Home/ Questions/Q 6342913
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-24T20:20:00+00:00

I’m trying to validate my form before inserting into database with this code, but

  • 0

I’m trying to validate my form before inserting into database with this code, but I keeps printin ‘You missed a value. I would like your help to figure out the problem.

Thanks

<?php
 $username   = mysql_real_escape_string($_POST['username']);
 $pword      = mysql_real_escape_string($_POST['passwd']);
 $fname      = mysql_real_escape_string($_POST['firstname']);
 $lname      = mysql_real_escape_string($_POST['lastname']);
 $email      = mysql_real_escape_string($_POST['email']);
 $telephone  = mysql_real_escape_string($_POST['telephone']);
 $ad1        = mysql_real_escape_string($_POST['ad1']);
 $ad2        = mysql_real_escape_string($_POST['street']);
 $ad3        = mysql_real_escape_string($_POST['town']);
 $pcode      = mysql_real_escape_string($_POST['pcode']);


 if( $username == " " || $pword == " " || $fname == " " || $lname == " " || $email == " ")

    echo 'You missed a value';  
    exit();

    $con = mysql_connect("localhost","root","");
    if (!$con)
    {
      die('Could not connect: ' . mysql_error());
    }

  mysql_select_db("people", $con);

//$description = mysql_real_escape_string($_POST[description]);
    $pword = md5($pword);
    $sql="INSERT INTO members (username, pword, fname, lname, email, telephone, ad1, ad2, ad3, pcode)
VALUES
('$username','$pword','$fname', '$lname', '$email','$telephone','$ad1','$ad2','$ad3','$pcode')";


  if (!mysql_query($sql,$con)){
   die('Error: ' . mysql_error());
   }
   echo "1 record added";

 mysql_close($con)
?>
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team
    if( $username == '' || $pword == '' || $fname == '' || $lname == '' || $email == '')

    You are assigning an empty space to the variables by doing $var = "", instead of comparing with with the comparison operators $var == '', or stricter $var === ''.

    This would be a little bit cleaner code to follow and maintain:

    function sqlEscape($string){
    return "'".mysql_real_escape_string($string)."'";
}

if(     $_POST['username']  == '' 
    ||  $_POST['passwd']    == ''
    ||  $_POST['firstname'] == '' 
    ||  $_POST['lastname']  == ''
    ||  $_POST['email']     == '')
{ 
    exit('You missed a value');
}

$con = mysql_connect('localhost', 'root', '');
if (!$con){
  die('Could not connect: ' . mysql_error());
}

mysql_select_db('people', $con);

//$description = mysql_real_escape_string($_POST[description]);
$pword = md5($_POST['passwd']);
$sql = sprintf('INSERT INTO members (username, pword, fname, lname, email, telephone, ad1, ad2, ad3, pcode) 
                VALUES(%s, %s, %s, %s, %s, %s, %s, %s, %s, %s)', 
                sqlEscape($_POST['username']),
                sqlEscape($pword),
                sqlEscape($_POST['firstname']),
                sqlEscape($_POST['lastname']),
                sqlEscape($_POST['email']),
                sqlEscape($_POST['telephone']),
                sqlEscape($_POST['ad1']),
                sqlEscape($_POST['street']),
                sqlEscape($_POST['town']),
                sqlEscape($_POST['pcode']));

if (!mysql_query($sql,$con)){
    die('Error: ' . mysql_error());
}

echo '1 record added';

mysql_close($con)

    I added in a function (sqlEscape) to run all the mysql_real_escape_string, just to make the escapes a piece of cake. Notice that I am calling this function after the MySQL connection has been established, because mysql_real_escape_string will NOT work without a connection.

    • 0