1

When the user clicks Save, check whether the record is successfully inserted into the table, and display a proper message accordingly. If the form fields are empty, then an error message should be shown and the database should not have any record.

//SAVE

if (isset($_POST['SAVE'])) {
    $Name = $_POST['name'];
    $City = $_POST['city'];
    $query = "Insert Into Info Values('$Name','$City')";
    $result = mysqli_query($con, $query) or die ("query is failed" . mysqli_error($con));
    $Name = '';
    $City = '';
    if(mysqli_affected_rows($con)>0) {
        echo "record is saved";
    }else {
        echo "record is not saved";
    }
}

I can only do validation through PHP. I am not sure if I am doing this right. So far I can get the "record is saved" message on my form, but I cannot get the latter if the form is empty. It just makes an empty record in my database.

  • You need to be using prepared statements, either via mysqli or PDO. Commented Oct 29, 2018 at 1:06
  • You could use !empty instead of isset, and check all three fields. Commented Oct 29, 2018 at 1:11
  • Why not check the values too, using !empty and isset inside your PHP? Commented Oct 29, 2018 at 1:45
  • Using !empty still adds the empty entry to my table. Commented Oct 29, 2018 at 1:45
  • @Atheya Empty like spaces? Commented Oct 29, 2018 at 1:46

2 Answers

1

Untested Code:

mysqli_report(MYSQLI_REPORT_OFF);  // PHP 8.1+ throws exceptions by default; this chain relies on return values
if (!isset($_POST['SAVE'], $_POST['name'], $_POST['city'])) {  // avoid Notices
    echo "Missing required submission data";
} elseif (!strlen(trim($_POST['name']))) {  // validate however you wish
    echo "Name data is not valid";  // explain however you wish
} elseif (!strlen(trim($_POST['city']))) {  // validate however you wish
    echo "City data is not valid";  // explain however you wish
} elseif (($con = new mysqli("localhost", "root", "", "db")) && $con->connect_error) {  // new mysqli() always returns an object, so check connect_error
    echo "Connection Failure"; // $con->connect_error <-- never show actual error details to public
} elseif (!$stmt = $con->prepare("INSERT INTO Info VALUES (?,?)")) {
    echo "Error @ prepare"; // $con->error;  // don't show to public
} elseif (!$stmt->bind_param("ss", $_POST['name'], $_POST['city'])) {
    echo "Error @ bind";  // $stmt->error;  // don't show to public
} elseif (!$stmt->execute()) {
    echo "Error @ execute";  // $stmt->error;  // don't show to public
} else {
    echo "Insert Successful"; 
}

The validation conditions on the submission data ensure that the values are not empty and they are not completely comprised of whitespace characters. If you wish to refine the validation requirement further, just update the conditions.

If you want to simply ensure that $_POST['name'] and $_POST['city'] are not empty, you can replace the first three conditionals with

if (empty($_POST['SAVE']) || empty($_POST['name']) || empty($_POST['city'])) {
    echo "Submission data is missing/invalid";
}...

If you don't use a prepared statement, then name values like Paul O'Malley will break your query. Worse, if someone wants to try to run some injection attacks, your query is vulnerable.

Checking affected_rows() is unnecessary. If there is no error message from the query execution, the INSERT query was a success.

The above suggestions are all best practices which I urge you to adopt.
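An added example, not part of the original answer: the validate-then-insert flow with bound parameters, run end to end against constructed submissions. It assumes the pdo_sqlite extension and uses an in-memory SQLite table as a stand-in for the MySQL Info table; the column names and the helpers validateSubmission() and saveRecord() are hypothetical.

```php
<?php
// Added example: in-memory SQLite via PDO stands in for the page's MySQL "Info" table.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE Info (Name TEXT NOT NULL, City TEXT NOT NULL)');

// Hypothetical helper: returns the list of validation errors for a submission.
function validateSubmission(array $post): array
{
    $errors = [];
    foreach (['name', 'city'] as $field) {
        // Missing, non-string (e.g. name[]=x) or whitespace-only values are rejected.
        if (!isset($post[$field]) || !is_string($post[$field]) || trim($post[$field]) === '') {
            $errors[] = "$field is required";
        }
    }
    return $errors;
}

// Hypothetical helper: validates first, then inserts with bound parameters.
function saveRecord(PDO $pdo, array $post): string
{
    $errors = validateSubmission($post);
    if ($errors) {
        return 'record is not saved: ' . implode(', ', $errors);
    }
    try {
        $stmt = $pdo->prepare('INSERT INTO Info (Name, City) VALUES (?, ?)');
        $stmt->execute([trim($post['name']), trim($post['city'])]);
        return 'record is saved';
    } catch (PDOException $e) {
        error_log($e->getMessage());  // details go to the log, not to the page
        return 'record is not saved';
    }
}

// Constructed sample submissions: empty, whitespace-only, and a name with a quote.
$samples = [
    ['SAVE' => '1', 'name' => '',              'city' => ''],
    ['SAVE' => '1', 'name' => '   ',           'city' => 'Cork'],
    ['SAVE' => '1', 'name' => "Paul O'Malley", 'city' => 'Cork'],
];
foreach ($samples as $post) {
    echo saveRecord($pdo, $post), PHP_EOL;
}
echo 'rows in Info: ', $pdo->query('SELECT COUNT(*) FROM Info')->fetchColumn(), PHP_EOL;
```

Only the third submission reaches the database; the apostrophe in the name is passed as data through the bound parameter and never becomes part of the SQL text.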


1

Checking isset($_POST['SAVE']) only tells you if "SAVE" is set. It does not tell you if the fields have values.

To do the validation in PHP, use something like the following:

if (isset($_POST['SAVE'])) {
    $Name = $_POST['name'];
    $City = $_POST['city'];
    if ($Name && $City)
    {
       //...
       //code to insert data into the database goes here
       //...

       if(mysqli_affected_rows($con)>0) {
          echo "record is saved";
       }else {
          echo "record is not saved (error saving)";
       }
    } else {
       echo "record is not saved (input was empty)";
    }
}

The key being the if ($Name && $City) check.

Alternately, if you want to rely on MySQL to reject the insert on blank values, then make sure the fields in the MySQL table are not nullable and then change this part of your code (but this would be moving the validation to MySQL):

$Name = $_POST['name']?$_POST['name']:null;
$City = $_POST['city']?$_POST['city']:null;

6 Comments

Can't wait to see the explanation from the down voter. OP says he wants to do validation in PHP. This is the way to do that.
@mickmackusa OP said "I can only do validation through php." Further, the question has nothing to do with security. I did not write any queries in my answer. I did not show the world anything about writing queries. I used the OP's code. All I did was add an if statement to check that there was a value in Name and City. This answered the OP's question exactly.
@EvandelaCruz thank you very much. I am a beginner at php and this was confusing me.
@mickmackusa The bad query is irrelevant. Using prepared statements is irrelevant. On SO we answer the question. We don't make a bunch of assumptions.
@mickmackusa OK there you go. I'll look forward to your up vote