I have a form which allows a backend manager to enter up to 3 email addresses into a simple mySQL table (which has just 2 fields- ID, which is an auto-incrementing primary key, and the Email address field, just a Varchar)
The problem is that as it stands, if they enter just one email address and leave the other two form fields empty, empty values get inserted as new records in the table.
This is the script:
if($_POST['addnewemail'])
{
// Grab the data from the first Add a New Email form and assign to variables
$emailaddress = $_POST['_EmailAddress'];
$emailaddress2 = $_POST['_EmailAddress2'];
$emailaddress3 = $_POST['_EmailAddress3'];
// Build SQL Query
$query = "INSERT INTO emailcontacts (Email) VALUES ('$emailaddress'), ('$emailaddress2'), ('$emailaddress3')"; // specify the table and field names for the SQL query
if($result = mysql_query($query))
{
//go to the new member confirmation page
header('location: admin_confirmed.php');
exit;
}
else
{
echo "ERROR: ".mysql_error();
}
I tried setting different queries based on whether or not the various variables were empty, using if empty and if !empty, but that didn’t work.
What I want is for it to just enter new records for when the various form fields and coresponding variables have actual values.
I can’t really force the user to enter three new email addresses each time as they may not have that many to add.
Well, first off you don’t have any checks in there to verify whether the field is empty or not so it’s going to insert 3 records because that’s what your query is telling it to do.
something like this would help with that (syntax might not be 100%)
if($_POST['addnewemail'])
{
$emailaddress = array();
// Grab the data from the first Add a New Email form and assign to variables
$emailaddress[] = mysql_real_escape_string($_POST['_EmailAddress']);
$emailaddress[] = mysql_real_escape_string$_POST['_EmailAddress2']);
$emailaddress[] = mysql_real_escape_string$_POST['_EmailAddress3']);
// Build SQL Query
foreach($emailaddress as $email)
{
if(strlen(trim($email)) > 0)
{
$query = "INSERT INTO emailcontacts (Email) VALUES ('$email)"; // specify the table and field names for the SQL query
if($result = mysql_query($query))
{
continue;
}
else
{
echo "ERROR: ".mysql_error();
exit;
}
unset($query);
}
}
header('location: admin_confirmed.php');
exit;
A few things to note.
You don’t have any type of input check going on. Your script is wide open for SQL injections. I’ve added mysql_real_escape_string to the variables to escape any funny business.
You can use an array in your form. This will allow you to not have to individually name each input as _Emailaddress1, 2 3 etc.