How do I successfully insert records from HTML form using php cleandata and sanitize functions

Tags: , ,



I have written a script to add records into my database with include functions for clean and sanitize the input data and my db connection file with query functions respectively but my problem is that once I submit the form No Closeable Alert message is displayed and record is not inserted into the table either. Here is my script for record insertion

<?php
include('includes/functions.php');


//Require Database
include('includes/pdocon.php');

//instatiating our database objects
$db    = new Pdoconn;

if(isset($_POST['submit'])){

//Collect Raw Data for Cleaning
$raw_firstName   = cleandata($_POST['fname']);
$raw_lastName    = cleandata($_POST['lname']);
$raw_username    = cleandata($_POST['username']);
$raw_email       = cleandata($_POST['email']);
$raw_pass        = cleandata($_POST['password']);
$raw_phone       = cleandata($_POST['phone']);
$raw_dateJoin    = cleandata($_POST['jdate']);
$raw_role        = cleandata($_POST['role']);
$raw_employId    = cleandata($_POST['employeeid']);

//Sanitize the Cleandate
$c_fname        = sanitizeValue($raw_firstName);
$c_lname        = sanitizeValue($raw_lastName);
$c_username     = sanitizeValue($raw_username);
$c_email        = validatemail($raw_email);
$c_password     = sanitizeValue($raw_pass);
$c_phone        = valint($raw_phone);
$c_jdate        = sanitizeValue($raw_dateJoin);
$c_role         = sanitizeValue($raw_role);
$c_employId     = sanitizeValue($raw_employId);

//Hash Password
$Hashed_Pass    = hashpassword($c_password);

//Query to Insert/Add Employees in employees Table
$db->query('INSERT INTO employees(id, firstName, lastName, username, email, password, employeeId, joiningDate, phone, role)VALUES(NULL, :fname, :lname, :username, :email, :password, :employeeId, :joiningDate, :phone, :role)');

//Bind Values to Query Parameters
$db->bindvalue(':fname', $c_fname, PDO::PARAM_STR);
$db->bindvalue(':lname', $c_lname, PDO::PARAM_STR);
$db->bindvalue(':username', $c_username, PDO::PARAM_STR);
$db->bindvalue(':email', $c_email, PDO::PARAM_STR);
$db->bindvalue(':password', $Hashed_Pass, PDO::PARAM_STR);
$db->bindvalue(':employeeId', $c_employId, PDO::PARAM_STR);
$db->bindvalue(':joiningDate', $c_jdate, PDO::PARAM_STR);
$db->bindvalue(':phone', $c_phone, PDO::PARAM_INT);
$db->bindvalue(':role', $c_role, PDO::PARAM_STR);

//Query to Check whether Staff Already Exist using Email
$db->query('SELECT * FROM employees WHERE email=:email');

//Bind Email Value
$db->bindvalue(':email', $c_email, PDO::PARAM_STR);

//fetch Row
$row            = $db->fetchSingle();

//check role
if($row){

    redirect('employees.php');
    //Closeable Alert Message
    keepmsg('<div class="alert alert-danger text-center">
        <a href="#" class="close" data-dismiss="alert" aria-label="close">&times;</a>
        <strong>Not Successful!</strong> Staff Already Exist, Pls Register another one.
        </div>');
}else{

//Run Query
$run_employee    = $db->execute();

if($run_employee){

    redirect('employees.php');
    //Closeable Alert Message
    keepmsg('<div class="alert alert-success text-center">
        <a href="#" class="close" data-dismiss="alert" aria-label="close">&times;</a>
        <strong>Success!</strong> Employee Registered Successfully.
        </div>');
}else{
    //Closeable Alert Message
    keepmsg('<div class="alert alert-danger text-center">
        <a href="#" class="close" data-dismiss="alert" aria-label="close">&times;</a>
        <strong>Not Successful!</strong> Employee Was Not Registered.
        </div>');
    }

}

}

?>

Answer

After debugging I discovered that I was trying to first insert the records with a message before checking whether the candidate I was inserting already existed thereby making the if and else statements to be complicated logically.

//Query to Insert/Add Employees in employees Table
$db->query('INSERT INTO employees(id, firstName, lastName, username, email, password, employeeId, joiningDate, phone, role)VALUES(NULL, :fname, :lname, :username, :email, :password, :employeeId, :joiningDate, :phone, :role)');

//Bind Values to Query Parameters
$db->bindValue(':fname', $c_fname, PDO::PARAM_STR);
$db->bindValue(':lname', $c_lname, PDO::PARAM_STR);
$db->bindValue(':username', $c_username, PDO::PARAM_STR);
$db->bindValue(':email', $c_email, PDO::PARAM_STR);
$db->bindValue(':password', $Hashed_Pass, PDO::PARAM_STR);
$db->bindValue(':employeeId', $c_employId, PDO::PARAM_STR);
$db->bindValue(':joiningDate', $c_jdate, PDO::PARAM_STR);
$db->bindValue(':phone', $c_phone, PDO::PARAM_INT);
$db->bindValue(':role', $c_role, PDO::PARAM_STR);

//Query to Check whether Staff Already Exist using Email
$db->query('SELECT * FROM employees WHERE email=:email');

I thanked everyone for trying to help me out in this messy situation.