I'm trying to validate my form before inserting into database with this code, but I keeps printin 'You missed a value'. I would like your help to figure out the problem.
Thanks
<?php
$username = mysql_real_escape_string($_POST['username']);
$pword = mysql_real_escape_string($_POST['passwd']);
$fname = mysql_real_escape_string($_POST['firstname']);
$lname = mysql_real_escape_string($_POST['lastname']);
$email = mysql_real_escape_string($_POST['email']);
$telephone = mysql_real_escape_string($_POST['telephone']);
$ad1 = mysql_real_escape_string($_POST['ad1']);
$ad2 = mysql_real_escape_string($_POST['street']);
$ad3 = mysql_real_escape_string($_POST['town']);
$pcode = mysql_real_escape_string($_POST['pcode']);
if( $username == " " || $pword == " " || $fname == " " || $lname == " " || $email == " ")
echo 'You missed a value';
exit();
$con = mysql_connect("localhost","root","");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db("people", $con);
//$description = mysql_real_escape_string($_POST[description]);
$pword = md5($pword);
$sql="INSERT INTO members (username, pword, fname, lname, email, telephone, ad1, ad2, ad3, pcode)
VALUES
('$username','$pword','$fname', '$lname', '$email','$telephone','$ad1','$ad2','$ad3','$pcode')";
if (!mysql_query($sql,$con)){
die('Error: ' . mysql_error());
}
echo "1 record added";
mysql_close($con)
?>
You should validate off the raw POST values, not the mysql_real_escape_string ones. Also you are comparing to (space) not empty string and assigning them not comparing them.
if( $username == '' || $pword == '' || $fname == '' || $lname == '' || $email == '')
You are assigning an empty space to the variables by doing $var = "", instead of comparing with with the comparison operators $var == '', or stricter $var === ''.
This would be a little bit cleaner code to follow and maintain:
function sqlEscape($string){
return "'".mysql_real_escape_string($string)."'";
}
if( $_POST['username'] == ''
|| $_POST['passwd'] == ''
|| $_POST['firstname'] == ''
|| $_POST['lastname'] == ''
|| $_POST['email'] == '')
{
exit('You missed a value');
}
$con = mysql_connect('localhost', 'root', '');
if (!$con){
die('Could not connect: ' . mysql_error());
}
mysql_select_db('people', $con);
//$description = mysql_real_escape_string($_POST[description]);
$pword = md5($_POST['passwd']);
$sql = sprintf('INSERT INTO members (username, pword, fname, lname, email, telephone, ad1, ad2, ad3, pcode)
VALUES(%s, %s, %s, %s, %s, %s, %s, %s, %s, %s)',
sqlEscape($_POST['username']),
sqlEscape($pword),
sqlEscape($_POST['firstname']),
sqlEscape($_POST['lastname']),
sqlEscape($_POST['email']),
sqlEscape($_POST['telephone']),
sqlEscape($_POST['ad1']),
sqlEscape($_POST['street']),
sqlEscape($_POST['town']),
sqlEscape($_POST['pcode']));
if (!mysql_query($sql,$con)){
die('Error: ' . mysql_error());
}
echo '1 record added';
mysql_close($con)
I added in a function (sqlEscape) to run all the mysql_real_escape_string, just to make the escapes a piece of cake. Notice that I am calling this function after the MySQL connection has been established, because mysql_real_escape_string will NOT work without a connection.
check your if condition use == instant of =
wrong
if( $username = " " || $pword = " " || $fname = " " || $lname = " " || $email = " ")
Use == instead of = in your if's.
if( $username == " " || $pword == " " || $fname == " " || $lname == " " || $email == " ")
take out the spaces in this line and you need double equals
if( $username = " " || $pword = " " || $fname = " " || $lname = " " || $email = " ")
change to
if( $username == "" || $pword == "" || $fname == "" || $lname == "" || $email == "")
if( $username = " ") does not compare but assign, use if( $username == " ") instead – which still checks, whether the input is a single space-char, which maybe mostly isn't. To check if a variable has content or not use if(empty($username)).
Also its maybe better for you to use array_map on the $_POST-array to escape the values:
array_map(function($value) {
return mysql_real_escape_string($value);
}, $_POST);
(If you're prior to PHP 5.3, you need to use a separate function declaration instead of an anonymous callback.)
Yeap, the sign "=" is to set a variable, the comparaison sign is "==" or "===" in PHP.
btw, to minimize your code you can use "array_map" to apply "mysql_real_escape_string" function to your POST array :
$post = array_map("mysql_real_escape_string", $_POST);
= is assignment operator. It gives a value.
== is comparison operator. It compares the 2 things.
=== is also a comparison operator, but it compares whether the values and the variable types are the same. You need to remember that.
Also, you can also make your code clearer like this (it's just an example, don't copy paste it because it can be improved and it's not exactly safe):
foreach($_POST as $key => $value)
{
$columns[] = $key;
$value = mysql_real_escape_string($value);
$values[] = "'" . $value ."'";
if(empty($value))
{
$errors[] = 'POST with key '. $key .' was not filled in';
}
}
if(!isset($errors))
{
$query = "INSERT INTO (". implode(',', $columns .") VALUES (". implode(',', $values .")";
}
else
{
echo implode('<br />', $errors);
}
While learning how to program, if you find yourself copypasting certain code - you then know it's something you can code more intelligently.
if( $username == " " || $pword == " " || $fname == " " || $lname == " " || $email == " ")
{
echo 'You missed a value';
exit();
}
I think you should add this line after assigning your variables:
if($_SERVER['REQUEST_METHOD']== 'POST'){if( $username == " " || $pword == " " || $fname == " " || $lname == " " || $email == " ")
echo 'You missed a value';
exit();
}
//OTHER CODE
Related
I have a little Problem with my Update query to chnage the Profile Infos
Problem now:
My Update Query is not working completly, the E-Mail query work but the status query is not working.
PHP CODE
if(!empty($_POST)) {
$query = "UPDATE users SET";
if(!empty($_POST['email']) && filter_var($_POST['email'], FILTER_VALIDATE_EMAIL) && $_POST['email'] != $_SESSION['u']['email']) {
$s_mail = $_POST['email'];
$row = mysql_num_rows(mysql_query("SELECT email FROM users WHERE email='$s_mail'"));
if($row != 0) {
header("Location: ".$l['settings']."?msg=2");
die("REDIRECT");
}
$query .= " `email`='".$_POST['email']."'";
$_SESSION['u']['email'] = $_POST['email'];
} else if(!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) {
header("Location: ".$l['settings']."?msg=3");
die("REDIRECT");
}
//PROBLEM starts here
if(!empty($_POST['status'])) {
$query .= ",`status`='".$_POST['status']."'";
$_SESSION['u']['status'] = $_POST['status'];
}
//AND ends here
$query .= " WHERE id='".$_SESSION['u']['id']."'";
mysql_query($query);
header("Location: ".$l['settings']."?msg=1");
die("REDIRECT");
}
HTML FORM
<input maxlength="200" type="text" class="form-control" placeholder="Status" name="status" value="<?php //ECHO STATUS ?>" />
Maybe someone can help me.
On your $query you have
$query .= ",`status`='".$_POST['status']."'";
remove comma make it like this
$query .= " `status`='".$_POST['status']."'";
You need to set a flag for email condition as
$flag = FALSE;// set a flag
if (!empty($_POST)) {
if (!empty($_POST['email']) && filter_var($_POST['email'], FILTER_VALIDATE_EMAIL) && $_POST['email'] != $_SESSION['u']['email']) {
$s_mail = $_POST['email'];
$row = mysql_num_rows(mysql_query("SELECT email FROM users WHERE email='$s_mail'"));
if ($row != 0) {
header("Location: " . $l['settings'] . "?msg=2");
die("REDIRECT");
}
$flag = TRUE;// set to true if success
$_SESSION['u']['email'] = $_POST['email'];
} else if (!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) {
header("Location: " . $l['settings'] . "?msg=3");
die("REDIRECT");
}
//PROBLEM starts here
if (!empty($_POST['status'])) {
$query = "UPDATE users SET";
$query .= " `status`='" . $_POST['status'] . "'";
if ($flag) {// if true then apply email condition
$query .= ",`email`='" . $_POST['email'] . "'";
}
$query .= " WHERE id='" . $_SESSION['u']['id'] . "'";
$_SESSION['u']['status'] = $_POST['status'];
}
//AND ends here
mysql_query($query);
header("Location: " . $l['settings'] . "?msg=1");
die("REDIRECT");
}
Note:- mysql is deprecated instead use mysqli OR pdo
I have a php/html from where the user enters a number of values which are then updated into a database by using mysqli and a insert query, If the user does not enter anything into any of the text boxes I want a message to appear saying that the information is not there, I have tried using
if($ownerName == "" ){
echo("Missing Information!");
but it won't work.
Here is my php code
<?php
include "connect.php";
if($_POST["submit"])
{
$ownerName = $_POST['OwnerName'];
$location = $_POST['Location'];
$phoneNumber = $_POST['PhoneNumber'];
if($ownerName == "" || $location == "" || $phoneNumber == ""){
echo("Missing Information!");
/*if(is_numeric($phoneNumber) ){
settype($phoneNumber, "integer");
}*/
$query = "INSERT INTO OWNER VALUES ('$ownerName','$location', $phoneNumber)";
if (!mysqli_query($con,$query))
{
die('Error: ' . mysqli_error($con));
}
echo "<script type='text/javascript'>alert('1 record added')</script>";
mysqli_close($con);
}
?>
Here is my form
<html><head><title>Connect to Database</title></head><body>
<font size="4"> Enter owner details</font><br><br>
<form action="update.php" method="post" >
Owner Name:<input type="text" name="OwnerName">
Location: <input type="text" name="Location">
Phone Number:<input type="text" name="PhoneNumber">
<input type="submit" name = "submit" value="Submit Value">
</form></body></html>
try this:
if((!isset($ownerName)) || $ownerName == "" || (!isset($location)) || $location == "" || (!isset($phoneNumber)) || $phoneNumber == "")){
echo("Missing Information!");
/*if(is_numeric($phoneNumber) ){
settype($phoneNumber, "integer");
}*/
}
else{
$query = "INSERT INTO OWNER VALUES ('$ownerName','$location', $phoneNumber)";
if (!mysqli_query($con,$query))
{
die('Error: ' . mysqli_error($con));
}
echo "<script type='text/javascript'>alert('1 record added')</script>";
mysqli_close($con);
}
Try this
Change your condtion from
if($ownerName == "" || $location == "" || $phoneNumber == ""){
echo("Missing Information!");
$query = "INSERT INTO OWNER VALUES ('$ownerName','$location', $phoneNumber)";
if (!mysqli_query($con,$query))
{
die('Error: ' . mysqli_error($con));
}
echo "<script type='text/javascript'>alert('1 record added')</script>";
mysqli_close($con);
}
to
if($ownerName == "" || $location == "" || $phoneNumber == ""){
echo("Missing Information!");
} else {
$query = "INSERT INTO OWNER VALUES ('$ownerName','$location', $phoneNumber)";
if (!mysqli_query($con,$query))
{
die('Error: ' . mysqli_error($con));
}
echo "<script type='text/javascript'>alert('1 record added')</script>";
mysqli_close($con);
}
<?php
include "connect.php";
if(isset($_POST["submit"]))
{
$ownerName = isset($_POST['OwnerName']) ? $_POST['OwnerName']: '';
$location = isset($_POST['Location']) ? $_POST['Location']: '';
$phoneNumber = isset($_POST['PhoneNumber']) ? $_POST['PhoneNumber']: '';
//preventing sql injection
/*
$ownerName = mysqli_real_escape_string($con, $ownerName);
$$location = mysqli_real_escape_string($con, $ownerName);
$$phoneNumber = mysqli_real_escape_string($con, $ownerName);
*/
if(empty($ownerName) || empty($location) || empty($phoneNumber)){
echo("Missing Information!");
/*if(is_numeric($phoneNumber) ){
settype($phoneNumber, "integer");
}*/
}else{
$query = "INSERT INTO OWNER VALUES ('$ownerName','$location', $phoneNumber)";
if (!mysqli_query($con,$query))
{
die('Error: ' . mysqli_error($con));
}
echo "<script type='text/javascript'>alert('1 record added')</script>";
}
mysqli_close($con);
?>
Also try using var_dump($_POST) to see what is sent.
EDIT:
I've updated if/else statement so now it should work. Also, make sure you have your error reporting enabled:
<?php
// Turn off error reporting
error_reporting(0);
// Report runtime errors
error_reporting(E_ERROR | E_WARNING | E_PARSE);
// Report all errors
error_reporting(E_ALL);
// Same as error_reporting(E_ALL);
ini_set("error_reporting", E_ALL);
// Report all errors except E_NOTICE
error_reporting(E_ALL & ~E_NOTICE);
?>
Try this
<?php
include "connect.php";
if($_POST["submit"])
{
$ownerName = $_POST['OwnerName'];
$location = $_POST['Location'];
$phoneNumber = $_POST['PhoneNumber'];}
if(empty($ownerName) && empty($location) && empty($phoneNumber))
{
echo("Missing Information!");}
/*if(is_numeric($phoneNumber) ){
settype($phoneNumber, "integer");
}*/
else{
$query = "INSERT INTO OWNER VALUES ('$ownerName','$location', $phoneNumber)";
if (!mysqli_query($con,$query))
{
die('Error: ' . mysqli_error($con));
}
echo "<script type='text/javascript'>alert('1 record added')</script>";
mysqli_close($con);
}
?>
Try this:
<?php
include "connect.php";
if($_POST["submit"])
{
$ownerName = $_POST['OwnerName'];
$location = $_POST['Location'];
$phoneNumber = $_POST['PhoneNumber'];
if($ownerName == "" || $location == "" || $phoneNumber == ""){
echo("Missing Information!");
}
else{
$query = "INSERT INTO OWNER VALUES ('$ownerName','$location', $phoneNumber)";
if (!mysqli_query($con,$query))
{
die('Error: ' . mysqli_error($con));
}
echo "<script type='text/javascript'>alert('1 record added')</script>";
}
mysqli_close($con);
}
?>
**Please replace your code from below code**
<?php
include "connect.php";
if($_POST["submit"])
{
$ownerName = $_POST['OwnerName'];
$location = $_POST['Location'];
$phoneNumber = $_POST['PhoneNumber'];
if($ownerName == "" || $location == "" || $phoneNumber == ""){
echo("Missing Information!");
} else {
// please replace your column name (`owner_name`, `location`, `phone_number`)
$query = "INSERT INTO OWNER (`owner_name`, `location`, `phone`) VALUES ('" . $ownerName . "', '" . $location. "', " . $phoneNumber. ")";
if (!mysqli_query($con, $query))
{
die('Error: ' . mysqli_error($con));
}
echo "<script type='text/javascript'>alert('1 record added')</script>";
mysqli_close($con);
}
}
?>
Try to use empty() function or isset()
<html>
<?php
$firstName = isset ($_GET["firstName"]);
$lastName = isset ($_GET["lastName"]);
if(isset($_GET['firstName'])&& isset($_GET['lastName'])){
if (isset($_GET['firstName']) == "Kory" && isset($_GET['lastName']) == " ") {
echo "Hello Kory";
}
}
if(isset($_GET['firstName'])&& isset($_GET['lastName'])){
if (isset($_GET['firstName']) == " " && isset ($_GET['lastName']) == "Glover") {
echo "Hello";
}
}
if(isset($_GET['firstName'])&& isset($_GET['lastName'])){
if (isset($_GET['firstName']) == " " && isset($_GET['lastName']) == " ") {
echo "Hello";
}
}
?>
</html>
why not just this:
if(isset($_GET['firstName'])&& isset($_GET['lastName'])){
echo $_GET['firstName']." ".$_GET['lastName'];
}
the reason why this does not work is this:
if (isset($_GET['firstName']) == "Kory" && isset($_GET['lastName']) == " ")
if (true or false) == "Kory" will never be true
The function isset() checks if a variable is set (see the doc). Once you know that it is set, you just need to use $_GET. You only need to check whether the variables are set once, so you code can be minimized to this:
$firstName = $_GET["firstName"];
$lastName = $_GET["lastName"];
if (isset($_GET['firstName']) && isset($_GET['lastName'])) {
if ($firstName == "Kory" && $lastName == " ") {
echo "Hello Kory";
}
if ($firstName == " " && $lastName == "Glover") {
echo "Hello";
}
if ($firstName == " " && $lastName == " ") {
echo "Hello";
}
}
I've made this php code for filtering the results from a mysql database. It works very well, but I'm sure this is not the most efficient way (or proper use of the language) to achieve the desired results. I'm trying my best to get "good" at writing code and would appreciate some feedback on how I could do this better.
$filter = "";
if (isset($_POST['submit']))
{
$aircraft_reg = "";
$prefix = "";
$part_number = "";
$flight_control = "";
if(!empty($_POST['aircraft_reg']))
{
$aircraft_reg = "aircraft_reg = '" . $_POST['aircraft_reg'] . "'";
}
if(!empty($_POST['prefix']))
{
$prefix = "prefix = '" . $_POST['prefix'] . "'";
}
if(!empty($_POST['part_number']))
{
$part_number = "part_number = '" . $_POST['part_number'] . "'";
}
if(!empty($_POST['flight_control']))
{
$flight_control = "flight_control = '" . $_POST['flight_control'] . "'";
}
if ($aircraft_reg != "" && ($prefix != "" || $part_number != "" || $flight_control != ""))
{
$a = " AND ";
}
else
{
$a = "";
}
if ($prefix != "" && ($part_number != "" || $flight_control != ""))
{
$b = " AND ";
}
else
{
$b = "";
}
if ($part_number != "" && $flight_control != "")
{
$c = " AND ";
}
else
{
$c = "";
}
if ($aircraft_reg != "" || $prefix != "" || $part_number != "" || $flight_control != "")
{
$filter = "WHERE " . $aircraft_reg . $a . $prefix . $b . $part_number . $c . $flight_control;
}
}
$result = mysql_query("SELECT * FROM installed $filter ORDER BY aircraft_reg , part_number, date_installed ASC");
You only need follow this pattern:
$result = mysql_query("
SELECT *
FROM installed
WHERE
".($_POST['aircraft_reg']?"aircraft_reg=" .mysql_real_escape_string($_POST['aircraft_reg']):"1" )." AND
...
ORDER BY aircraft_reg , part_number, date_installed ASC");
another alternative:
foreach($_POST as $key => $val)
if($key!="submit" and $val)
$filters[] = "$key='".mysql_real_escape_string($val)."' ";
$result = mysql_query("
SELECT *
FROM installed
".(isset($filters)?"WHERE ".implode("AND ",$filters):"")."
ORDER BY aircraft_reg , part_number, date_installed ASC");
I suggest you using something well-established such as ActiveRecord:
http://www.phpactiverecord.org/
No need to re-invent the wheel (unless this is purely for learning, in which case, carry on!)
... in the case this is purely for learning, don't forget to escape any REQUEST data such as those $_POSTs that you're using, with something like mysql_real_escape_string
Quick:
Use array_key_exists to see if something is in $_POST
Do not put $_POST values directly in your SQL, escape them. More info when you Google for SQL injection attack
I would validate/sanitize your input first, and then create the query in one go:
if (array_key_exists("partnumber", $_POST) {
$part_number = validate_partnumber($_POST['partnumber']);
$part_number = escape_for_db($part_number);
}
$q = ".... WHERE part_number='$part_number' ....";
Other than that, it doesn't look too bad.
You can try this, as conditional operator has less time complexity than if()-else(). Moreover less use of variables will cause less memory allocation, hence it is faster and more optimized than the one you used.
Another thing, using mysql_real_escape_string() prevent sql injection.
$filter = "";
if (isset($_POST['submit']))
{
$condition_count = 0;
if(!empty($_POST['aircraft_reg']))
{
$filter = " WHERE aircraft_reg = '" . mysql_real_escape_string($_POST['aircraft_reg']) . "'";
$condition_count++;
}
if(!empty($_POST['prefix']))
{
$condition_count > 0?$filter .= " AND prefix = '" . mysql_real_escape_string($_POST['prefix']) . "'":$filter .= " WHERE prefix = '" . mysql_real_escape_string($_POST['prefix']) . "'";
$condition_count++;
}
if(!empty($_POST['part_number']))
{
$condition_count > 0?$filter .= " AND part_number = '" . mysql_real_escape_string($_POST['part_number']) . "'":$filter .= " WHERE part_number = '" . mysql_real_escape_string($_POST['part_number']) . "'";
$condition_count++;
}
if(!empty($_POST['flight_control']))
{
$condition_count > 0?$filter .= " AND flight_control = '" . mysql_real_escape_string($_POST['flight_control']) . "'":$filter .= " WHERE flight_control = '" . mysql_real_escape_string($_POST['flight_control']) . "'";
$condition_count++;
}
}
$result = mysql_query("SELECT * FROM installed ".$filter." ORDER BY aircraft_reg , part_number, date_installed ASC");
if (!isset($_POST['submit'])) exit;
$aircraft_reg = $_POST['aircraft_reg'];
$prefix = $_POST['prefix'];
$part_number = $_POST['part_number'];
$flight_control = $_POST['flight_control'];
$result = mysql_query("
SELECT *
FROM installed
where
aircraft_reg = if('$aircraft_reg' = '', aircraft_reg, '$aircraft_reg')
and
prefix = if('$prefix' = '', prefix, '$prefix')
and
part_number = if('$part_number' = '', part_number, '$part_number')
and
flight_control = if('$flight_control' = '', flight_control, '$flight_control')
ORDER BY aircraft_reg , part_number, date_installed
");
If this is for real then don't forget to sanitize the user input or you will be an easy sql injection victim.
I'm getting the following two errors when loading my page:
Notice: Undefined variable: realtor in C:\Program Files\EasyPHP-5.3.9\www\cglst\images\addform.php on line 255
and
Notice: Undefined variable: phone in C:\Program Files\EasyPHP-5.3.9\www\cglst\images\addform.php on line 256
I do define both those variables, though, so I don't understand why I'm getting these errors. Here is my code:
function addListing() {//if data was provided, insert it into database and confirm
//this will allow everything to be sanitized properly
require_once "sanitize.php";
$submitted = false;
//Checking if values were passed
if (isset($_POST['area']) &&
isset($_POST['price']) &&
isset($_POST['address']) &&
isset($_POST['bedrooms']) &&
isset($_POST['fullbath']) &&
isset($_POST['halfbath']) &&
isset($_POST['sqft']))
//if passed, sanitize and set variables accordingly
{
$area = sanitizeOne(get_post('area'), 'plain');
$price = sanitizeOne(get_post('price'), 'int');
$address = sanitizeOne(get_post('address'), 'plain');
$bedrooms = sanitizeOne(get_post('bedrooms'), 'int');
$fullbath = sanitizeOne(get_post('fullbath'), 'int');
$halfbath = sanitizeOne(get_post('halfbath'), 'int');
$sqft = sanitizeOne(get_post('sqft'), 'int');
$submitted = true;
}
//optional fields
if (isset($_POST['remarks']))
{
$remarks = sanitizeOne(get_post('remarks'), 'plain');
}
else
{$remarks = ' ';}
if (isset($_POST['realtor']))
{
$remarks = sanitizeOne(get_post('realtor'), 'plain');
}
else
{$realtor = "Anne-Marie Pelletier";}
if (isset($_POST['phone']))
{
$remarks = sanitizeOne(get_post('phone'), 'plain');
}
else
{$phone = "201.710.5500";}
if ($submitted) {
$query = 'PREPARE statement FROM "INSERT INTO bix(area, price, address, bedrooms,
fullbath, halfbath, sqft, remarks, realtor, phone) VALUES(?,?,?,?,?,?,?,?,?,?)"';
mysql_query($query);
$query = 'SET
#area = "' . $area . '"' .
'#price = "' . $price . '"' .
'#address = "' . $address . '"' .
'#bedrooms = "' . $bedrooms . '"' .
'#fullbath = "' . $fullbath . '"' .
'#halfbath = "' . $halfbath . '"' .
'#sqft = "' . $sqft . '"' .
'#remarks = "' . $remarks . '"' .
'#realtor = "' . $realtor . '"' . //line 255
'#phone = "' . $phone . '"'; //line 256
mysql_query($query);
$query = 'EXECUTE statement USING #area,#price,#address,#bedrooms,#fullbath,#halfbath,#sqft,#remarks,#realtor,#phone';
mysql_query($query);
$query = 'DEALLOCATE PREPARE statement';
mysql_query($query);
return true;
}
}
function get_post($var)
{
return mysql_real_escape_string($_POST[$var]);
}
This is simply adding an entry to a database if it was submitted (the page submits a form to itsself to do this)
Your problem is here, a cut'n'paste error;
if (isset($_POST['realtor']))
{
$remarks = sanitizeOne(get_post('realtor'), 'plain');
}
else
{$realtor = "Anne-Marie Pelletier";}
If realtor is set as a post parameter, you assign the post variable's value to $remarks instead of to $realtor.
$phone has the exact same problem.
If the phone value was passed you are setting the remarks variable to the phone content, if its not set you are setting the fixed phone
change:
if (isset($_POST['phone']))
{
$remarks = sanitizeOne(get_post('phone'), 'plain');
}
else
{$phone = "201.710.5500";}
to
if (isset($_POST['phone']))
{
$phone = sanitizeOne(get_post('phone'), 'plain');
}
else
{$phone = "201.710.5500";}
Same for the realtor
To debug the all-null problem, try to record a record without realtor or phone i.e. using the defaults in code. if you get those two values stored, then the problem is in santizeOne, post the code to that for us to help. If its not try to capture the output of all the first to queries and post it.
You are never assigning anything to $realtor or $phone.
if (isset($_POST['realtor']))
{
$remarks = sanitizeOne(get_post('realtor'), 'plain');
}
you probably mean to use $realtor = sanitizeOne(get_post('realtor'), 'plain');
same for $phone.