PHP form submission not adding to database


#1

For some reason, when I click submit on my form, the information isn’t added to the DB.

(Yes, I have removed the username, password and DB information.)

Any help would be appreciated.


#2

What output, if any, are you getting?

Edit: you have a typo/logic mistake in the big long line of !empty(…) conditional tests, which is an issue of this style of bespoke programming. You have far too much code, variables, and queries, causing a ‘cannot see the forest for the trees’ problem.

When you have more than about 2-3 form fields, that will all be operated on in the same/similar way, you should dynamically process them, by defining an array of the expected form fields, then loop over this defining array and use simple php logic to validate and process the data as a set, without writing out variables and logic for each possible form field. In its simple use, you would just use this to validate ‘required’ data. You can expand the defining array to let you dynamically build the sql query statement as well, but that is a more advanced subject.

Next, your form processing code should -

  1. Detect that a post method form was submitted.
  2. Get a trimmed copy of the $_POST data. This can be done with a single statement.
  3. Validate the input data, using an array to hold each detected validation error for each input.
  4. If there are no validation errors, use the submitted form data.

You should NOT try to select data first to determine if it already exists. There’s a race condition with multiple concurrent submissions (someone hitting the submit button twice) all getting the same starting value and trying to insert the same data. You should define the email column in the database table as unique index, just attempt to insert the data, then detect if a duplicate key error occurred.

You should also not unconditionally echo database connection errors onto a web page, as this gives hackers useful information when they intentionally trigger errors (too many connections).

To accomplish the above two items, use exceptions for errors, and in most cases let php catch the exception, where it will use its error_reporting, display_errors and log_errors settings to control what happens with the actual error information. This will directly address the second item. For the first item, you would have a try/catch block in your code, detect if the error number is for a duplicate key/index value, set up the ‘email address is already in use’ message if it is, or re-throw the exception and let php handle it if it is not.

Lastly, the php mysqli extension is overly complicated and inconsistent, especially when dealing with prepared queries. If you can, switch to the much simpler php PDO extension.

Doing all of the above will simplify the code and improve the user experience (UX).

If I/someone has time, they will post an example showing these practices.

Edit2: in looking at the code more closely, you have variables that are not being used, variables that are but don’t exist, and naming changes and mismatches. Your database table column names should indicate the meaning of the data and you should use those same names for the form fields.

Also, phone numbers are not integers. They are formatted strings that consist of numeric characters. Treating them as integers will lose things like leading zeros on area/international codes and can cause truncation if the integer size is not great enough to hold the values.
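The four processing steps, the field-definition array and the duplicate-key handling described in this post, put together in one handler. This is an added example and not code from either poster; the table name CT_expressedInterest is taken from the thread, while the columns name and phone, the redirect target, the credentials and the helper names are assumptions for illustration. It assumes the table has a unique index on email, e.g. ALTER TABLE CT_expressedInterest ADD UNIQUE (email).

```php
<?php
// Added example: POST handler that validates via a field-definition array and
// relies on a UNIQUE index on `email` plus MySQL's duplicate-key error (1062)
// instead of a SELECT-first check. Column names double as form field names.
declare(strict_types=1);

// Defining array: field name => label and whether it is required.
// `name` and `phone` are assumed column names; `email` is from the thread.
const FIELDS = [
    'name'  => ['label' => 'Name',          'required' => true],
    'email' => ['label' => 'Email address', 'required' => true],
    'phone' => ['label' => 'Phone number',  'required' => false],
];

// Step 3: loop over the defining array and collect one message per failure.
function validate(array $post): array
{
    $errors = [];
    foreach (FIELDS as $field => $def) {
        if ($def['required'] && ($post[$field] ?? '') === '') {
            $errors[$field] = $def['label'] . ' is required.';
        }
    }
    if (!isset($errors['email'])
        && filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Email address is not valid.';
    }
    // Phone numbers stay strings: only the character class is checked, so
    // leading zeros and a '+' prefix survive.
    if (($post['phone'] ?? '') !== ''
        && !preg_match('/^\+?[0-9 ()-]{6,20}$/', $post['phone'])) {
        $errors['phone'] = 'Phone number may only contain digits, spaces, +, -, ( and ).';
    }
    return $errors;
}

// Returns true on insert, false when the email already exists (MySQL error
// 1062). Any other PDOException is re-thrown so PHP's error settings decide
// whether it is displayed or logged, and nothing is echoed to the visitor.
function insertInterest(PDO $pdo, array $post): bool
{
    $sql = 'INSERT INTO CT_expressedInterest (name, email, phone) VALUES (?, ?, ?)';
    try {
        $pdo->prepare($sql)->execute([$post['name'], $post['email'], $post['phone'] ?? '']);
        return true;
    } catch (PDOException $e) {
        if (($e->errorInfo[1] ?? null) === 1062) {
            return false;
        }
        throw $e;
    }
}

// Step 1: only act on a POST submission.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Step 2: one statement produces a trimmed copy (scalars only).
    $post = array_map(fn($v) => is_string($v) ? trim($v) : '', $_POST);

    $errors = validate($post);

    // Step 4: touch the database only when validation passed.
    if (!$errors) {
        // Placeholder credentials; exceptions enabled so errors are not silent.
        $pdo = new PDO(
            'mysql:host=localhost;dbname=YOUR_DB;charset=utf8mb4',
            'YOUR_USER',
            'YOUR_PASSWORD',
            [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
        );
        if (insertInterest($pdo, $post)) {
            header('Location: /thanks.php'); // post/redirect/get, assumed landing page
            exit;
        }
        $errors['email'] = 'That email address is already in use.';
    }

    // Re-display the messages, escaped so user input cannot inject HTML.
    foreach ($errors as $msg) {
        echo '<p>' . htmlspecialchars($msg, ENT_QUOTES, 'UTF-8') . '</p>';
    }
}
```

Because the unique index is enforced by the database, two concurrent submissions of the same address cannot both succeed: one insert wins and the other receives error 1062, which is turned into the ‘already in use’ message. The error-code check uses $e->errorInfo[1], the driver-specific code PDO exposes on the exception.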


#3

A little snippet to illustrate what phdr has posted:

<?php
if ($_SERVER["REQUEST_METHOD"] == "POST") {

  //trimmed copy of the submitted data, in place
  array_walk($_POST, function (&$value) {
    $value = trim($value);
  });

  $errors = [];
  //form validation code: add a message to $errors for each failed check

  if (empty($errors)) {
    require "../outside/root/databaseFile.php";
    //handle form processing
    //redirect to processing completed landing page
    exit;
  } else {
    //handle errors and error display/redirect
    exit;
  }

} else {
  header("Location: /get/out/path");
  exit;
}

?>

databaseFile.php

<?php

//some programmers use constants instead of variables
$host = "localhost";
$username = "";
$password = "";
$database = "";
//or store creds in a .inc file to be required
//also add driver options here to simplify the matter
$driverOptions = array(
  PDO::ATTR_EMULATE_PREPARES => false,
  PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
  PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC
);

try {

  //no spaces inside the DSN: PDO does not strip them from the key names
  $conn = new PDO("mysql:host=$host;dbname=$database;charset=utf8mb4", $username, $password, $driverOptions);
  $query = 'SELECT email FROM CT_expressedInterest WHERE email = ? LIMIT 1';

  //$email is the trimmed value taken from $_POST in the requiring script
  $stmt = $conn->prepare($query);
  $stmt->execute([$email]);
  $result = $stmt->fetch(); //associative row, or false when there is no match

  //continue handling database

} catch (PDOException $e) {
  error_log($e->getMessage());
  //if not fatal, then code to continue.
}

?>