Php inserts blank data into table

Question

My code inserts an empty record into the MySQL table "activate" instead of getting the data activate.html. It calls upon activate.php which I stripped down. I also should add that I am new to php, but am aware of injection attacks. I originally had some of the security issues addressed, but as I said, have stripped down the code to get to the root of the problem. Also, when I echo the form fields, they populate, just not into the MySql table. Any ideas why? Thank you in advance.

<?php
$host = "host"; // Host name
$username = "user"; // Mysql username
$password = "pass"; // Mysql password
$db_name = "db"; // Database name
$tbl_name = "activate"; // Table name

// Connect to server and select database.

mysql_connect("$host", "$username", "$password") or die("cannot connect");
mysql_select_db("$db_name") or die("cannot select DB");

// Get values from form

if (isset($_POST['submit'])) {
    $esn = mysql_real_escape_string($_POST['esn']);
    $esnverify = mysql_real_escape_string($_POST['esnverify']);
    $zip = mysql_real_escape_string($_POST['zip']);
    $comments = mysql_real_escape_string($_POST['comments']);
}

// Insert data into mysql

$sql = "INSERT INTO $tbl_name (esn, esnverify, zip, comments) VALUES ('$esn', '$esnverify', '$zip', '$comments')";
$result = mysql_query($sql);

// if successfully insert data into database, displays message "Successful".

if ($result) {
    echo "Successful";
    echo "<br />";
    echo $_POST['esn'];
    echo "<br />";
    echo $_POST['esnverify'];
    echo "<br />";
    echo $_POST['zip'];
    echo "<br />";
    echo $_POST['comments'];
    echo "<br />";
    echo "<a href='thankyou.html'>Back to main page</a>";
}
else {
    echo "ERROR";
}

?> 

    <?php

// close connection

mysql_close();
?>

Activate.html

<form method="post" action="activate.php">
<p><b>ESN:</b> <input type="text" id="esn" name="esn" maxlength="50"><br/>
<b>Confirm ESN:</b> <input type="text" name="esnverify" id="esnverify" maxlength="50"><br/>
<b>Zip:</b> <input type="text" name="zip" id="zip" maxlength="5"><br/>

<p>Your comments:<br />
<textarea name="comments" rows="10" cols="40" id="comments" maxlength="500"></textarea></p>

<p><input type="submit" value="Send it!"></p></form>

Answer 1

   <?php
$host = "host"; // Host name
$username = "user"; // Mysql username
$password = "pass"; // Mysql password
$db_name = "db"; // Database name
$tbl_name = "activate"; // Table name

// Connect to server and select database.

mysql_connect("$host", "$username", "$password") or die("cannot connect");
mysql_select_db("$db_name") or die("cannot select DB");

// Get values from form

if (isset($_POST['submit'])) {
    $esn = mysql_real_escape_string($_POST['esn']);
    $esnverify = mysql_real_escape_string($_POST['esnverify']);
    $zip = mysql_real_escape_string($_POST['zip']);
    $comments = mysql_real_escape_string($_POST['comments']);


// Insert data into mysql

$sql = "INSERT INTO $tbl_name (esn, esnverify, zip, comments) VALUES ('$esn', '$esnverify', '$zip', '$comments')";
$result = mysql_query($sql);

// if successfully insert data into database, displays message "Successful".

if ($result) {
    echo "Successful";
    echo "<br />";
    echo $_POST['esn'];
    echo "<br />";
    echo $_POST['esnverify'];
    echo "<br />";
    echo $_POST['zip'];
    echo "<br />";
    echo $_POST['comments'];
    echo "<br />";
    echo "<a href='thankyou.html'>Back to main page</a>";
}
else {
    echo "ERROR";
}

}

?> 

    <?php

// close connection

mysql_close();
?>

Also, change this in html code:

add name='submit' to input field/submit button.

Answer 2

Even if $_POST['submit'] is not set (in which case your variables will have no values), your code will still attempt to insert the data into the table. This is why there are blank rows.

As Lion said in his comment, since your submit button has no name attribute, $_POST['submit'] will never be set, and therefore you will always insert blank data.