How Do I Prevent Blank Data from being Inserted into a MySQL Table?

Question

Also malicious inserts

I've seen this question asked but none of the responses worked for me (or rather I was too stupid to make them work). I think I need personalized help. Every time I refresh my php page it inserts blank data. How do I prevent blank and/or malicious data from being inserted.

This is my code:

 <?php

    $con = mysql_connect("localhost","user","pass") or die ("Couldn't connect!");
    if (!$con)
    {
        die('Could not connect: ' . mysql_error());
    }

    mysql_select_db("streams") or die ("Couldn't find db");

    $sql="INSERT INTO streams (streamname)
    VALUES ('$_POST[streamname]')";

    if (!mysql_query($sql,$con))
    {
        die('Error: ' . mysql_error());
    }

    echo "1 record added";


    mysql_close($con)

?>

<form action="submit.php" method="POST">
    Stream Name: <input type="text" name="streamname" id="streamname" /><br />
    <input type="submit" name="submit" value="Stream" />
</form> 

Answer 1

Wrap it with some defensive logic:

if(!empty($_POST['streamname'])) {

    // Your code here
}

Answer 2

You should be escaping the input.

$sql='INSERT INTO streams (streamname)
VALUES ("'.mysql_real_escape_string($_POST[streamname]).'")';

Answer 3

Try checking if POST params are set :

 <?php

if($_POST) {

    $con = mysql_connect("localhost","user","pass") or die ("Couldn't connect!");
    if (!$con)
    {
        die('Could not connect: ' . mysql_error());
    }

    mysql_select_db("streams") or die ("Couldn't find db");

    $sql="INSERT INTO streams (streamname)
    VALUES ('$_POST[streamname]')";

    if (!mysql_query($sql,$con))
    {
        die('Error: ' . mysql_error());
    }

    echo "1 record added";


    mysql_close($con);
}

?>

<form action="submit.php" method="POST">
    Stream Name: <input type="text" name="streamname" id="streamname" /><br />
    <input type="submit" name="submit" value="Stream" />
</form>