Insert Into using if else-if statement - PHP Server Side Scripting forum at WebmasterWorld - WebmasterWorld

Forum Moderators: coopster

Message Too Old, No Replies

Insert Into using if else-if statement

Amy Ra Ra Ra

12:18 am on Jul 11, 2012 (gmt 0)

10+ Year Member

<?php
$email = $_POST['email'];
$persons_name = $_POST['name'];
$phone = $_POST['phone'];
$website_address = $_POST['websiteaddress'];

$query = "INSERT INTO free_estimate_c (email, name, phone, website_address )" .
"VALUES ('$email', '$persons_name', '$phone', '$website_address')";

$dbc = mysqli_connect('hostloacation', 'username, 'password', 'databasename')
or die('Error connecting to MySQL server.')

if ((empty($email))&&(empty($name))&&(empty($phone))&&(empty($website_address))){
echo "Fill in your information and we will contact you shortly";
?>

<form action="while_statement.php" method="post">
<label for="name">Name: </label><br />
<input type="text" id="name" size="60" name="name" value="<?php echo $persons_name; ?>" />
<br />
<br />
<label for="email">Email:</label><br />
<input type="text" id="email name="email" value="<?php echo $email; ?>" />
<br />
<br />
<label for="phone">Phone:</label><br />
<input type="text" id="phone" name="phone" value="<?php echo $phone; ?>" />
<br />
<br />
<label for="websiteaddress">Web Site Address:</label><br />
<input type="text" id="websiteaddress" name="websiteaddress" value="<?php echo $website_address; ?>" />
<br />
<br />
<input type="submit" value="submit" name="submit"/>
</form>
<?php
//closing first if statment
}
//if all fields are filled in insert form info into database
else if ((!empty($persons_name))&&(!empty($email))&&(!empty($phone))&&(!empty($website_address))){
mysqli_query ($dbc, $query);
}
?>

rocknbil

3:59 pm on Jul 11, 2012 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

You're not filtering input, this is dangerous . . . anyway find out what's wrong like so.

mysqli_query ($dbc, $query) or die("cannot insert data: " . mysqli_error());

Not sure if "name" is reserved or not. Start with backticks (not quotes)

$query = "INSERT INTO free_estimate_c (`email`, `name`, `phone`, `website_address` ) VALUES ('$email', '$persons_name', '$phone', '$website_address')";

First note that concatenation is not necessary, the entire string is delimited by " "

At the very least, use the escape string functions. This does not cleanse your data, but makes it safe for database inserts. You can still get a mysql injection, but now it might actually insert. :-) Now you'll need concatenation to add the function output.

$query = "INSERT INTO free_estimate_c
(`email`, `name`, `phone`, `website_address`)
VALUES (" .
'" . mysqli_real_escape_string ($email) . "',
'" . mysqli_real_escape_string ($persons_name) . "',
'" . mysqli_real_escape_string ($phone) . "',
'" . mysqli_real_escape_string ($website_address) .
"')";

Note that this must come AFTER you open the database connection or it will error. Move it below where you open the connection.

I'd also change this:

if ((empty($email))&&(empty($name))&&(empty($phone))&&(empty($website_address))){
echo "Fill in your information and we will contact you shortly";

This means "if everything is empty." You want OR here (or the symbolic or, || ) for any required fields. If it's all fields,

if (empty($email) or empty($name) or empty($phone) or empty($website_address)){
echo "<p>Fill in your information and we will contact you shortly</p>";

You also had superfluous ()'s

echo empty($variable); // will echo true or false, 1 or 0, depending
echo (empty($variable)); // same thing, more points to encounter errors in typos

Amy Ra Ra Ra

11:20 pm on Jul 12, 2012 (gmt 0)

10+ Year Member

rocknbil it didn't work, so I did the following and it still did not work, please help me:

<?php
$email = $_POST['email'];
$persons_name = $_POST['name'];
$phone = $_POST['phone'];
$website_address = $_POST['websiteaddress'];

$dbc = mysqli_connect('host', 'username', 'password', 'databasename')
or die('Error connecting to MySQL server.');

/*
Rocknbill I added the backwards single quote as you said.
I didn't understand why you put in the single and double quotes that you did ealier so I did the following, shoudn't this work just fine?
*/

$query = "INSERT INTO free_estimate_c (`email`, `name`, `phone`, `website_address`)" .
"VALUES ('$email', '$persons_name', '$phone', '$website_address')";

// I used or instead of and as you said to do

if (empty($email) or empty($persons_name) or empty($phone) or empty($website_address)){
echo "<p>Fill in your information</p>";
}

else if ((!empty($persons_name))&&(!empty($email))&&(!empty($phone))&&(!empty($website_address))){
mysqli_query ($query, $dbc);
}
?>

//this is my html page

<form action="while_statement.php" method="post">
Name: <br />
<input type="text" id="name" size="60" name="name" /><br /><br />
Email: <br />
<input type="text" id="email name="email" />
<br /><br />
Phone:<br />
<input type="text" id="phone" name="phone" /><br /><br />
Web Site Address:<br />
<input type="text" id="websiteaddress" name="websiteaddress" />
<br /><br /><input type="submit" value="submit" name="submit"/>
</form>

Amy Ra Ra Ra

8:05 pm on Jul 13, 2012 (gmt 0)

10+ Year Member

Ok so no one wants to reply and why is that, is that because people here are not experienced enough, I assume that's the case? I'm new here and so it sure would be nice if someone would reply to my plea and help me using layman terms.

Amy Ra Ra Ra

8:07 pm on Jul 13, 2012 (gmt 0)

10+ Year Member

rocknbill is there another way I can write this code because what you wrote did not work for me:

$query = "INSERT INTO free_estimate_c
(`email`, `name`, `phone`, `website_address`)
VALUES (" .
'" . mysqli_real_escape_string ($email) . "',
'" . mysqli_real_escape_string ($persons_name) . "',
'" . mysqli_real_escape_string ($phone) . "',
'" . mysqli_real_escape_string ($website_address) .
"')";

johnhh

10:30 pm on Jul 14, 2012 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

People here give their time for free, and come from many countries using different local keyboards.

$query = "INSERT INTO free_estimate_c (email,name,phone,website_address)
VALUES ('".mysqli_real_escape_string ($email)."','".mysqli_real_escape_string($persons_name)."','".mysqli_real_escape_string($phone)."','".mysqli_real_escape_string($website_address)."')";

all on one line.

assuming email,name,phone,website_address are your field names and they are all strings. Every string value must start with a ' and end with a ' separated by a , . The number of values must also equal the number of fields declared.

A quick look at [w3schools.com...] may help you.

Amy Ra Ra Ra

2:00 am on Jul 17, 2012 (gmt 0)

10+ Year Member

johnhh it still didn't work. This is the way it was looking when I uploaded it:

//html part
<form method="post" action="free_estimate_c.php">
<label for="name"> Name</label>
<br />
<input type="text" id="name" size="35" name="name" />
<br />
<br />
<label for="email">E-mail </label>
<br />
<input type="text" id="email" size="35" name="email" />
<br />
<br />
<label for="phone">Phone</label>
<br />
<input type="text" id="phone" size="35" name="phone" />
<br />
<br />
<label for="websiteaddress">Web Site Address (if applicable)</label>
<br />
<input type="text" id="websiteaddress" size="60" name="websiteaddress" />
<br />
<br />
<input type="submit" value="Submit Form" name="submit" />
</form>

// php part

<?php

$name = $_POST ['name'];
$email = $_POST ['email'];
$phone_number = $_POST ['phone'];
$website_address = $_POST ['websiteaddress'];

$dbc = mysqli_connect('hostresource.com', 'username', 'pass!', 'dbname')
or die('Error connecting to MySQL server.');

$query = "INSERT INTO free_estimate_c (email,name,phone,website_address)
VALUES ('".mysqli_real_escape_string ($email)."','".mysqli_real_escape_string($name)."','".mysqli_real_escape_string($phone_number)."','".mysqli_real_escape_string($website_address)."')";

$result = mysqli_query($dbc, $query)
or die('Error querying database.');

if ($result)
{
echo "Your request for an estimate has been received. We will look over your information and get in touch with you shortly. Thank you.";
}
?>

johnhh

9:39 pm on Jul 18, 2012 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

And the error message is ? View your Apache error logs to find out.

Then you do basic debug.

give $name and other variables a value

$name="test@example.com";

or echo the values to make sure there are values

echo "name=".$name;

Remove the mysqli_real_escape_string function calls and see what happens.

The php code looks OK to me, although I would give the form a name and id

<form method="post" name="inputform" id="inputform" action="free_estimate_c.php">