0

As soon as you enter the web page it enters into the SQL table, even if you do not submit, immediately after you enter the web page it sends a blank to the SQL table, here is the codes both the HTML form and the PHP form.

<form name="" method="POST" action="">
<input class="" type="text" name="a1" id="a1" class="placeholder" placeholder="Enter the FRATERNITY Name">
<input class="" type="text" name="a2" id="a2" class="placeholder" placeholder="Enter YOUR Name">
<style>

<?php

$host="";
$username="";
$password="";
$database_name="";
$table_name="";

mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$database_name")or die("cannot select DB");

$a1=$_POST['a1'];
$a2=$_POST['a2'];

$sql="INSERT INTO $table_name(groupname, founder)VALUES('$a1', '$a2')";
$result=mysql_query($sql);

if($result){
echo "Group $a1 Has Been Created";

}

else {
echo "ERROR";
}
?> 

<?php 
// close connection 
mysql_close();
?>
Improve this question
1
  • You have a SQL injection vulnerability here. Commented Jun 7, 2015 at 12:11

1 Answer 1

Reset to default
2

You need to check it if it's a post request, and then only execute your code. See below:

if($_SERVER['REQUEST_METHOD'] == "POST"){
    $host="";
    $username="";
    $password="";
    $database_name="";
    $table_name="";

    mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
    mysql_select_db("$database_name")or die("cannot select DB");

    $a1=mysql_real_escape_string($_POST['a1']);
    $a2=mysql_real_escape_string($_POST['a2']);

    $sql="INSERT INTO $table_name(groupname, founder)VALUES('$a1', '$a2')";
    $result=mysql_query($sql);

    if($result){
    echo "Group $a1 Has Been Created";

    }

    else {
    echo "ERROR";
    }
    ?> 

    <?php 
    // close connection 
    mysql_close();
}

Note that your code as it stands is vulnerable to a SQL injection attack. I've untainted the two input strings to protect against this.

Improve this answer
Sign up to request clarification or add additional context in comments.

10 Comments

Thanks for the explanation! Makes a lot of sense, I really do appreciate your answer!
Welcome, and note: mysql_* functions are depreciated and will be removed in future, so use PDO instead
i understand exactly what you pointed out to me and added, yet it is still only refreshing when submitted nothing happens. ALTHOUGH, it is not sending blanks into the database any longer.
after if you refresh, browser will prompt you that you are again sending the post request, to prevent this, you can redirect to the same page, at the end like header('location:thesamepage.php');
@halfer Mine was just example, how to get it done, however Agree to you, that it should be in practice :), updated answer respectively!
|

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.