
I have a big form

This form is processed by a PHP file, which is called with the data from a jQuery serialize function:

foreach($_GET['claimant'] as $k=>$v) {
    $insClaim = "INSERT INTO `cR_Claimants` (`memberID`, `ParentSubmission`, `Name`, `DOB`, `Company`, `Email`, `MainPhone`, `OtherPhone`, `MobilePhone`, `OwnershipPercentage`, `Address`, `ZIPcode`, `Country`) VALUES ('".$memberID."', '".$refNumb."', '".mysql_real_escape_string($v['name'])."', '".$v['DOB']."', '".mysql_real_escape_string($v['company'])."', '".$v['email']."', '".$v['mainPhone']."', '".$v['alternatePhone']."', '".$v['mobilePhone']."', '".mysql_real_escape_string($v['percentage'])."', '".mysql_real_escape_string($v['address'])."', '".$v['ZIP']."', '".$v['country']."')";
    $resultinsClaim=mysql_query($insClaim) or die("Error insert Claimants: ".mysql_error());
}

The problem is that $_GET['claimant'] can be empty in certain cases, meaning that the corresponding field has not been entered at all.

When this happens, the INSERT obviously should not run for that specific empty $_GET['claimant'].

I tried the following two solutions, but they do not work: the INSERT runs anyway, putting empty strings into my DB.

Please help.

foreach($_GET['claimant'] as $k=>$v) {
    if($_GET['claimant'] != "") {
        $insClaim = "INSERT INTO `cR_Claimants` (`memberID`, `ParentSubmission`, `Name`, `DOB`, `Company`, `Email`, `MainPhone`, `OtherPhone`, `MobilePhone`, `OwnershipPercentage`, `Address`, `ZIPcode`, `Country`) VALUES ('".$memberID."', '".$refNumb."', '".mysql_real_escape_string($v['name'])."', '".$v['DOB']."', '".mysql_real_escape_string($v['company'])."', '".$v['email']."', '".$v['mainPhone']."', '".$v['alternatePhone']."', '".$v['mobilePhone']."', '".mysql_real_escape_string($v['percentage'])."', '".mysql_real_escape_string($v['address'])."', '".$v['ZIP']."', '".$v['country']."')";
        $resultinsClaim=mysql_query($insClaim) or die("Error insert Claimants: ".mysql_error());
    }
}

AND

foreach($_GET['claimant'] as $k=>$v) {
    if(!empty($_GET['claimant'])) {
        $insClaim = "INSERT INTO `cR_Claimants` (`memberID`, `ParentSubmission`, `Name`, `DOB`, `Company`, `Email`, `MainPhone`, `OtherPhone`, `MobilePhone`, `OwnershipPercentage`, `Address`, `ZIPcode`, `Country`) VALUES ('".$memberID."', '".$refNumb."', '".mysql_real_escape_string($v['name'])."', '".$v['DOB']."', '".mysql_real_escape_string($v['company'])."', '".$v['email']."', '".$v['mainPhone']."', '".$v['alternatePhone']."', '".$v['mobilePhone']."', '".mysql_real_escape_string($v['percentage'])."', '".mysql_real_escape_string($v['address'])."', '".$v['ZIP']."', '".$v['country']."')";
        $resultinsClaim=mysql_query($insClaim) or die("Error insert Claimants: ".mysql_error());
    }
}

  • You need to validate your data before adding it to your query. This is very bad practice. Commented Jun 4, 2011 at 20:20
  • Also, is $_GET['claimant'] an array of data? Commented Jun 4, 2011 at 20:21
  • Can you do a print_r on $_GET['claimant'] and post the results? Commented Jun 4, 2011 at 20:22
  • Of course all the answers below are wild guesses, because nobody knows the content of your GET variable. Do a print_r($_GET) and add the result to your question; then you will get some real help. Commented Jun 4, 2011 at 20:36

3 Answers

If $_GET['claimant'] is an array, you should ask for its length:

if (count($_GET['claimant']) > 0) { ... }

The check should be:

if(!empty($v)) {
    // Stuff here
}

This is assuming that the GET variable actually contains an array of arrays.

Most likely you don't need the foreach.

This code is also vulnerable to SQL injection; all parameters need to be escaped before being entered into an SQL query.

Try this instead:

$vals = $_GET['claimant'];
if(!empty($vals)) {
    // every value is escaped, and the query string built here is the one that is executed
    $query = "INSERT INTO `cR_Claimants` (`memberID`, `ParentSubmission`, `Name`, `DOB`, `Company`, `Email`, `MainPhone`, `OtherPhone`, `MobilePhone`, `OwnershipPercentage`, `Address`, `ZIPcode`, `Country`) VALUES ('".$memberID."', '".$refNumb."', '".mysql_real_escape_string($vals['name'])."', '".mysql_real_escape_string($vals['DOB'])."', '".mysql_real_escape_string($vals['company'])."', '".mysql_real_escape_string($vals['email'])."', '".mysql_real_escape_string($vals['mainPhone'])."', '".mysql_real_escape_string($vals['alternatePhone'])."', '".mysql_real_escape_string($vals['mobilePhone'])."', '".mysql_real_escape_string($vals['percentage'])."', '".mysql_real_escape_string($vals['address'])."', '".mysql_real_escape_string($vals['ZIP'])."', '".mysql_real_escape_string($vals['country'])."')";
    $resultinsClaim=mysql_query($query) or die("Error insert Claimants: ".mysql_error());
}

2 Comments

None of the above are working. $_GET['claimant'] is an array of values. My users have some inputs, and some of those inputs are the same. Let's say they can write details for 1 or more Claimants. Each claimant has other fields, as you see in the insertion. But the users can even enter the details of only 1 Claimant; this is when all the other empty fields should be checked and not considered in the loop.
Is $_GET['claimant'] an array of values or an array of arrays of values? You most likely need to perform any validation before the creation of the query.
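The two problems raised on this page (the asker's loop inserting claimants that were left blank, and the answers' point that values are concatenated into the SQL text) come down to the same structural fix: check each element $v, not the whole $_GET['claimant'] array, and hand the values to the database as bound parameters rather than as quoted string fragments. The following is an added example written for this page; it is not the asker's code nor any answerer's. It keeps the table and column names from the question, but the in-memory SQLite connection, the PDO API in place of the mysql_* extension, the $memberID and $refNumb values, and the sample $_GET payload are all assumptions made so that the script runs on its own.

```php
<?php
// Added example (not from the question or any answer). Processes a form
// serialized by jQuery with field names like claimant[0][name], skips claimant
// entries whose fields are all blank, and inserts the rest with a prepared
// statement. Assumptions: PDO over an in-memory SQLite database (the question
// uses MySQL; the statement is the same with a mysql: DSN), and constructed
// input standing in for the real $_GET.

const CLAIMANT_FIELDS = [
    'name', 'DOB', 'company', 'email', 'mainPhone', 'alternatePhone',
    'mobilePhone', 'percentage', 'address', 'ZIP', 'country',
];

// True when every field of one claimant entry is missing or whitespace-only.
function claimantIsEmpty(array $claimant): bool {
    foreach (CLAIMANT_FIELDS as $field) {
        if (isset($claimant[$field]) && trim((string) $claimant[$field]) !== '') {
            return false;
        }
    }
    return true;
}

// Keep only claimant entries that carry at least one value. The check is on
// each element, not on $_GET['claimant'] itself, which is never empty inside
// the loop. Non-array elements (a bare claimant=foo) are dropped as malformed.
function nonEmptyClaimants($raw): array {
    if (!is_array($raw)) {
        return [];
    }
    $kept = [];
    foreach ($raw as $claimant) {
        if (is_array($claimant) && !claimantIsEmpty($claimant)) {
            $kept[] = $claimant;
        }
    }
    return $kept;
}

// Insert each claimant with bound parameters. The values never become part of
// the SQL text, so a quote in a name or company cannot alter the statement.
function insertClaimants(PDO $db, string $memberID, string $refNumb, array $claimants): int {
    $stmt = $db->prepare(
        'INSERT INTO `cR_Claimants` (`memberID`, `ParentSubmission`, `Name`, `DOB`, `Company`,
            `Email`, `MainPhone`, `OtherPhone`, `MobilePhone`, `OwnershipPercentage`,
            `Address`, `ZIPcode`, `Country`)
         VALUES (:memberID, :refNumb, :name, :DOB, :company, :email, :mainPhone,
            :alternatePhone, :mobilePhone, :percentage, :address, :ZIP, :country)'
    );
    $count = 0;
    foreach ($claimants as $c) {
        $params = [':memberID' => $memberID, ':refNumb' => $refNumb];
        foreach (CLAIMANT_FIELDS as $field) {
            $params[':' . $field] = isset($c[$field]) ? trim((string) $c[$field]) : '';
        }
        $stmt->execute($params);
        $count++;
    }
    return $count;
}

// Stand-alone run (assumed in-memory SQLite so the example works offline).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE `cR_Claimants` (`memberID` TEXT, `ParentSubmission` TEXT,
    `Name` TEXT, `DOB` TEXT, `Company` TEXT, `Email` TEXT, `MainPhone` TEXT,
    `OtherPhone` TEXT, `MobilePhone` TEXT, `OwnershipPercentage` TEXT,
    `Address` TEXT, `ZIPcode` TEXT, `Country` TEXT)');

// Constructed sample input: what PHP builds in $_GET from a query string such as
// claimant[0][name]=Alice&claimant[1][name]=&claimant[2][name]=O%27Brien&...
$_GET['claimant'] = [
    ['name' => 'Alice', 'DOB' => '1980-01-01', 'company' => 'Acme', 'email' => 'a@example.com'],
    ['name' => '', 'DOB' => '', 'company' => '', 'email' => ''],               // left blank by the user
    ['name' => "O'Brien", 'company' => "Bob's Bait', ''); DROP TABLE x; --"], // quotes stay plain data
];

$inserted = insertClaimants($db, 'member-123', 'ref-456', nonEmptyClaimants($_GET['claimant']));
echo "inserted $inserted claimant(s)\n";   // the blank second claimant is skipped
foreach ($db->query('SELECT `Name`, `Company` FROM `cR_Claimants`') as $row) {
    echo $row['Name'], ' / ', $row['Company'], "\n";
}
```

Two points are worth keeping in mind when adapting this to the original MySQL setup. First, "empty" has to be decided per claimant and per field: a row with only one field filled in still gets inserted, so if certain fields are mandatory (a name, say) that rule belongs in claimantIsEmpty or in a separate validation step before the insert, as the comments above suggest. Second, escaping with mysql_real_escape_string only protects string literals that are correctly quoted and in the connection's character set; a bound parameter does not depend on either, and the mysql_* functions themselves are gone from current PHP, so PDO or mysqli prepared statements are the practical replacement.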

Not sure why you're using a foreach() loop here... $_GET['claimant'] is probably not an array of values unless you have multiple fields on your form called claimant[].

Just do this:

$claimant = $_GET['claimant'];
if( $claimant != ""){
    $insClaim = "YOUR REALLY LONG QUERY";
    // etc.
}

ALSO: please, please, please use mysql_real_escape_string() on all incoming request parameters.
