Problem with PHP script allowing empty strings to be inserted into mySQL table

I have a form which allows a backend manager to enter up to 3 email addresses into a simple mySQL table (which has just 2 fields- ID, which is an auto-incrementing primary key, and the Email address field, just a Varchar)

The problem is that as it stands, if they enter just one email address and leave the other two form fields empty, empty values get inserted as new records in the table.

This is the script:


if($_POST['addnewemail'])
{
  // Grab the data from the first Add a New Email form and assign to variables
  $emailaddress = $_POST['_EmailAddress'];
  $emailaddress2 = $_POST['_EmailAddress2'];
  $emailaddress3 = $_POST['_EmailAddress3'];

// Build SQL Query


$query = "INSERT INTO emailcontacts (Email) VALUES ('$emailaddress'), ('$emailaddress2'), ('$emailaddress3')"; // specify the table and field names for the SQL query

if($result = mysql_query($query))
{
//go to the new member confirmation page
		header('location: admin_confirmed.php');
		exit;
}
else
{
echo "ERROR: ".mysql_error();
}

I tried setting different queries based on whether or not the various variables were empty, using if empty and if !empty, but that didn’t work.

What I want is for it to just enter new records for when the various form fields and coresponding variables have actual values.

I can’t really force the user to enter three new email addresses each time as they may not have that many to add.

Any ideas?

Well, first off you don’t have any checks in there to verify whether the field is empty or not so it’s going to insert 3 records because that’s what your query is telling it to do.

something like this would help with that (syntax might not be 100%)



if($_POST['addnewemail']) 
{ 
   $emailaddress = array();

  // Grab the data from the first Add a New Email form and assign to variables 
  $emailaddress[] = mysql_real_escape_string($_POST['_EmailAddress']); 
  $emailaddress[] =  mysql_real_escape_string$_POST['_EmailAddress2']); 
  $emailaddress[] =  mysql_real_escape_string$_POST['_EmailAddress3']); 

// Build SQL Query  
foreach($emailaddress as $email)
{

if(strlen(trim($email)) > 0)
{
    $query = "INSERT INTO emailcontacts (Email) VALUES ('$email)"; // specify the table and field names for the SQL query 

   if($result = mysql_query($query))  
   {   
      continue;
    }
    else
   {
      echo "ERROR: ".mysql_error();  
      exit;  
   }

   unset($query);
}
}

header('location: admin_confirmed.php'); 
exit; 


A few things to note.

  1. You don’t have any type of input check going on. Your script is wide open for SQL injections. I’ve added mysql_real_escape_string to the variables to escape any funny business.
  2. You can use an array in your form. This will allow you to not have to individually name each input as _Emailaddress1, 2 3 etc.

<input type='text' name='emailaddress[]' value=''>

  1. You can do checking on the form using jquery to not allow a user to submit until all fields are completed.

hope this helps

Thanks for these details. I’ll give it a go and see how I get on.