PHP Form upload to MySQL Database

Question

PHP beginner working from a tutorial. I'm trying to do a simple upload from a PHP form to a MySQL database. The form uploads correctly, but every time the page refreshes, it repeats the previous upload, creating duplicate entries. You can see my working page here .

You can see that I'm trying to get the comment "Thank you! Product Added!" to spit out above the table upon submission, but I'll admit that I'm confused as to exactly what is happening when I hit "Submit"...right now it always shows the confirmation message! I've included the PHP code for the form below.

Thanks in advance!

Mike

<div id="form">

<h1 class="green">UPLOAD TO TABLE 'manufacturer'</h1>


<?php

$con = mysql_connect($host,$user,$pass);
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("thenally_productdump", $con);

$sql="INSERT INTO manufacturer (manu_name, manu_product_type, manu_product_description, manu_website)
VALUES
('$_POST[manufacturer]','$_POST[product]','$_POST[description]','$_POST[website]')";

if (!mysql_query($sql,$con))
  {
  die('Error: ' . mysql_error());
  }
echo "Thank you! Product Added!";

mysql_close($con);

?> 

<form action="" method="post">
<table>
    <tr>
    <td class="form-table-left"><b>Manufacturer: </b> </td>
    <td class="form-table-right"><input type="text" name="manufacturer" size=50></td>
    </tr>

    <tr>
    <td class="form-table-left"><b>Product Type:</b></td>
    <td class="form-table-right"><input type="text" name="product" size=50></td>
    </tr>

    <tr>
    <td class="form-table-left"><b>Product Description: </b></td>
    <td class="form-table-right"><textarea name="description" rows=5 cols=40></textarea></td>
    </tr>

    <tr>
    <td class="form-table-left"><b>Manufacturer Website: </b></td>
    <td class="form-table-right"><input type="text" name="website" value="http://" size=50></td>
    </tr>

    <tr>
    <td class="submit"><input type="submit" name="submit" value="Add Product !"></td>
    </tr>

    </table>
    </form>

</div>

Answer 1

You haven't checked if a POST has actually taken place. That means your form handling code is firing every time the page is loaded, even if no form has been submitted. Basic all-in-one form handling in PHP has the following structure:

<?php

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
  ... a post has taken place, process the form
}

... display the form/errors/etc....

And as stated in Brad's comment, you're WIDE OPEN to sql injection attacks. Before you do anything that places your code into a public-facing website, you'd better learn secure coding practices, or your site will go down in flames very quickly.

Answer 2

Mike - everything in the php block will execute whenever your page is loaded. So if you look at the echo line you'll notice that it always will execute and print out the success text. You need to do several things:

1. Test your input to see if the form has been submitted properly. This is where you'd test to make sure all your required fields have content. If they do not, then you would show the form again. If they are right, then you show the success message. You could simply test the input using strlen to see if the variables have been populated with something of length >0. Or you could use isset().

2. You really need to think about security right away. I know you're just learning with this tutorial example, but it is very easy for someone to do an injection attack on your database if you simply insert the values as you've done. You need to look at the man page for mysql_real_escape_string.

Answer 3

add this before the insert to the DB

if(isset($_POST['submit'])){
//then do the insert 
}

not saying about the security....