PHP - Form submitting when CAPTCHA wrong

I am having to change code to replace outdated PHP statements.  It was working with this code

include('admin/connect.php');
if(isset($_POST['send'])){

    $name=$_POST['name'];
    $title=$_POST['title'];
    $story=$_POST['story'];
    $ip=$_SERVER['REMOTE_ADDR'];

    $query="INSERT INTO guestbook (name, title, story, ip) VALUES ('$name', '$title', '$story', '$ip')";
    $result=mysql_query($query);

    if($_SESSION['security_code'] == $_POST['security_code']){
        if ($success){
            echo '<p class="yay">All is well, your e&ndash;mail has been sent.</p>';
        }
    } else {
        echo '<p class="oops">Something went wrong; maybe you clicked it too hard... you did, didn&rsquo;t you?</p>';
    }
} else {
?>



Now I have changed it to this

if(isset($_POST['send'])){

    $name=$_POST['name'];
    $title=$_POST['title'];
    $story=$_POST['story'];
    $ip=$_SERVER['REMOTE_ADDR'];

    //$query="INSERT INTO guestbook (name, title, story, ip) VALUES ('$name', '$title', '$story', '$ip')";
    $result = mysqli_query($mysqli,"INSERT INTO guestbook (name,title,story, ip) VALUES ('$name','$title', '$story','$ip' )");
    //$result=mysql_query($query);
    $row = mysqli_fetch_row($result);

    if($_SESSION['security_code'] == $_POST['security_code']){
        if ($success){
            echo '<p class="yay">All is well, your e&ndash;mail has been sent.</p>';
        }
    } else {
        echo '<p class="oops">Something went wrong; maybe you clicked it too hard... you did, didn&rsquo;t you?</p>';
    }
} else {
?>



The problem is the CAPTCHA will identify that it was not filled out correctly but the data still inserts into the table - can anyone see why?

Thanks
JohnMac328 Asked:

Ray Paseur Commented:
Check this for information on CAPTCHA.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_9849-Making-CAPTCHA-Friendlier-with-PHP-Image-Manipulation.html

In the code above the flow of logic is from top to bottom.  The query to insert data is run before the comparison of the security codes.  You want to rearrange that, so that the work is run in the correct order.  There are other things wrong, too -- for example, the $success variable is undefined.  To catch those sorts of things you want to add error_reporting(E_ALL) to the top of your PHP scripts.
0
JohnMac328 Author Commented:
But the $success variable was not defined in the first example and it works so I am confused
0
Ray Paseur Commented:
"Works" is relative.  What PHP is doing with undefined variables is casting them to a loose comparison "false" element.  Trust me, you do not want undefined variables in your code.  That's why the professionals raise the error_reporting() levels to the highest and most stringent possible settings.

If you're new to PHP and want some good learning resources, this article can help.  It can take a while to learn this stuff, but at least you won't be looking at online links and trying to guess if they are good or bad examples!
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_11769-And-by-the-way-I-am-new-to-PHP.html
0

hielo Commented:
On line 10 of your first post (the "old" code), $result will be either true or false:
For other type of SQL statements, INSERT, UPDATE, DELETE, DROP, etc, mysql_query() returns TRUE on success or FALSE on error.

http://php.net/manual/en/function.mysql-query.php

Thus, you need to get rid of line 11 on your new code
$row = mysqli_fetch_row($result);


because it does not apply.  An INSERT statement does NOT return any records, thus there is nothing to "fetch".  If you are using $row somewhere else later in the code, then your code is most likely not doing what you expect.
0
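
The reordering Ray Paseur describes and the TRUE/FALSE result hielo points out, as an added example that is not part of the thread: the security code is compared first and only a match reaches the INSERT, which is bound through a prepared statement. `$mysqli` is assumed to come from admin/connect.php; `make_mysqli_insert()`, `handle_guestbook_post()` and the sample values are hypothetical.

```php
<?php
// Added example, not code from the thread. $mysqli is assumed to be the
// connection opened by admin/connect.php; both function names are hypothetical.
error_reporting(E_ALL);

// Returns a closure that inserts one row with a prepared statement, so the
// submitted values are bound as data instead of being pasted into the SQL.
function make_mysqli_insert(mysqli $mysqli): callable {
    return function (string $name, string $title, string $story, string $ip) use ($mysqli): bool {
        $stmt = $mysqli->prepare(
            'INSERT INTO guestbook (name, title, story, ip) VALUES (?, ?, ?, ?)');
        if ($stmt === false) { return false; }
        $stmt->bind_param('ssss', $name, $title, $story, $ip);
        $success = $stmt->execute();   // TRUE/FALSE; an INSERT has no rows to fetch
        $stmt->close();
        return $success;
    };
}

// Compare the security codes first; only a correct code reaches the insert.
function handle_guestbook_post(array $post, array $session, string $ip, callable $insert): string {
    $expected = $session['security_code'] ?? '';
    $given    = $post['security_code'] ?? '';
    if (!is_string($expected) || !is_string($given) || $expected === ''
        || !hash_equals($expected, $given)) {
        return 'captcha_failed';       // nothing has been written at this point
    }
    $ok = $insert((string)($post['name'] ?? ''), (string)($post['title'] ?? ''),
                  (string)($post['story'] ?? ''), $ip);
    return $ok ? 'saved' : 'db_error';
}

// Constructed sample input; the recording closure stands in for the database.
$rows    = [];
$record  = function (string ...$fields) use (&$rows): bool { $rows[] = $fields; return true; };
$session = ['security_code' => 'k7Qp2'];
$post    = ['send' => '1', 'name' => 'Ann', 'title' => 'Hi',
            'story' => 'Nice site', 'security_code' => 'wrong'];

// Wrong code: status is reported and the row count stays at zero.
echo handle_guestbook_post($post, $session, '203.0.113.5', $record), ' ', count($rows), "\n";
// Correct code: the insert runs exactly once.
$post['security_code'] = 'k7Qp2';
echo handle_guestbook_post($post, $session, '203.0.113.5', $record), ' ', count($rows), "\n";
```

On the real page the call would be `handle_guestbook_post($_POST, $_SESSION, $_SERVER['REMOTE_ADDR'], make_mysqli_insert($mysqli))`, with the returned status deciding which message to echo.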

hielo Commented:
FYI:
A should be the default grade awarded unless the answer is deficient...
http://support.experts-exchange.com/customer/portal/articles/481419
0
JohnMac328 Author Commented:
Ok
0