I have an HTML contact form in which the user is allowed to write whatever he wants in the message input field. The form is being posted using AJAX, and is being processed in the PHP below.
My problem is an empty row in the MySQL table.
I am wondering why $message = $_POST['message'];
returns the proper value, when $message = mysql_real_escape_string($_POST['message']);
returns an empty string!!
What am I missing here??
    // posted data
    $firstname = mysql_real_escape_string($_POST['firstname']);
    $lastname = mysql_real_escape_string($_POST['lastname']);
    $name = $firstname . ' ' . $lastname;
    $email = mysql_real_escape_string($_POST['email']);
    $phone = mysql_real_escape_string($_POST['phone']);
    $subject = mysql_real_escape_string($_POST['subject']);
    $hear = mysql_real_escape_string($_POST['hear']);
    $message = mysql_real_escape_string($_POST['message']);

    $db_server = mysql_connect($db_hostname, $db_username, $db_password);

    // check if duplicates
    $query_usercheck = " SELECT * FROM `test` WHERE name='$name' AND email='$email' AND phone='$phone' AND subject='$subject' AND message='$message' "; // matching fields
    $usercheck = mysql_query($query_usercheck) or die(mysql_error());
    $row_usercheck = mysql_fetch_assoc($usercheck);
    $totalrows_usercheck = mysql_num_rows($usercheck);

    if ( $totalrows_usercheck > 0 ) {
        $duplicate = 'yes';
    } else {
        $duplicate = 'no';
        // adding application data to mysql database
        $add = mysql_query("INSERT INTO `test` (`date`, `day`, `time`, `name`, `email`, `phone`, `subject`, `from`, `message`) VALUES ('$date','$day','$time','$name','$email','$phone','$subject','$hear','$message')");
    }

    // close mysql
    mysql_close();
The problem is that you connect to the database after mysql_real_escape_string. Please move connecting to the database before escaping the variables.
Even better, get rid of the deprecated mysql_* functions (they are gone in PHP 7)! Use mysqli or better: use PDO with prepared statements. mysql_real_escape_string is not safe.
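The PDO prepared-statement approach the answer recommends, as an added example (not code from the original post). It connects before touching any input and binds every value instead of escaping it. The function name `saveContact`, the in-memory SQLite DSN (used so the example runs without a MySQL server), the date formats and the sample input are assumptions.

```php
<?php
// Added example: the page's duplicate check and insert with PDO prepared statements.
// Assumption: an in-memory SQLite database stands in for MySQL so this runs offline;
// against MySQL only the DSN changes, e.g. "mysql:host=...;dbname=...;charset=utf8mb4".
function saveContact(PDO $db, array $in): string
{
    // Missing fields become '' rather than raising notices.
    $f = [];
    foreach (['firstname', 'lastname', 'email', 'phone', 'subject', 'hear', 'message'] as $k) {
        $f[$k] = isset($in[$k]) ? trim((string) $in[$k]) : '';
    }
    $name = $f['firstname'] . ' ' . $f['lastname'];

    // Duplicate check: values are bound as parameters, never concatenated into the SQL.
    $check = $db->prepare(
        'SELECT COUNT(*) FROM `test` WHERE `name` = ? AND `email` = ?
           AND `phone` = ? AND `subject` = ? AND `message` = ?'
    );
    $check->execute([$name, $f['email'], $f['phone'], $f['subject'], $f['message']]);
    if ((int) $check->fetchColumn() > 0) {
        return 'yes';
    }

    // Date, day and time formats are assumptions; the original post does not show them.
    $add = $db->prepare(
        'INSERT INTO `test` (`date`, `day`, `time`, `name`, `email`, `phone`, `subject`, `from`, `message`)
         VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)'
    );
    $add->execute([date('Y-m-d'), date('l'), date('H:i:s'), $name, $f['email'],
                   $f['phone'], $f['subject'], $f['hear'], $f['message']]);
    return 'no';
}

// Connect first, and make PDO throw on errors instead of failing silently.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE `test` (`date` TEXT, `day` TEXT, `time` TEXT, `name` TEXT,
           `email` TEXT, `phone` TEXT, `subject` TEXT, `from` TEXT, `message` TEXT)');

// Constructed sample input standing in for $_POST; the quotes are stored verbatim.
$post = ['firstname' => 'Ann', 'lastname' => "O'Neil", 'email' => 'ann@example.test',
         'phone' => '555-0100', 'subject' => 'Hi', 'hear' => 'friend',
         'message' => "It's a message with 'quoted' text"];

var_dump(saveContact($db, $post));   // first submission
var_dump(saveContact($db, $post));   // identical resubmission
echo $db->query('SELECT `message` FROM `test`')->fetchColumn(), PHP_EOL;
```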