[RESOLVED] Prevent Insert Data!

rioman

Help Someone!
I am brand new to php and have followed a tutorial for a form that was intended to send form data via e-mail. I have changed this code to use as a form to Insert Data into a MySql database. The form validation and error messages work great, but I cannot prevent the data from being sent to the database if it encounters the $missing array. Help would be GREATLY appreciated!

(I removed some of the form fields because my code was beyond the 1000 char limit)

Here is my code:

<?php
if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") 
{
  $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;

  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;    

    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}
}

$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
  $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}

//list expected fields
$expected = array('AcctNum', 'AcctName', 'CustFName', 'CustLName', 'CustTitle', 'SalesTerr', 'CustAddress_1', 'CustAddress_2', 'CustCity', 'CustState', 'CustZip', 'CustPhone', 'CustWebsite', 'CustEmail', 'CustNotes');
//set required fields
$required = array('AcctNum', 'AcctName', 'CustFName', 'CustLName', 'CustTitle', 'SalesTerr', 'CustAddress_1', 'CustCity', 'CustState', 'CustZip', 'CustPhone', 'CustEmail', 'CustNotes');
//create empty array for any missing fields
$missing = array();

 // process the $_POST variables
    foreach ($_POST as $key => $value) {
      // assign to temporary variable and strip whitespace if not an array
      $temp = is_array($value) ? $value : trim($value);
      // if empty and required, add to $missing array
      if (empty($temp) && in_array($key, $required)) {
        array_push($missing, $key);
        }
      // otherwise, assign to a variable of the same name as $key
      elseif (in_array($key, $expected)) {
        ${$key} = $temp;
        }
      }  

if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
  $insertSQL = sprintf("INSERT INTO customers (CustomerID, CustomerAccountName, CustomerFirstName, CustomerLastName, CustomerTitle, SalesTerr, CustomerAddress1, CustomerAddress2, CustomerCity, CustomerState, CustomerZip, CustomerPhone, CustomerWebsite, CustomerEmail, CustomerNotes) VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s)",
                       GetSQLValueString($_POST['AcctNum'], "int"),
                       GetSQLValueString($_POST['AcctName'], "text"),
                       GetSQLValueString($_POST['CustFName'], "text"),
                       GetSQLValueString($_POST['CustLName'], "text"),
                       GetSQLValueString($_POST['CustTitle'], "text"),
                       GetSQLValueString($_POST['SalesTerr'], "text"),
                       GetSQLValueString($_POST['CustAddress_1'], "text"),
                       GetSQLValueString($_POST['CustAddress_2'], "text"),
                       GetSQLValueString($_POST['CustCity'], "text"),
                       GetSQLValueString($_POST['CustState'], "text"),
                       GetSQLValueString($_POST['CustZip'], "text"),
                       GetSQLValueString($_POST['CustPhone'], "text"),
                       GetSQLValueString($_POST['CustWebsite'], "text"),
                       GetSQLValueString($_POST['CustEmail'], "text"),
                       GetSQLValueString($_POST['CustNotes'], "text"));

  mysql_select_db($database_conn_db248088246, $conn_db248088246);
  $Result1 = mysql_query($insertSQL, $conn_db248088246) or die(mysql_error());
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Customer Information</title>
<style type="text/css">
<!--
-->
</style>
<style type="text/css">
<!--
.style1 {font-family: Verdana, Arial, Helvetica, sans-serif}
.style2 {font-family: Verdana, Arial, Helvetica, sans-serif; font-weight: bold; }
.style3 {
	font-size: 9px;
	color: #FF0000;
}
-->
</style>
</head>

<body>
<table width="632" height="498" border="0">
  <tr>
    <td width="563" height="36"><div align="center" class="style2">Add Customer Account</div></td>
    <td width="59">&nbsp;</td>
  </tr>
  <tr>
    <td height="456"><form action="<?php echo $editFormAction; ?>" method="POST" name="form1" id="form1">
      <table width="532" align="center">
        <tr valign="baseline">
          <td width="524" class="style1"><label>
            <div align="right">Sales Territory<span class="style3">
              <?php
        if (isset($missing) && in_array('SalesTerr', $missing)) { ?>
                (Please enter territory id)
                <?php } ?>
            </span>
              <input name="SalesTerr" type="text" id="SalesTerr" size="32" 
              <?php if (isset($missing)) {
		  echo 'value="'.htmlentities($_POST['SalesTerr']).'"';
		  } ?>
          />
            </div>
            </label></td>
        </tr>
        <tr valign="baseline">
          <td class="style1"><label>
            <div align="right">Account Number
              <input name="AcctNum" type="text" id="AcctNum" size="32" />
            </div>
            </label></td>
        </tr>
        <tr valign="baseline">
          <td class="style1"><label>
            <div align="right">Account Name<span class="style3">
              <?php
        if (isset($missing) && in_array('AcctName', $missing)) { ?>
                (Please enter Account Name)
                <?php } ?>
            </span>
              <input name="AcctName" type="text" id="AcctName" size="32" 
                            <?php if (isset($missing)) {
		  echo 'value="'.htmlentities($_POST['AcctName']).'"';
		  } ?>
          />
            </div>
            </label></td>
        </tr>
        <tr valign="baseline">
          <td class="style1"><label>
            <div align="right">Customer First Name
              <input name="CustFName" type="text" id="CustFName" size="32" />
            </div>
            </label></td>
        </tr>
        <tr valign="baseline">
          <td class="style1"><label>
            <div align="right">Customer Last Name
              <input name="CustLName" type="text" id="CustLName" size="32" />
            </div>
            </label></td>
        </tr>
        <tr valign="baseline">
          <td class="style1"><label>
            <div align="right">Customer Title
              <input name="CustTitle" type="text" id="CustTitle" size="32" />
            </div>
            </label></td>
        </tr>
        <tr valign="baseline">
          <td class="style1"><label>
            <div align="right">Customer Address 1
              <input name="CustAddress_1" type="text" id="CustAddress_1" size="32" />
            </div>
            </label></td>
        </tr>
        <tr valign="baseline">
          <td class="style1"><label>
            <div align="right">Customer Address 2
              <input name="CustAddress_2" type="text" id="CustAddress_2" size="32" />
            </div>
            </label></td>
        </tr>
        <tr valign="baseline">
          <td class="style1"><label>
            <div align="right">Customer City
              <input name="CustCity" type="text" id="CustCity" size="32" />
            </div>
            </label></td>
        </tr>
        <tr valign="baseline">
          <td class="style1"><label>
            <div align="right">Customer State
              <input name="CustState" type="text" id="CustState" size="32" />
            </div>
            </label></td>
        </tr>
        <tr valign="baseline">
          <td class="style1"><label>
            <div align="right">Customer Zip
              <input name="CustZip" type="text" id="CustZip" size="32" />
            </div>
            </label></td>
        </tr>
        <tr valign="baseline">
          <td class="style1"><div align="right">
            <input name="submit" type="submit" id="submit" value="SUBMIT" />
          </div></td>
        </tr>
      </table>

  <input type="hidden" name="MM_insert" value="form1" />
</form></td>
<td>&nbsp;</td>
  </tr>
</table>
<p>&nbsp;</p>
</body>
</html>

HalfaBee

Change this line by adding the extra test.

if ( count($missing)>0 && (isset($POST["MM_insert"])) && ($POST["MM_insert"] == "form1")) {

rioman

HalfaBee,
Thank you for your response, I changed the code as per your suggestion, the form still inserts the data into the database after encountering the missing field.😕

bradgrafelman

I believe HalfaBee mixed up the logic; it should be count($missing) == 0 instead (think about it; you only want that if() statement to execute if there aren't any items in the $missing array).

rioman

bradgrafelman, Thank you that did the trick!

bradgrafelman

No problem. Don't forget to mark this thread resolved.