Form is submitting empty values to database

Question

After being advised that i MUST validate my form so that no-one could hack my database i then made some changes which were adding the mysql_real_string()

$query="INSERT INTO allymccoist (id, firstname, lastname, email, date) 
VALUES (NULL, '".$firstname."', '".$lastname."', '".$email."',   '".mysql_real_escape_string($new_date)."')";

---

$firstname = mysql_real_escape_string($_POST['firstname']);
$lastname = mysql_real_escape_string($_POST['lastname']);
$email = mysql_real_escape_string($_POST['email']);
$datepicker = mysql_real_escape_string($_POST['date']);

since doing this, nothing is being sent to firstname lastname or email although the date seems to be sending ok though

is thereanything that may be causing this that you can see from my code?

Answer 1

If you're sure that those data actually are set (var_dump your $_POST array to check that),then make sure you have a connection active before using mysql_real_escape_string() , as it would return FALSE otherwise:

A MySQL connection is required before using mysql_real_escape_string() otherwise an error of level E_WARNING is generated, and FALSE is returned. If link_identifier isn't defined, the last MySQL connection is used.

So you can well be entering FALSE in every value.

$link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password')or die(mysql_error());
mysql_select_db('database_name', $link) or die('cannot select database '.mysql_error());

$firstname = mysql_real_escape_string($_POST['firstname']);
$lastname = mysql_real_escape_string($_POST['lastname']);
$email = mysql_real_escape_string($_POST['email']);
$datepicker = mysql_real_escape_string($_POST['date']);

You'd be better off altogether by using prepared statements , so you won't have to worry about SQL injections.

Also, I'd advice you against using NULL in your insert query for the field ID. If you're table is strcutred as I can guess, and ID is a primary key with AutoIncrement, you don't need to enter it in your query, as it would be automatically filled by the engine.

For wheter it is better to use prepared statements or mysql_real_escape_string(), check this resource mysql_real_escape_string vs prepared statements

Answer 2

The issue of missing data is likely as Damien suggests. Establish a connection, then use mysql_real_escape_string(). The connection is required in part so that mysql_real_escape_string() can take into account the current character set of the connection.

Also, mysql_real_escape_string() is perfectly safe when used in combination with the sprintf() function ( full details on sprintf ). Most important with sprintf() is setting the correct type specifier so that values get cast properly. Generally, for integers you will use %d. For floats use %f. And for string and date values use %s.

So for your program the code should look something like (note: as Damien suggests, leave id out of the query):

   /* Read form data. */
   $firstName = $_POST['firstname'];
   $lastName = $_POST['lastname'];
   $email = $_POST['email'];
   $date = $_POST['date']);

   /* Your form validation code here. */ 

   /* Your db connection code here. */

   /* Setup and run your query. */
   $query = sprintf("INSERT INTO allymccoist (firstname, lastname, email, date) 
            VALUES ('%s', '%s', '%s',   '%s')", 
            mysql_real_escape_string($firstName), 
            mysql_real_escape_string($lastName), 
            mysql_real_escape_string($email), 
            mysql_real_escape_string($date));

    $result = mysql_query($query);

    /* Check for errors with query execution. */
    if (!$result) echo("Query Error! Process aborted.");

Answer 3

for you original query ...

mysql_real_escape_string($new_date)

$datepicker = mysql_real_escape_string($_POST['date']);

$new_date = $datepicker //  !? :)

and for your injection question:

Does mysql_real_escape_string() FULLY protect against SQL injection?