == instead of = in that part of the code ($tel==$_POST[‘txttel’]; ).
And you have to sanitize that user input before using it in a query (mysql_real_escape_string).
And you might want to put some meaningful message in the or die(), for example


or die('Insert error ' . mysql_error());

tangoforce · May 12, 2011, 9:17am

Never rely on checking for a button because Internet Explorer has a bug still outstanding from years ago where it doesn’t bother to submit the button name and value.

multichild · May 12, 2011, 9:32am

Right OK, ye I got you, and thank you it worked.

I’m trying to pick my way through a book learning PHP, and so if you could elaborate a little further for me on the following sentence, that would be great.

And you have to sanitize that user input before using it in a query (mysql_real_escape_string).

Cheers

SpikeZ · May 12, 2011, 9:37am

If you put user submitted data straight into your database then arbitrary commands ‘could’ be run.

If you read this very interesting article, SQL Injection Attacks by Example it gives some very simple and easy examples of SQL injection.

multichild · May 12, 2011, 9:39am

What I have noticed now, is that when I click submit and I havent entered any details into the form, it creates an entry in the database with no info in any of the fields.

Do I need to create a check system is it, to check that all the fields are filled before uploading.

Cheers

tangoforce · May 12, 2011, 9:41am

Basically a user can input text into your text box which can be dangerous hence you have to use mysql_real_escape_string() on that text before you put it into an SQL string.

I can’t go into details at the mo (busy) but take a look on php.net for the function and have a read - it will show you a few things.

multichild · May 12, 2011, 9:44am

Thank you, will do…

I’m wondering now why I picked that PHP book up.

It’s a minefield of info to get through.

Thanks all anyway

DarthGuido · May 12, 2011, 9:46am

The problem with user input (that is anything in $_GET and $_POST) is that you don’t know where it comes from, and what it contains. Even if you have a dropdown box in your form, a malicious user could easily send values that you didn’t put in the dropdown.

So, before using these values in a query, you have to sanitize them to prevent mysql injection (google for that if you want to know more about it).

The most basic sanitization is:

cast numeric values with (int)
put string values through mysql_real_escape_string()

where “string values” are all those values that you put between quotes in the query.

In the case of your insert query, all values are string values, so you should do something like this (note how I formatted the query to make it more readable, and how I changed the code a bit to get a meaningful message in case of any errors in the query) :


$fname = mysql_real_escape_string($_POST['txtfname']); 
$lname = mysql_real_escape_string($_POST['txtlname']); 
$company = mysql_real_escape_string($_POST['txtcompany']); 
$address = mysql_real_escape_string($_POST['txtaddress']); 
$pcode = mysql_real_escape_string($_POST['txtpcode']); 
$email = mysql_real_escape_string($_POST['txtemail']); 
$tel = mysql_real_escape_string($_POST['txttel']); 
$fax = mysql_real_escape_string($_POST['txtfax']);         
$query = "
  INSERT INTO Register 
    (FirstName, LastName, Company, Address, PostCode, Email, Tel, Fax) 
  VALUES
    ('$fname', '$lname', '$company', '$address', '$pcode', '$email', '$tel', '$fax'
";
mysql_query($query) or die ("insert error : " . mysql_error() . " in query $query");

Of course, before inserting in the database, you might want to check that all compulsory fields have a value, and maybe even that the value is valid, for example the email field has to contain a valid email address. But that’s the next step.

multichild · May 12, 2011, 10:17am

Hi Guido,

Ye thank you for that, its great to be able to get help like this when your starting out.

I think my next step is now to check that the fields have input, and also check that it is a valid email address.

Is this possible in one function, and i suppose if any field is empty you dont want the form being uploaded and instead the empty fields are highlighted.

Will have a look around, but if you have a quick link to something that would be great.

Cheers

Lee

multichild · May 12, 2011, 10:47am

I found a nice script that make sense to me.

This is the function:


function check_input($data, $problem='')
{
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    if ($problem && strlen($data) == 0)
    {
        die($problem);
    }
    return $data;
}

and this is one of the lines of code:


$yourname = check_input($_POST['yourname'],"Enter your name!");

But to get this I would have to take out your mysql_real_escape_string and replace it with the function name check_input.

Could you advise if this is a good move, and if that function offers what you wanted to do with mysql_real_escape_string.

I got it from this site just for interest; http://myphpform.com/required-optional-fields.php

Ta

tangoforce · May 12, 2011, 6:02pm

No it does the total opposite actually. It converts the string so its prime for being displayed in a web page and has absolutely no database protection at all.

You might notice also that it actually strips slashes from the input - which is exactly what mysql_real_escape_string puts in.

If we had a special function that did multiple things for security we would of told you and in this case we did- mysql_real_escape_string.

You don’t have to take our advice but it would help you more if you did.

Topic		Replies	Views
If (isset($_POST['submit']) Not Working Correctly PHP	7	26337	October 8, 2014
Won't Insert to Database PHP	9	1086	October 8, 2014
Falling to insert into a MySQL database PHP	9	2070	June 3, 2018
Why isn't this working PHP	11	718	February 22, 2017
Does not post PHP	5	547	May 28, 2011

If (isset($_POST ['btnsubmit'])) { not working

Related topics