
I have a few input types on a form and a submit button, as follows:

<form id="register_form" method="post" role="form" action="">
    <input autofocus="" id="firstname" name="firstname" placeholder="First Name" type="text" required />
    <textarea id="Address" name="Adress" placeholder="No Address" type="text" rows="3" cols="30"></textarea>
    <select id="country" name="country" required>
            <option selected>Choose</option>
            <option value="10">Germany</option>
            <option value="11">Poland</option>
            <option value="12">United Kingdom</option>
    </select>
    <button type="submit">Submit My New Entry</button>
</form>

Also I have PHP code for submitting my data to a SQLite database:

<?php
try {
    //open the database
    $db = new PDO('sqlite:db/users.db');

    $firstname = $_POST["firstname"]; 
    $Address = $_POST["Address"];
    $country = $_POST["country"];
    
    //Insert record  
    $db->exec("INSERT INTO details 
                        (firstname, Address, country) 
                VALUES ('$firstname', '$Address', '$country')");

    $db = NULL;
} catch(PDOException $e) {
    print 'Exception : ' .$e->getMessage();
}
?>

My problem is that every time I refresh the page, the script registers a new entry in my database with empty fields, even if some input fields are marked as required or the database table is set to roll back on NULL values (both are ignored).
How can I avoid this?

PS. required works only if I press the submit button.

2 Answers


  1. Your PHP script contains both the PHP and the HTML (the form), so if you load this script, the PHP script will be triggered immediately, which will insert a blank record.

    (1) So, you should slightly amend the page so that the PHP part runs only if there is a form submission by POST (when someone submits the form), by adding, say:

    if (isset($_POST["firstname"])) {
        // the PHP code
    }

    (2) There is a typo in your HTML form: name="Adress" should be name="Address".

    (3) Please use a parameterized prepared statement in your PHP insert query to avoid SQL injection attacks.

    So the code is:

    <?php
    if (isset($_POST["firstname"])) {
        try {
            //open the database
            $pdo = new PDO('sqlite:db/users.db');

            $firstname = $_POST["firstname"];
            $Address = $_POST["Address"];
            $country = $_POST["country"];

            // the values are bound by name instead of being pasted into the SQL string
            $data = [
                'firstname' => $firstname,
                'Address' => $Address,
                'country' => $country,
            ];

            $sql = "INSERT INTO details (firstname, Address, country) VALUES (:firstname, :Address, :country)";

            $stmt = $pdo->prepare($sql);
            $stmt->execute($data);

            $pdo = NULL;
        } catch (PDOException $e) {
            print 'Exception : ' . $e->getMessage();
        }
    }
    ?>

    <form id="register_form" method="post" role="form" action="#">
    <table border=0>
    <tr><td>First Name:
        <td><input autofocus="" id="firstname" name="firstname" placeholder="First Name" type="text" required />
    <tr><td>Address:
        <td><textarea id="Address" name="Address" placeholder="No Address" type="text" rows="3" cols="30"></textarea>
    <tr><td>Country:
        <td><select id="country" name="country" required>
                <option selected>Choose</option>
                <option value="10">Germany</option>
                <option value="11">Poland</option>
                <option value="12">United Kingdom</option>
            </select>
    <tr><td><button type="submit">Submit My New Entry</button>
    </table>
    </form>
  2. You just need to block the code from running.

    This code checks for the POST data and checks that there is content.
    Then it runs the database processing.

    PHP:

    <?php
    function processData()
    {
      try
      {
        // $_POST is keyed by field name, so read each field explicitly
        // (list() only works with numeric keys)
        $firstname = $_POST["firstname"];
        $address = $_POST["address"];
        $country = $_POST["country"];
        $db = new PDO('sqlite:db/users.db');
        // prepare() returns the statement; values are bound on it, not on the connection
        $stmt = $db->prepare("INSERT INTO details (firstname, address, country) VALUES (:firstname, :address, :country)");
        $stmt->bindValue(":address", $address, PDO::PARAM_STR);
        $stmt->bindValue(":country", $country, PDO::PARAM_STR);
        $stmt->bindValue(":firstname", $firstname, PDO::PARAM_STR);
        $stmt->execute();
      }
      catch (PDOException $e)
      {
        printf("Exception : %s", $e->getMessage());
      }
    }
    // only run the insert when all three fields were posted with content
    if (
      !empty($_POST["firstname"])
      && !empty($_POST["address"])
      && !empty($_POST["country"])
    )
    {
      processData();
    }
    ?>
    

    HTML:

    <form
      action=""
      id="register_form"
      method="post"
      role="form"
    >
      <input
        autofocus
        id="firstname"
        name="firstname"
        placeholder="First Name"
        type="text"
        required
      />
      <textarea
        id="address"
        name="address"
        placeholder="No address"
        type="text"
        rows="3"
        cols="30"
      ></textarea>
      <select
        id="country"
        name="country"
        required
      >
        <option disabled selected>Choose</option>
        <option value="10">Germany</option>
        <option value="11">Poland</option>
        <option value="12">United Kingdom</option>
      </select>
      <button type="submit">Submit My New Entry</button>
    </form>
    
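Pulling together the points made in both answers (run the insert only on a form submission, and bind the values instead of pasting them into the SQL), here is an added example that is not code from the question or from either answer. It assumes the same form field names and the details(firstname, Address, country) table in db/users.db, and it also shows two things the answers leave out: validating on the server, since the HTML required attribute is enforced only by the browser, and redirecting after a successful insert so that a refresh does not re-send the form.

```php
<?php
// Added example (not from the question or the answers); it assumes the form
// above and the table details(firstname, Address, country) in db/users.db.
/** Handle one submission; returns error messages, or an empty array on success. */
function handleSubmission(array $post): array
{
    // The HTML `required` attribute is enforced only by the browser, so the
    // server validates again: any client can send an arbitrary request.
    $firstname = trim((string)($post['firstname'] ?? ''));
    $address   = trim((string)($post['Address'] ?? ''));
    $country   = (string)($post['country'] ?? '');
    $errors = [];
    if ($firstname === '') {
        $errors[] = 'First name is required.';
    }
    if (!in_array($country, ['10', '11', '12'], true)) { // the <option> values
        $errors[] = 'Please choose a country.';
    }
    if ($errors) {
        return $errors;
    }
    try {
        $pdo = new PDO('sqlite:db/users.db', null, null,
            [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]); // NOT NULL violations throw
        // Parameterised statement: values are bound separately and never become
        // part of the SQL text, so quotes in the input cannot alter the query.
        $stmt = $pdo->prepare('INSERT INTO details (firstname, Address, country)
                               VALUES (:firstname, :address, :country)');
        $stmt->execute([
            ':firstname' => $firstname,
            ':address'   => $address,
            ':country'   => (int)$country,
        ]);
    } catch (PDOException $e) {
        error_log($e->getMessage()); // keep driver details out of the response
        return ['Could not save the entry.'];
    }
    return [];
}
// Only a real POST touches the database; a page load or refresh is a GET.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = handleSubmission($_POST);
    if ($errors === []) {
        // Redirect so a refresh re-requests the page with GET (Post/Redirect/Get).
        header('Location: ' . $_SERVER['REQUEST_URI'], true, 303);
        exit;
    }
    foreach ($errors as $msg) echo htmlspecialchars($msg, ENT_QUOTES, 'UTF-8'), '<br>';
}
?>
```

Put this block at the top of the page file, before the form markup, so the form is rendered on every GET and the insert runs only for a validated POST.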